Merge branch 'develop' into issue/1383

2020-02-03 21:42:36 +03:00 · 2020-02-03 21:42:36 +03:00 · 2c40c8b4a2
commit 2c40c8b4a2
parent 21a2a05407 c27d1d65bf
49 changed files with 773 additions and 97 deletions
--- a/lib/pleroma/application.ex
+++ b/lib/pleroma/application.ex
@ -33,6 +33,7 @@ defmodule Pleroma.Application do
  def start(_type, _args) do
    Pleroma.HTML.compile_scrubbers()
    Pleroma.Config.DeprecationWarnings.warn()
+    Pleroma.Plugs.HTTPSecurityPlug.warn_if_disabled()
    Pleroma.Repo.check_migrations_applied!()
    setup_instrumenters()
    load_custom_modules()
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@ -6,6 +6,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
  alias Pleroma.Config
  import Plug.Conn

+  require Logger
+
  def init(opts), do: opts

  def call(conn, _options) do
@ -90,6 +92,51 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
    |> Enum.join("; ")
  end

+  def warn_if_disabled do
+    unless Config.get([:http_security, :enabled]) do
+      Logger.warn("
+                                 .i;;;;i.
+                               iYcviii;vXY:
+                             .YXi       .i1c.
+                            .YC.     .    in7.
+                           .vc.   ......   ;1c.
+                           i7,   ..        .;1;
+                          i7,   .. ...      .Y1i
+                         ,7v     .6MMM@;     .YX,
+                        .7;.   ..IMMMMMM1     :t7.
+                       .;Y.     ;$MMMMMM9.     :tc.
+                       vY.   .. .nMMM@MMU.      ;1v.
+                      i7i   ...  .#MM@M@C. .....:71i
+                     it:   ....   $MMM@9;.,i;;;i,;tti
+                    :t7.  .....   0MMMWv.,iii:::,,;St.
+                   .nC.   .....   IMMMQ..,::::::,.,czX.
+                  .ct:   ....... .ZMMMI..,:::::::,,:76Y.
+                  c2:   ......,i..Y$M@t..:::::::,,..inZY
+                 vov   ......:ii..c$MBc..,,,,,,,,,,..iI9i
+                i9Y   ......iii:..7@MA,..,,,,,,,,,....;AA:
+               iIS.  ......:ii::..;@MI....,............;Ez.
+              .I9.  ......:i::::...8M1..................C0z.
+             .z9;  ......:i::::,.. .i:...................zWX.
+             vbv  ......,i::::,,.      ................. :AQY
+            c6Y.  .,...,::::,,..:t0@@QY. ................ :8bi
+           :6S. ..,,...,:::,,,..EMMMMMMI. ............... .;bZ,
+          :6o,  .,,,,..:::,,,..i#MMMMMM#v.................  YW2.
+         .n8i ..,,,,,,,::,,,,.. tMMMMM@C:.................. .1Wn
+         7Uc. .:::,,,,,::,,,,..   i1t;,..................... .UEi
+         7C...::::::::::::,,,,..        ....................  vSi.
+         ;1;...,,::::::,.........       ..................    Yz:
+          v97,.........                                     .voC.
+           izAotX7777777777777777777777777777777777777777Y7n92:
+             .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov.
+
+HTTP Security is disabled. Please re-enable it to prevent users from attacking
+your instance and your users via malicious posts:
+
+      config :pleroma, :http_security, enabled: true
+      ")
+    end
+  end
+
  defp maybe_send_sts_header(conn, true) do
    max_age_sts = Config.get([:http_security, :sts_max_age])
    max_age_ct = Config.get([:http_security, :ct_max_age])
--- a/lib/pleroma/plugs/rate_limiter/rate_limiter.ex
+++ b/lib/pleroma/plugs/rate_limiter/rate_limiter.ex
@ -67,6 +67,8 @@ defmodule Pleroma.Plugs.RateLimiter do
  alias Pleroma.Plugs.RateLimiter.LimiterSupervisor
  alias Pleroma.User

+  require Logger
+
  def init(opts) do
    limiter_name = Keyword.get(opts, :name)

@ -89,18 +91,39 @@ defmodule Pleroma.Plugs.RateLimiter do
  def call(conn, nil), do: conn

  def call(conn, settings) do
-    settings
-    |> incorporate_conn_info(conn)
-    |> check_rate()
-    |> case do
-      {:ok, _count} ->
+    case disabled?() do
+      true ->
+        if Pleroma.Config.get(:env) == :prod,
+          do: Logger.warn("Rate limiter is disabled for localhost/socket")
+
        conn

-      {:error, _count} ->
-        render_throttled_error(conn)
+      false ->
+        settings
+        |> incorporate_conn_info(conn)
+        |> check_rate()
+        |> case do
+          {:ok, _count} ->
+            conn
+
+          {:error, _count} ->
+            render_throttled_error(conn)
+        end
    end
  end

+  def disabled? do
+    localhost_or_socket =
+      Pleroma.Config.get([Pleroma.Web.Endpoint, :http, :ip])
+      |> Tuple.to_list()
+      |> Enum.join(".")
+      |> String.match?(~r/^local|^127.0.0.1/)
+
+    remote_ip_disabled = not Pleroma.Config.get([Pleroma.Plugs.RemoteIp, :enabled])
+
+    localhost_or_socket and remote_ip_disabled
+  end
+
  def inspect_bucket(conn, name_root, settings) do
    settings =
      settings
--- a/lib/pleroma/plugs/remote_ip.ex
+++ b/lib/pleroma/plugs/remote_ip.ex
@ -10,10 +10,7 @@ defmodule Pleroma.Plugs.RemoteIp do
  @behaviour Plug

