path: root/packages/backend/src/server/api/endpoints/ap/show.ts

Commit message | Author | Age | Files | Lines
emit IdentifiableErrors from validator.ts | Hazelnoot | 2025-06-06 | 1 | -0/+4

lint and type fixes | Hazelnoot | 2025-04-01 | 1 | -1/+2

remerge: remove FetchAllowSoftFailMask in favor of our same-authority checks | Hazelnoot | 2025-03-25 | 1 | -27/+13

merge upstream | Hazelnoot | 2025-03-25 | 1 | -9/+3

Merge commit from fork | 饺子w (Yumechi) | 2025-02-23 | 1 | -9/+3
    * fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. [GHSA-6w2c-vf6f-xf26](https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26)
      Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
    * Enhance: Add configuration option to disable all external redirects when responding to an ActivityPub lookup (config.disallowExternalApRedirect)
      Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
    * fixup! fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly.
    * docs & one edge case
      Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
    * apply suggestions
      Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
    * remove stale frontend reference to _responseInvalidIdHostNotMatch
      Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
    * apply suggestions
      Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
    ---------
    Signed-off-by: eternal-flame-AD <yume@yumechi.jp>

remove assertActivityMatchesUrls in favor of three-way same-authority checks | Hazelnoot | 2025-03-02 | 1 | -3/+5

Merge branch 'develop' into merge/2024-02-03 | Hazelnoot | 2025-02-11 | 1 | -3/+22

allow ap/show to follow cross-domain redirects | Hazelnoot | 2025-02-05 | 1 | -1/+20

use leaky bucket rate limit for ap/show | Hazelnoot | 2025-02-05 | 1 | -2/+2

merge upstream 2025-02-03 | Hazelnoot | 2025-02-03 | 1 | -2/+63

enhance(frontend): show errors when performing a lookup (#15147) | かっこかり | 2024-12-19 | 1 | -2/+63
    * enhance: show the reason a lookup failed
    * Update Changelog
    * fix
    * fix test
    * lookupErrors -> remoteLookupErrors

Merge tag '2024.11.0' into feature/2024.10 | dakkar | 2024-11-22 | 1 | -0/+1

fix(backend): fix apResolver (#15010) | かっこかり | 2024-11-21 | 1 | -2/+3
    * fix(backend): fix apResolver
    * fix
    * add comments
    * tweak comment

fix(backend): fix security patches (#15008) | かっこかり | 2024-11-21 | 1 | -2/+2

fix ap/show | syuilo | 2024-11-21 | 1 | -1/+1

Merge commit from fork | Julia | 2024-11-21 | 1 | -0/+5
    * enhance: Add a few validation fixes from Sharkey
      See the original MR on the GitLab instance: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484
      Co-Authored-By: Dakkar <dakkar@thenautilus.net>
    * fix: primitive 2: acceptance of cross-origin alternate
      Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
    * fix: primitive 3: validation of non-final url
    * fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities
    * fix: primitives 5 & 8: reject activities with non-string identifiers
      Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
    * fix: primitive 6: reject anonymous objects that were fetched by their id
    * fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name
      Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
    * fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections
    * fix: code style for primitive 14
    * fix: primitive 15: improper same-origin validation for note uri and url
      Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
    * fix: primitive 16: improper same-origin validation for user uri and url
    * fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array
    * fix: code style for primitive 17
    * fix: check attribution against actor in notes
      While this isn't strictly required to fix the exploits at hand, this mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a preemptive countermeasure.
    * fix: primitive 18: `ap/get` bypasses access checks
      One might argue that we could make this one actually perform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else.
    * fix: primitive 19 & 20: respect blocks and hide more
      Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked.
    * fix: primitives 21, 22, and 23: reuse resolver
      This also increases the default `recursionLimit` for `Resolver`, as it theoretically will go higher than it previously would and could possibly fail on non-malicious collection activities.
    * fix: primitives 25-33: proper local instance checks
    * revert: fix: primitive 19 & 20
      This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.
    ---------
    Co-authored-by: Dakkar <dakkar@thenautilus.net>
    Co-authored-by: Laura Hausmann <laura@hausmann.dev>
    Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>

fix: primitive 13: check attribution against actor in notes | Julia Johannesen | 2024-11-20 | 1 | -1/+1

Merge remote-tracking branch 'misskey/master' into feature/2024.9.0 | dakkar | 2024-10-09 | 1 | -7/+4

wip (#14643) | syuilo | 2024-09-28 | 1 | -7/+1

refactor/perf(backend): provide metadata statically (#14601) | syuilo | 2024-09-22 | 1 | -6/+8
    * wip
    * Update ReactionService.ts
    * Update ApiCallService.ts
    * Update timeline.ts
    * Update GlobalModule.ts
    * Update GlobalModule.ts
    * Update NoteEntityService.ts
    * wip
    * wip
    * wip
    * Update ApPersonService.ts
    * wip
    * Update GlobalModule.ts
    * Update mock-resolver.ts
    * Update RoleService.ts
    * Update activitypub.ts
    * Update activitypub.ts
    * Update activitypub.ts
    * Update activitypub.ts
    * Update activitypub.ts
    * clean up
    * Update utils.ts
    * Update UtilityService.ts
    * Revert "Update utils.ts"
      This reverts commit a27d4be764b78c1b5a9eac685e261fee49331d89.
    * Revert "Update UtilityService.ts"
      This reverts commit e5fd9e004c482cf099252201c0c1aa888e001430.
    * vuwa-
    * Revert "vuwa-"
      This reverts commit 0c3bd12472b4b9938cdff2d6f131e6800bc3724c.
    * Update entry.ts
    * Update entry.ts
    * Update entry.ts
    * Update entry.ts
    * Update jest.setup.ts

