Merge branch 'develop' into schedule-note

2023-11-16 02:51:53 +09:00 · 2023-11-16 02:51:53 +09:00 · 49e0681f80
commit 49e0681f80
parent cb00b236d2 838c70192e
30 changed files with 574 additions and 170 deletions
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@ -151,6 +151,7 @@
 		"rss-parser": "3.13.0",
 		"rxjs": "7.8.1",
 		"sanitize-html": "2.11.0",
+		"secure-json-parse": "^2.4.0",
 		"sharp": "0.32.6",
 		"sharp-read-bmp": "github:misskey-dev/sharp-read-bmp",
 		"slacc": "0.0.10",
--- a/packages/backend/src/core/activitypub/ApRendererService.ts
+++ b/packages/backend/src/core/activitypub/ApRendererService.ts
@ -464,7 +464,7 @@ export class ApRendererService {
 		const attachment = profile.fields.map(field => ({
 			type: 'PropertyValue',
 			name: field.name,
-			value: /^https?:/.test(field.value)
+			value: (field.value.startsWith('http://') || field.value.startsWith('https://'))
 				? `<a href="${new URL(field.value).href}" rel="me nofollow noopener" target="_blank">${new URL(field.value).href}</a>`
 				: field.value,
 		}));
--- a/packages/backend/src/server/ActivityPubServerService.ts
+++ b/packages/backend/src/server/ActivityPubServerService.ts
@ -11,6 +11,7 @@ import httpSignature from '@peertube/http-signature';
 import { Brackets, In, IsNull, LessThan, Not } from 'typeorm';
 import accepts from 'accepts';
 import vary from 'vary';
+import secureJson from 'secure-json-parse';
 import { DI } from '@/di-symbols.js';
 import type { FollowingsRepository, NotesRepository, EmojisRepository, NoteReactionsRepository, UserProfilesRepository, UserNotePiningsRepository, UsersRepository, FollowRequestsRepository } from '@/models/_.js';
 import * as url from '@/misc/prelude/url.js';
@ -28,7 +29,7 @@ import { UserEntityService } from '@/core/entities/UserEntityService.js';
 import { bindThis } from '@/decorators.js';
 import { IActivity } from '@/core/activitypub/type.js';
 import { isPureRenote } from '@/misc/is-pure-renote.js';
-import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOptions } from 'fastify';
+import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOptions, FastifyBodyParser } from 'fastify';
 import type { FindOptionsWhere } from 'typeorm';

 const ACTIVITY_JSON = 'application/activity+json; charset=utf-8';
@ -512,9 +513,28 @@ export class ActivityPubServerService {
 			},
 		});

+		const almostDefaultJsonParser: FastifyBodyParser<Buffer> = function (request, rawBody, done) {
+			if (rawBody.length === 0) {
+				const err = new Error('Body cannot be empty!') as any;
+				err.statusCode = 400;
+				return done(err);
+			}
+
+			try {
+				const json = secureJson.parse(rawBody.toString('utf8'), null, {
+					protoAction: 'ignore',
+					constructorAction: 'ignore',
+				});
+				done(null, json);
+			} catch (err: any) {
+				err.statusCode = 400;
+				return done(err);
+			}
+		};
+
 		fastify.register(fastifyAccepts);
-		fastify.addContentTypeParser('application/activity+json', { parseAs: 'string' }, fastify.getDefaultJsonParser('ignore', 'ignore'));
-		fastify.addContentTypeParser('application/ld+json', { parseAs: 'string' }, fastify.getDefaultJsonParser('ignore', 'ignore'));
+		fastify.addContentTypeParser('application/activity+json', { parseAs: 'buffer' }, almostDefaultJsonParser);
+		fastify.addContentTypeParser('application/ld+json', { parseAs: 'buffer' }, almostDefaultJsonParser);

 		fastify.addHook('onRequest', (request, reply, done) => {
 			reply.header('Access-Control-Allow-Headers', 'Accept');
--- a/packages/backend/src/server/ServerService.ts
+++ b/packages/backend/src/server/ServerService.ts
@ -88,9 +88,9 @@ export class ServerService implements OnApplicationShutdown {
 		}

 		// Register raw-body parser for ActivityPub HTTP signature validation.
-		fastify.register(fastifyRawBody, {
+		await fastify.register(fastifyRawBody, {
 			global: false,
-			encoding: 'utf-8',
+			encoding: null,
 			runFirst: true,
 		});

--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@ -379,16 +379,26 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-

 			const newName = updates.name === undefined ? user.name : updates.name;
 			const newDescription = profileUpdates.description === undefined ? profile.description : profileUpdates.description;
+			const newFields = profileUpdates.fields === undefined ? profile.fields : profileUpdates.fields;

 			if (newName != null) {
 				const tokens = mfm.parseSimple(newName);
-				emojis = emojis.concat(extractCustomEmojisFromMfm(tokens!));
+				emojis = emojis.concat(extractCustomEmojisFromMfm(tokens));
 			}

 			if (newDescription != null) {
 				const tokens = mfm.parse(newDescription);
-				emojis = emojis.concat(extractCustomEmojisFromMfm(tokens!));
-				tags = extractHashtags(tokens!).map(tag => normalizeForSearch(tag)).splice(0, 32);
+				emojis = emojis.concat(extractCustomEmojisFromMfm(tokens));
+				tags = extractHashtags(tokens).map(tag => normalizeForSearch(tag)).splice(0, 32);
+			}
+
+			for (const field of newFields) {
+				const nameTokens = mfm.parseSimple(field.name);
+				const valueTokens = mfm.parseSimple(field.value);
+				emojis = emojis.concat([
+					...extractCustomEmojisFromMfm(nameTokens),
+					...extractCustomEmojisFromMfm(valueTokens),
+				]);
 			}

 			updates.emojis = emojis;
--- a/packages/backend/src/server/api/endpoints/notes/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/create.ts
@ -82,6 +82,12 @@ export const meta = {
 			id: '749ee0f6-d3da-459a-bf02-282e2da4292c',
 		},

+		cannotReplyToInvisibleNote: {
+			message: 'You cannot reply to an invisible Note.',
+			code: 'CANNOT_REPLY_TO_AN_INVISIBLE_NOTE',
+			id: 'b98980fa-3780-406c-a935-b6d0eeee10d1',
+		},
+
 		cannotReplyToPureRenote: {
 			message: 'You can not reply to a pure Renote.',
 			code: 'CANNOT_REPLY_TO_A_PURE_RENOTE',
@ -325,6 +331,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 					throw new ApiError(meta.errors.noSuchReplyTarget);
 				} else if (isPureRenote(reply)) {
 					throw new ApiError(meta.errors.cannotReplyToPureRenote);
+				} else if (!await this.noteEntityService.isVisibleForMe(reply, me.id)) {
+					throw new ApiError(meta.errors.cannotReplyToInvisibleNote);
 				}

 				// Check blocking
--- a/packages/backend/test/e2e/timelines.ts
+++ b/packages/backend/test/e2e/timelines.ts
@ -152,6 +152,7 @@ describe('Timelines', () => {

 			await api('/following/create', { userId: bob.id }, alice);
 			await api('/following/create', { userId: carol.id }, alice);
+			await api('/following/create', { userId: carol.id }, bob);
 			await api('/following/update', { userId: bob.id, withReplies: true }, alice);
 			await sleep(1000);
 			const carolNote = await post(carol, { text: 'hi', visibility: 'followers' });