  @headers ~w[
-    forwarded
    x-forwarded-for
-    x-client-ip
-    x-real-ip
  ]

  # https://en.wikipedia.org/wiki/Localhost
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@ -325,12 +325,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
  def react_with_emoji(user, object, emoji, options \\ []) do
    with local <- Keyword.get(options, :local, true),
         activity_id <- Keyword.get(options, :activity_id, nil),
-         Pleroma.Emoji.is_unicode_emoji?(emoji),
+         true <- Pleroma.Emoji.is_unicode_emoji?(emoji),
         reaction_data <- make_emoji_reaction_data(user, object, emoji, activity_id),
         {:ok, activity} <- insert(reaction_data, local),
         {:ok, object} <- add_emoji_reaction_to_object(activity, object),
         :ok <- maybe_federate(activity) do
      {:ok, activity, object}
+    else
+      e -> {:error, e}
    end
  end

@ -345,6 +347,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
         {:ok, object} <- remove_emoji_reaction_from_object(reaction_activity, object),
         :ok <- maybe_federate(activity) do
      {:ok, activity, object}
+    else
+      e -> {:error, e}
    end
  end

--- a/lib/pleroma/web/mastodon_api/views/status_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/status_view.ex
@ -256,7 +256,11 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
    emoji_reactions =
      with %{data: %{"reactions" => emoji_reactions}} <- object do
        Enum.map(emoji_reactions, fn [emoji, users] ->
-          %{emoji: emoji, count: length(users)}
+          %{
+            emoji: emoji,
+            count: length(users),
+            reacted: !!(opts[:for] && opts[:for].ap_id in users)
+          }
        end)
      else
        _ -> []
--- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
@ -573,11 +573,14 @@ keeping it in cache for #{div(cache_ms, 1000)}s")
  assumed to be emojis and stored in the new `pack.json` file.
  """
  def import_from_fs(conn, _params) do
-    with {:ok, results} <- File.ls(emoji_dir_path()) do
+    emoji_path = emoji_dir_path()
+
+    with {:ok, %{access: :read_write}} <- File.stat(emoji_path),
+         {:ok, results} <- File.ls(emoji_path) do
      imported_pack_names =
        results
        |> Enum.filter(fn file ->
-          dir_path = Path.join(emoji_dir_path(), file)
+          dir_path = Path.join(emoji_path, file)
          # Find the directories that do NOT have pack.json
          File.dir?(dir_path) and not File.exists?(Path.join(dir_path, "pack.json"))
        end)
@ -585,6 +588,11 @@ keeping it in cache for #{div(cache_ms, 1000)}s")

      json(conn, imported_pack_names)
    else
+      {:ok, %{access: _}} ->
+        conn
+        |> put_status(:internal_server_error)
+        |> json(%{error: "Error: emoji pack directory must be writable"})
+
      {:error, _} ->
        conn
        |> put_status(:internal_server_error)
--- a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex
@ -47,13 +47,16 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do
           Object.normalize(activity) do
      reactions =
        emoji_reactions
-        |> Enum.map(fn [emoji, users] ->
-          users = Enum.map(users, &User.get_cached_by_ap_id/1)
+        |> Enum.map(fn [emoji, user_ap_ids] ->
+          users =
+            Enum.map(user_ap_ids, &User.get_cached_by_ap_id/1)
+            |> Enum.filter(& &1)

          %{
            emoji: emoji,
            count: length(users),
-            accounts: AccountView.render("index.json", %{users: users, for: user, as: :user})
+            accounts: AccountView.render("index.json", %{users: users, for: user, as: :user}),
+            reacted: !!(user && user.ap_id in user_ap_ids)
          }
        end)

--- a/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex
+++ b/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex
@ -48,6 +48,6 @@ defmodule Pleroma.Web.RichMedia.Parsers.MetaTagsParser do
  defp maybe_put_title(meta, _), do: meta

  defp get_page_title(html) do
-    Floki.find(html, "title") |> List.first() |> Floki.text()
+    Floki.find(html, "html head title") |> List.first() |> Floki.text()
  end
 end
--- a/lib/pleroma/web/streamer/worker.ex
+++ b/lib/pleroma/web/streamer/worker.ex
@ -138,7 +138,8 @@ defmodule Pleroma.Web.Streamer.Worker do

    with parent <- Object.normalize(item) || item,
         true <-
-           Enum.all?([blocked_ap_ids, muted_ap_ids, reblog_muted_ap_ids], &(item.actor not in &1)),
+           Enum.all?([blocked_ap_ids, muted_ap_ids], &(item.actor not in &1)),
+         true <- item.data["type"] != "Announce" || item.actor not in reblog_muted_ap_ids,
         true <- Enum.all?([blocked_ap_ids, muted_ap_ids], &(parent.data["actor"] not in &1)),
         true <- MapSet.disjoint?(recipients, recipient_blocks),
         %{host: item_host} <- URI.parse(item.actor),