Merge branch 'develop' into 'tusooa/quote'

# Conflicts:
#   lib/pleroma/constants.ex

lib/mix/tasks/pleroma/instance.ex

@@ -266,12 +266,20 @@ defmodule Mix.Tasks.Pleroma.Instance do
       config_dir = Path.dirname(config_path)
       psql_dir = Path.dirname(psql_path)
 
+      # Note: Distros requiring group read (0o750) on those directories should
+      # pre-create the directories.
       [config_dir, psql_dir, static_dir, uploads_dir]
       |> Enum.reject(&File.exists?/1)
-      |> Enum.map(&File.mkdir_p!/1)
+      |> Enum.each(fn dir ->
+        File.mkdir_p!(dir)
+        File.chmod!(dir, 0o700)
+      end)
 
       shell_info("Writing config to #{config_path}.")
 
+      # Sadly no fchmod(2) equivalent in Elixir…
+      File.touch!(config_path)
+      File.chmod!(config_path, 0o640)
       File.write(config_path, result_config)
       shell_info("Writing the postgres script to #{psql_path}.")
       File.write(psql_path, result_psql)
@@ -290,8 +298,7 @@ defmodule Mix.Tasks.Pleroma.Instance do
     else
       shell_error(
         "The task would have overwritten the following files:\n" <>
-          (Enum.map(will_overwrite, &"- #{&1}\n") |> Enum.join("")) <>
-          "Rerun with `--force` to overwrite them."
+          Enum.map_join(will_overwrite, &"- #{&1}\n") <> "Rerun with `--force` to overwrite them."
       )
     end
   end

lib/pleroma/config/release_runtime_provider.ex

@@ -20,6 +20,20 @@ defmodule Pleroma.Config.ReleaseRuntimeProvider do
 
     with_runtime_config =
       if File.exists?(config_path) do
+        # <https://git.pleroma.social/pleroma/pleroma/-/issues/3135>
+        %File.Stat{mode: mode} = File.lstat!(config_path)
+
+        if Bitwise.band(mode, 0o007) > 0 do
+          raise "Configuration at #{config_path} has world-permissions, execute the following: chmod o= #{config_path}"
+        end
+
+        if Bitwise.band(mode, 0o020) > 0 do
+          raise "Configuration at #{config_path} has group-wise write permissions, execute the following: chmod g-w #{config_path}"
+        end
+
+        # Note: Elixir doesn't provides a getuid(2)
+        # so cannot forbid group-read only when config is owned by us
+
         runtime_config = Config.Reader.read!(config_path)
 
         with_defaults

lib/pleroma/constants.ex

@@ -92,4 +92,6 @@ defmodule Pleroma.Constants do
       "application/activity+json"
     ]
   )
+
+  const(upload_object_types, do: ["Document", "Image"])
 end

lib/pleroma/emoji/pack.ex

@@ -285,6 +285,7 @@ defmodule Pleroma.Emoji.Pack do
 
   @spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
   def load_pack(name) do
+    name = Path.basename(name)
     pack_file = Path.join([emoji_path(), name, "pack.json"])
 
     with {:ok, _} <- File.stat(pack_file),

lib/pleroma/web/activity_pub/activity_pub.ex

@@ -455,6 +455,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
     |> maybe_preload_objects(opts)
     |> maybe_preload_bookmarks(opts)
     |> maybe_set_thread_muted_field(opts)
+    |> restrict_unauthenticated(opts[:user])
     |> restrict_blocked(opts)
     |> restrict_blockers_visibility(opts)
     |> restrict_recipients(recipients, opts[:user])
@@ -1215,6 +1216,27 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
 
   defp restrict_filtered(query, _), do: query
 
+  defp restrict_unauthenticated(query, nil) do
+    local = Config.restrict_unauthenticated_access?(:activities, :local)
+    remote = Config.restrict_unauthenticated_access?(:activities, :remote)
+
+    cond do
+      local and remote ->
+        from(activity in query, where: false)
+
+      local ->
+        from(activity in query, where: activity.local == false)
+
+      remote ->
+        from(activity in query, where: activity.local == true)
+
+      true ->
+        query
+    end
+  end
+
+  defp restrict_unauthenticated(query, _), do: query
+
   defp exclude_poll_votes(query, %{include_poll_votes: true}), do: query
 
   defp exclude_poll_votes(query, _) do

lib/pleroma/web/common_api/utils.ex

@@ -59,7 +59,12 @@ defmodule Pleroma.Web.CommonAPI.Utils do
   end
 
   defp get_attachment(media_id) do
-    Repo.get(Object, media_id)
+    with %Object{data: data} = object <- Repo.get(Object, media_id),
+         %{"type" => type} when type in Pleroma.Constants.upload_object_types() <- data do
+      object
+    else
+      _ -> nil
+    end
   end
 
