my misskey fork http://g.freya.cat/misskey/atom?h=master 2026-03-05T17:55:43Z 2026-03-05T17:55:43Z Freya Murphy freya@freyacat.org 2026-03-02T21:05:12Z urn:sha1:587ab8500abb2d8b0a494dc05952c9919cc7f66f 2026-01-08T02:49:12Z anatawa12 anatawa12@icloud.com 2026-01-08T02:49:12Z urn:sha1:666f78e676e29abd48b351c58270b3f721f03573 * dev: set --no-bail for lint task * lint: enable no-async-promise-executor lint and fix them * lint: enable no-unused-vars with allowing _ prefix * lint: fix semi 2025-06-08T00:12:59Z zyoshoka 107108195+zyoshoka@users.noreply.github.com 2025-06-08T00:12:59Z urn:sha1:b5767c315a31363edac4fe39aa5202f94942f7e9 2025-04-15T07:15:27Z anatawa12 anatawa12@icloud.com 2025-04-15T07:15:27Z urn:sha1:b2e3e658965b52873dd6771cf9771b3032a0ed15 * fix: use ftt for outbox * chore: check for enableFanoutTimeline * lint: fix lint 2025-04-13T09:34:33Z anatawa12 anatawa12@icloud.com 2025-04-13T09:34:33Z urn:sha1:4c473eb76d77736ce4c46a7d0c967f3a872cd769 * fix: resolve with non-lowercased acct is broken * docs(changelog): Fix: 大文字を含むユーザの URL で紹介された場合に 404 エラーを返す問題 2025-03-17T04:21:09Z syuilo 4439005+syuilo@users.noreply.github.com 2025-03-17T04:21:09Z urn:sha1:6c8f21b608eb6e9e7691983c7e57f1cbe0a28fc1 2025-03-07T07:03:52Z かっこかり 67428053+kakkokari-gtyih@users.noreply.github.com 2025-03-07T07:03:52Z urn:sha1:83c3bb839f50fc24f667611f6852db3b14bd05e6 * Revert "fix(build): corepackのバグの回避 (#15387)" This reverts commit 9c70a4e63130f85d191c5bc16d0a4be5cd1dece2. * deps: update pnpm to v10 * fix broken lockfile * update changelog * fix * fix * Revert "fix" This reverts commit 4abc6c194edc20989f5ec97d343307a4b8c9047d. * fix * fix * attempt to fix docker build * lint fixes * fix: revertしすぎた * detect pnpm version and install it * fix: そもそもpnpmを2回入れる必要がないかも * fix * refactor * fix * refactor: remove unnecessary arg * Update Dockerfile * update pnpm to v10.6.1 * Update Changelog * chore: use node to avoid installing jq 2025-01-08T10:35:09Z かっこかり 67428053+kakkokari-gtyih@users.noreply.github.com 2025-01-08T10:35:09Z urn:sha1:55713fcd657983add090a7788c6ffd984cbbd15f * fix(backend/ActivityPubServerService): apOrHtml Constraintが正しく評価されない問題を修正 (MisskeyIO#869) * Update Changelog * indent --------- Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com> 2024-11-20T23:20:09Z Julia julia@insertdomain.name 2024-11-20T23:20:09Z urn:sha1:5f675201f261d5db6a58d3099a190372bb2f09f0 * enhance: Add a few validation fixes from Sharkey See the original MR on the GitLab instance: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484 Co-Authored-By: Dakkar <dakkar@thenautilus.net> * fix: primitive 2: acceptance of cross-origin alternate Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 3: validation of non-final url * fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities * fix: primitives 5 & 8: reject activities with non string identifiers Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 6: reject anonymous objects that were fetched by their id * fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections * fix: code style for primitive 14 * fix: primitive 15: improper same-origin validation for note uri and url Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 16: improper same-origin validation for user uri and url * fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array * fix: code style for primitive 17 * fix: check attribution against actor in notes While this isn't strictly required to fix the exploits at hand, this mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a preemptive countermeasure. * fix: primitive 18: `ap/get` bypasses access checks One might argue that we could make this one actually preform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else. * fix: primitive 19 & 20: respect blocks and hide more Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked. * fix: primitives 21, 22, and 23: reuse resolver This also increases the default `recursionLimit` for `Resolver`, as it theoretically will go higher that it previously would and could possibly fail on non-malicious collection activities. * fix: primitives 25-33: proper local instance checks * revert: fix: primitive 19 & 20 This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c. --------- Co-authored-by: Dakkar <dakkar@thenautilus.net> Co-authored-by: Laura Hausmann <laura@hausmann.dev> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> 2024-11-09T01:54:44Z momoirodouhu momoirodouhu@gmail.com 2024-11-09T01:54:44Z urn:sha1:a4c5ce1413078c9b98816644bebfcc0a24e94a85 * enhance(backend) : リモートユーザーの照会をオリジナルにリダイレクトするように (#12892) * オリジンリダイレクトのテストをtodoとして追加。 e2eテストにリモートユーザー考慮のテストがなさそうなので。 次のコマンドで動くことは確認済みです。 curl "http://localhost:3000/@foo@bar" -H "accept: application/activity+json" -L * Acctのパースを既存のパーサーでするように修正 * lint