From 3c82c4e7806e1c95964738027d7e907e8557116b Mon Sep 17 00:00:00 2001
From: Claire
Date: Mon, 20 Mar 2023 20:02:58 +0100
Subject: [PATCH 1/9] Fix crash in `tootctl` commands making use of parallelization when Elasticsearch is enabled (#24182)
---
 lib/mastodon/cli_helper.rb | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/lib/mastodon/cli_helper.rb b/lib/mastodon/cli_helper.rb
index a78a28e27..4e304c903 100644
--- a/lib/mastodon/cli_helper.rb
+++ b/lib/mastodon/cli_helper.rb
@@ -53,14 +53,16 @@ module Mastodon
 progress.log("Processing #{item.id}") if options[:verbose]
- result = ActiveRecord::Base.connection_pool.with_connection do
- yield(item)
- ensure
- RedisConfiguration.pool.checkin if Thread.current[:redis]
- Thread.current[:redis] = nil
- end
+ Chewy.strategy(:mastodon) do
+ result = ActiveRecord::Base.connection_pool.with_connection do
+ yield(item)
+ ensure
+ RedisConfiguration.pool.checkin if Thread.current[:redis]
+ Thread.current[:redis] = nil
+ end
- aggregate.increment(result) if result.is_a?(Integer)
+ aggregate.increment(result) if result.is_a?(Integer)
+ end
 rescue => e
 progress.log pastel.red("Error processing #{item.id}: #{e}")
 ensure
From ae64c5b7eca37be65f87b2ea82c92d9732b641dd Mon Sep 17 00:00:00 2001
From: Claire
Date: Mon, 27 Mar 2023 17:07:37 +0200
Subject: [PATCH 2/9] Fix user archive takeout when using OpenStack Swift or S3 providers with no ACL support (#24200)
---
 app/controllers/backups_controller.rb | 6 +++++-
 app/models/backup.rb | 2 +-
 config/initializers/paperclip.rb | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/controllers/backups_controller.rb b/app/controllers/backups_controller.rb
index 2f4b400b8..0687b62c5 100644
--- a/app/controllers/backups_controller.rb
+++ b/app/controllers/backups_controller.rb
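Review bot: The new `Chewy.strategy(:mastodon) do ... end` wrapper around the per-item work carries no comment saying why it is needed here, and the reason is not visible in the hunk; presumably each parallel worker runs in a thread that has no Chewy strategy of its own, so a comment such as `# Worker threads have no Chewy strategy set; give each item an explicit one so index updates do not hit the root strategy` (adjusted to the actual cause) would save the next reader a trip to the commit history. One behavioural consequence to keep in mind: if the strategy flushes pending index updates when the block exits, an Elasticsearch failure at that point is now caught by the `rescue => e` below and logged as an error processing that item, even though the item's own work in `with_connection` had already completed. The enclosing method starts before this hunk and continues after it.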
@@ -13,7 +13,11 @@ class BackupsController < ApplicationController
 when :s3
 redirect_to @backup.dump.expiring_url(10)
 when :fog
- redirect_to @backup.dump.expiring_url(Time.now.utc + 10)
+ if Paperclip::Attachment.default_options.dig(:storage, :fog_credentials, :openstack_temp_url_key).present?
+ redirect_to @backup.dump.expiring_url(Time.now.utc + 10)
+ else
+ redirect_to full_asset_url(@backup.dump.url)
+ end
 when :filesystem
 redirect_to full_asset_url(@backup.dump.url)
 end
diff --git a/app/models/backup.rb b/app/models/backup.rb
index 20e6e8aa8..8823e7cae 100644
--- a/app/models/backup.rb
+++ b/app/models/backup.rb
@@ -17,6 +17,6 @@ class Backup < ApplicationRecord
 belongs_to :user, inverse_of: :backups
- has_attached_file :dump, s3_permissions: 'private'
+ has_attached_file :dump, s3_permissions: ->(*) { ENV['S3_PERMISSION'] == '' ? nil : 'private' }
 do_not_validate_attachment_file_type :dump
 end
diff --git a/config/initializers/paperclip.rb b/config/initializers/paperclip.rb
index a2285427c..63f0d9240 100644
--- a/config/initializers/paperclip.rb
+++ b/config/initializers/paperclip.rb
@@ -124,6 +124,7 @@ elsif ENV['SWIFT_ENABLED'] == 'true'
 openstack_domain_name: ENV.fetch('SWIFT_DOMAIN_NAME') { 'default' },
 openstack_region: ENV['SWIFT_REGION'],
 openstack_cache_ttl: ENV.fetch('SWIFT_CACHE_TTL') { 60 },
+ openstack_temp_url_key: ENV['SWIFT_TEMP_URL_KEY'],
 },
 fog_file: { 'Cache-Control' => 'public, max-age=315576000, immutable' },
From 590df443f11c21ad0bad49dd0d4dfb6560e75930 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Sat, 11 Feb 2023 04:02:07 +0100
Subject: [PATCH 3/9] Bump blurhash from 0.1.6 to 0.1.7 (#23517)
---
 Gemfile.lock | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 3bd2d591d..2d7ee2df8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
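Review bot: The lookup `Paperclip::Attachment.default_options.dig(:storage, :fog_credentials, :openstack_temp_url_key)` looks wrong in its first key: the paperclip.rb hunk in this same patch adds `openstack_temp_url_key` to a hash that sits alongside `fog_file:`, i.e. a `fog_credentials:` hash at the top level of the options, and in Paperclip `default_options[:storage]` holds the backend symbol (`:fog` here), not a nested hash, so `Hash#dig` would raise a TypeError on the Symbol and every fog-backed archive download would fail rather than fall back; `Paperclip::Attachment.default_options.dig(:fog_credentials, :openstack_temp_url_key).present?` is the shape I would expect, to be confirmed against the actual `paperclip.rb` option layout. Separately, the new `else` branch hands out `full_asset_url(@backup.dump.url)`, a permanent unsigned URL, whereas the `:s3` and temp-key paths use short-lived `expiring_url` links, so on Swift without `SWIFT_TEMP_URL_KEY` the user's archive is protected only by the object being unreadable/unlistable without the link, for as long as the dump exists; a comment at the `else` such as `# No temp URL key configured: fall back to the plain object URL; access then relies on the container not being publicly listable` would make that trade-off explicit. The enclosing action starts outside the hunk.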
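Review bot: `ENV['S3_PERMISSION'] == ''` only disables the ACL when the operator sets the variable to an explicitly empty string; an unset variable keeps `'private'`, which is the safer default, but the empty-string convention is easy to miss and deserves a comment, e.g. `# S3_PERMISSION='' signals a provider with no ACL support: send no ACL and rely on the bucket policy; unset or any other value keeps the dump private`. When the lambda returns `nil` the archive is uploaded without any ACL, so its privacy then rests entirely on the bucket's default policy — worth stating in the deployment documentation alongside the variable.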
@@ -120,8 +120,7 @@ GEM
 bindata (2.4.14)
 binding_of_caller (1.0.0)
 debug_inspector (>= 0.0.1)
- blurhash (0.1.6)
- ffi (~> 1.14)
+ blurhash (0.1.7)
 bootsnap (1.16.0)
 msgpack (~> 1.2)
 brakeman (5.4.0)
From af6eb37c704e4114157fdc04e54f682a9de0e8d9 Mon Sep 17 00:00:00 2001
From: Robert R George
Date: Wed, 29 Mar 2023 00:58:27 -0700
Subject: [PATCH 4/9] Wrap db:setup with Chewy.strategy(:mastodon) (#24302)
---
 db/seeds.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/db/seeds.rb b/db/seeds.rb
index 1ca300de7..c01e83f1d 100644
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
-Dir[Rails.root.join('db', 'seeds', '*.rb')].sort.each do |seed|
- load seed
+Chewy.strategy(:mastodon) do
+ Dir[Rails.root.join('db', 'seeds', '*.rb')].sort.each do |seed|
+ load seed
+ end
 end
From 01617534fac1f7f9c5646556d7b78baef6c1dfb0 Mon Sep 17 00:00:00 2001
From: Sai
Date: Fri, 31 Mar 2023 16:11:22 +0100
Subject: [PATCH 5/9] Update Ruby to 3.0.6 (#24334)
---
 .ruby-version | 2 +-
 Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.ruby-version b/.ruby-version
index b0f2dcb32..818bd47ab 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-3.0.4
+3.0.6
diff --git a/Dockerfile b/Dockerfile
index ce7f4d718..160efeea4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 # This needs to be bullseye-slim because the Ruby image is built on bullseye-slim
 ARG NODE_VERSION="16.18.1-bullseye-slim"
-FROM ghcr.io/moritzheiber/ruby-jemalloc:3.0.4-slim as ruby
+FROM ghcr.io/moritzheiber/ruby-jemalloc:3.0.6-slim as ruby
 FROM node:${NODE_VERSION} as build
 COPY --link --from=ruby /opt/ruby /opt/ruby
From 51572ac615208197ceced4c81192aa0dfd47e923 Mon Sep 17 00:00:00 2001
From: Claire
Date: Fri, 31 Mar 2023 21:42:28 +0200
Subject: [PATCH 6/9] Fix invalid/expired invites being processed on sign-up (#24337)
---
 app/controllers/auth/registrations_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
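Review bot: The `Chewy.strategy(:mastodon) do ... end` wrapper added around the seed loop has no comment explaining why seeding needs an explicit strategy; the commit subject says it fixes a crash in `db:setup`, which suggests the seed files create records Chewy indexes while the rake task runs with no strategy set. A one-line comment above the block, e.g. `# Seed files create indexed records; db:setup runs outside any request, so set a Chewy strategy explicitly rather than hitting the root one`, would record that, with the wording adjusted to the confirmed cause.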
diff --git a/app/controllers/auth/registrations_controller.rb b/app/controllers/auth/registrations_controller.rb
index 71c0cd827..540b04a6c 100644
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@@ -48,7 +48,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
 super(hash)
 resource.locale = I18n.locale
- resource.invite_code = params[:invite_code] if resource.invite_code.blank?
+ resource.invite_code = @invite&.code if resource.invite_code.blank?
 resource.registration_form_time = session[:registration_form_time]
 resource.sign_up_ip = request.remote_ip
From 4eaa6d58b2679b27b2fb6f9a3a41101ee65db63c Mon Sep 17 00:00:00 2001
From: Claire
Date: Mon, 3 Apr 2023 15:05:39 +0200
Subject: [PATCH 7/9] Change root Chewy strategy to emit a warning instead of erroring out in production mode (#24327)
---
 config/application.rb | 1 +
 config/initializers/chewy.rb | 1 +
 lib/chewy/strategy/bypass_with_warning.rb | 12 ++++++++++++
 3 files changed, 14 insertions(+)
 create mode 100644 lib/chewy/strategy/bypass_with_warning.rb
diff --git a/config/application.rb b/config/application.rb
index 43631c551..f0e65f443 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -39,6 +39,7 @@ require_relative '../lib/public_file_server_middleware'
 require_relative '../lib/devise/two_factor_ldap_authenticatable'
 require_relative '../lib/devise/two_factor_pam_authenticatable'
 require_relative '../lib/chewy/strategy/mastodon'
+require_relative '../lib/chewy/strategy/bypass_with_warning'
 require_relative '../lib/webpacker/manifest_extensions'
 require_relative '../lib/webpacker/helper_extensions'
 require_relative '../lib/rails/engine_extensions'
diff --git a/config/initializers/chewy.rb b/config/initializers/chewy.rb
index 2a91efefc..daf4a5f32 100644
--- a/config/initializers/chewy.rb
+++ b/config/initializers/chewy.rb
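Review bot: `resource.invite_code = @invite&.code if resource.invite_code.blank?` now takes the code from an already-resolved invite object instead of the raw request parameter, but the hunk does not show where `@invite` is loaded or what validation it went through, so a comment at this line would help: `# @invite is resolved from params[:invite_code] earlier in the request and is nil for an unknown, invalid or expired code`. With a nil `@invite` the resource is built without any invite code, so whether such a sign-up is then refused (when invites are required) or silently treated as an open registration depends on code outside this hunk and is worth confirming in the tests for this change. The enclosing method (it calls `super(hash)`, so presumably `build_resource`) starts before and continues after the hunk.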
@@ -19,6 +19,7 @@ Chewy.settings = {
 # cycle, which takes care of checking if Elasticsearch is enabled
 # or not. However, mind that for the Rails console, the :urgent
 # strategy is set automatically with no way to override it.
+Chewy.root_strategy = :bypass_with_warning if Rails.env.production?
 Chewy.request_strategy = :mastodon
 Chewy.use_after_commit_callbacks = false
diff --git a/lib/chewy/strategy/bypass_with_warning.rb b/lib/chewy/strategy/bypass_with_warning.rb
new file mode 100644
index 000000000..eb6fbaab1
--- /dev/null
+++ b/lib/chewy/strategy/bypass_with_warning.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Chewy
+ class Strategy
+ class BypassWithWarning < Base
+ def update(...)
+ Rails.logger.warn 'Chewy update without a root strategy' unless @warning_issued
+ @warning_issued = true
+ end
+ end
+ end
+end
From b9f271364e8be91e822fc621c0d99cdd66a7acf1 Mon Sep 17 00:00:00 2001
From: Claire
Date: Mon, 3 Apr 2023 15:47:04 +0200
Subject: [PATCH 8/9] Fix unescaped user input in LDAP query (#24379)
Fix CVE-2023-28853
---
 app/models/concerns/ldap_authenticable.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/concerns/ldap_authenticable.rb b/app/models/concerns/ldap_authenticable.rb
index dc5abcd5a..775df0817 100644
--- a/app/models/concerns/ldap_authenticable.rb
+++ b/app/models/concerns/ldap_authenticable.rb
@@ -6,7 +6,7 @@ module LdapAuthenticable
 class_methods do
 def authenticate_with_ldap(params = {})
 ldap = Net::LDAP.new(ldap_options)
- filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: params[:email])
+ filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: Net::LDAP::Filter.escape(params[:email]))
 if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password]))
 ldap_get_user(user_info.first)
From 4b9e4f6398760cc04f9fde2c659f30ffea216e12 Mon Sep 17 00:00:00 2001
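Review bot: `Chewy.root_strategy = :bypass_with_warning if Rails.env.production?` is inserted directly under the comment block that explains the request strategy, so that comment now reads as if it described the root strategy too; either move the line below `Chewy.request_strategy = :mastodon` or give it its own comment, e.g. `# Outside a request or explicit strategy block (rake tasks, scripts), production drops index updates with a single warning instead of raising; other environments keep the raising default so misuse is caught early`. Operators should be told that in production a stale search index, rather than an exception, is now the symptom of code running without a strategy, which is harder to notice than the old failure.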
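Review bot: `BypassWithWarning#update(...)` silently discards the index update, and because `@warning_issued` is instance state it warns once per strategy object and then logs nothing for any further dropped updates, yet the class carries no documentation saying so. A class comment along the lines of `# Root strategy for production: when an indexed model is changed outside a Chewy.strategy block, log a single warning and drop the update instead of raising. The index can go stale; such code paths should be wrapped in Chewy.strategy(:mastodon).` would make the trade-off visible to whoever next hits the warning. The arguments forwarded with `...` are never inspected; including the affected index/type in the warning text would make the log entry actionable, which should be checked against the `Base#update` signature of the Chewy version in use before relying on positional arguments.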
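Review bot: Escaping only `params[:email]` is the right scope, since `Devise.ldap_uid` and `Devise.ldap_mail` come from operator configuration rather than the request, but a comment should say so to stop a later edit from either escaping the config values or adding another request-supplied value into the filter unescaped: `# Only request-supplied values go through Filter.escape; uid/mail are operator configuration`. One behavioural difference to check: `format` previously turned a missing email into an empty substitution, whereas `Net::LDAP::Filter.escape` now receives `params[:email]` directly and, if it calls string methods on its argument, raises on `nil`; `Net::LDAP::Filter.escape(params[:email].to_s)` keeps the earlier behaviour for a request without that field. `authenticate_with_ldap` continues past the end of the hunk.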
From: Claire
Date: Mon, 27 Mar 2023 17:43:24 +0200
Subject: [PATCH 9/9] Bump version to v4.1.2
---
 CHANGELOG.md | 14 ++++++++++++++
 lib/mastodon/version.rb | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7416d2e6f..b17dcdeef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,20 @@ Changelog
 All notable changes to this project will be documented in this file.
+## [4.1.2] - 2023-04-04
+
+### Fixed
+
+- Fix crash in `tootctl` commands making use of parallelization when Elasticsearch is enabled ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24182), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/24377))
+- Fix crash in `db:setup` when Elasticsearch is enabled ([rrgeorge](https://github.com/mastodon/mastodon/pull/24302))
+- Fix user archive takeout when using OpenStack Swift or S3 providers with no ACL support ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24200))
+- Fix invalid/expired invites being processed on sign-up ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24337))
+
+### Security
+
+- Update Ruby to 3.0.6 due to ReDoS vulnerabilities ([saizai](https://github.com/mastodon/mastodon/pull/24334))
+- Fix unescaped user input in LDAP query ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/24379))
+
 ## [4.1.1] - 2023-03-16
 ### Added
diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb
index 6a797fccf..71bcfb4e1 100644
--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
@@ -13,7 +13,7 @@ module Mastodon
 end
 def patch
- 1
+ 2
 end
 def flags