   @spec get_to_and_cc(ActivityDraft.t()) :: {list(String.t()), list(String.t())}

lib/pleroma/web/endpoint.ex

@@ -101,13 +101,10 @@ defmodule Pleroma.Web.Endpoint do
   plug(Plug.Logger, log: :debug)
 
   plug(Plug.Parsers,
-    parsers: [
-      :urlencoded,
-      {:multipart, length: {Config, :get, [[:instance, :upload_limit]]}},
-      :json
-    ],
+    parsers: [:urlencoded, Pleroma.Web.Multipart, :json],
     pass: ["*/*"],
     json_decoder: Jason,
+    # Note: this is compile-time only, won't work for database-config
     length: Config.get([:instance, :upload_limit]),
     body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
   )

lib/pleroma/web/multipart.ex

@@ -0,0 +1,22 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2023 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+# <https://hexdocs.pm/plug/Plug.Parsers.MULTIPART.html#module-dynamic-configuration>
+defmodule Pleroma.Web.Multipart do
+  @multipart Plug.Parsers.MULTIPART
+
+  def init(opts) do
+    opts
+  end
+
+  def parse(conn, "multipart", subtype, headers, opts) do
+    length = Pleroma.Config.get([:instance, :upload_limit])
+    opts = @multipart.init([length: length] ++ opts)
+    @multipart.parse(conn, "multipart", subtype, headers, opts)
+  end
+
+  def parse(conn, _type, _subtype, _headers, _opts) do
+    {:next, conn}
+  end
+end

lib/pleroma/web/plugs/http_security_plug.ex

@@ -93,18 +93,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
 
     img_src = "img-src 'self' data: blob:"
     media_src = "media-src 'self'"
+    connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
 
     # Strict multimedia CSP enforcement only when MediaProxy is enabled
-    {img_src, media_src} =
+    {img_src, media_src, connect_src} =
       if Config.get([:media_proxy, :enabled]) &&
            !Config.get([:media_proxy, :proxy_opts, :redirect_on_failure]) do
         sources = build_csp_multimedia_source_list()
-        {[img_src, sources], [media_src, sources]}
+        {
+          [img_src, sources],
+          [media_src, sources],
+          [connect_src, sources]
+        }
       else
-        {[img_src, " https:"], [media_src, " https:"]}
+        {
+          [img_src, " https:"],
+          [media_src, " https:"],
+          [connect_src, " https:"]
+        }
       end
 
-    connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
 
     connect_src =
       if Config.get(:env) == :dev do

lib/pleroma/web/router.ex

@@ -996,8 +996,8 @@ defmodule Pleroma.Web.Router do
   scope "/", Pleroma.Web.Fallback do
     get("/registration/:token", RedirectController, :registration_page)
     get("/:maybe_nickname_or_id", RedirectController, :redirector_with_meta)
-    match(:*, "/api/pleroma*path", LegacyPleromaApiRerouterPlug, [])
-    get("/api*path", RedirectController, :api_not_implemented)
+    match(:*, "/api/pleroma/*path", LegacyPleromaApiRerouterPlug, [])
+    get("/api/*path", RedirectController, :api_not_implemented)
     get("/*path", RedirectController, :redirector_with_preload)
 
     options("/*path", RedirectController, :empty)

lib/pleroma/web/xml.ex

@@ -29,7 +29,10 @@ defmodule Pleroma.Web.XML do
       {doc, _rest} =
         text
         |> :binary.bin_to_list()
-        |> :xmerl_scan.string(quiet: true)
+        |> :xmerl_scan.string(
+          quiet: true,
+          allow_entities: false
+        )
 
       {:ok, doc}
     rescue