some validation fixes | dakkar | 2024-03-30 | 1 | -1/+5

merge: upstream | Marie | 2024-02-19 | 1 | -1/+1

(re) update SPDX-FileCopyrightText | tamaina | 2024-02-13 | 1 | -1/+1
    Fix #13290

Revert "update SPDX-FileCopyrightText" | tamaina | 2024-02-13 | 1 | -1/+1
    This reverts commit 9b5aeb76d8c9372d67058c512597152b6bf222f2.

update SPDX-FileCopyrightText | syuilo | 2024-02-12 | 1 | -1/+1

merge: upstream | Marie | 2024-02-03 | 1 | -1/+1

refactor(backend): tighten the schema/type specifications for User-related code (#12808) | zyoshoka | 2024-01-31 | 1 | -1/+1
    * refactor(backend): tighten the schema/type specifications for User-related code
    * refactor(backend): specify a schema in the arguments of `pack()`
    * chore: fix ci
    * fix: missed change
    * fix ci
    ---------
    Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>

Merge pull request from GHSA-7pxq-6xx9-xpgm | Chocolate Pie | 2023-12-27 | 1 | -0/+1
    * fix: fix improper authorization when accessing with third-party application
    * refactor: refactor type definitions
    * fix: get rid of unnecessary access limitation
    * enhance: allow third-party applications to use the Websocket API
    * fix: add missing parentheses
    * Revert "fix(backend): add missing kind definition for admin endpoints to improve security"
      This reverts commit 5150053275594278e9eb23e72d98b16593c4c230.
    * frontend: fix missing translations; hide read:admin and write:admin by default in the access token issuance UI
    * enhance(test): add tests for misskey-ghsa-7pxq-6xx9-xpgm
    * enhance(test): also add tests for the Websocket API
    * enhance(refactor): merge `@/misc/api-permissions.ts` into `misskey-js/permissions`
    * fix(frontend): fix an issue where enabling all permissions in the access token issuance UI also granted access to the admin APIs
    * enhance(backend): change the minimum permissions required for a Websocket connection
    * fix(backend): make `/api/admin/meta` inaccessible to third-party applications
    * fix(backend): change the permissions required to access endpoints
    * fix(frontend/locale): Add missing type declaration
    * chore: update `misskey-js/src/autogen`
    ---------
    Co-authored-by: tamaina <tamaina@hotmail.co.jp>

Merge pull request from GHSA-7pxq-6xx9-xpgm | Chocolate Pie | 2023-12-28 | 1 | -0/+1
    * fix: fix improper authorization when accessing with third-party application
    * refactor: refactor type definitions
    * fix: get rid of unnecessary access limitation
    * enhance: allow third-party applications to use the Websocket API
    * fix: add missing parentheses
    * Revert "fix(backend): add missing kind definition for admin endpoints to improve security"
      This reverts commit 5150053275594278e9eb23e72d98b16593c4c230.
    * frontend: fix missing translations; hide read:admin and write:admin by default in the access token issuance UI
    * enhance(test): add tests for misskey-ghsa-7pxq-6xx9-xpgm
    * enhance(test): also add tests for the Websocket API
    * enhance(refactor): merge `@/misc/api-permissions.ts` into `misskey-js/permissions`
    * fix(frontend): fix an issue where enabling all permissions in the access token issuance UI also granted access to the admin APIs
    * enhance(backend): change the minimum permissions required for a Websocket connection
    * fix(backend): make `/api/admin/meta` inaccessible to third-party applications
    * fix(backend): change the permissions required to access endpoints
    * fix(frontend/locale): Add missing type declaration
    * chore: update `misskey-js/src/autogen`
    ---------
    Co-authored-by: tamaina <tamaina@hotmail.co.jp>

upd: add MFM to HTML support and Mentions parsing to mastodon api (#33) | Marie | 2023-10-01 | 1 | -1/+1
    * upd: attempt to turn MFM to html on mastodon
    * revert: recent change until better implementation later
    * chore: remove unused packages
    * Update docker.yml
    * upd: add MFM to HTML for timelines and status view
    * chore: lint
    * upd: megalodon resolve urls
    * upd: add splitting
    * test: local user mention
    * test: change local user url in mention
    * upd: change check
    * test: megalodon changes
    * upd: edit resolving of local users
      This is starting to drive me nuts
    * upd: remove the @ symbol in query
    * fix: make renderPerson return host instead of null for local
    * upd: change url for local user
    * upd: change limit
    * upd: add url to output
    * upd: add mastodon boolean
    * test: test different format
    * fix: test of different format
    * test: change up resolving
    * fix: forgot to provide url
    * upd: change lookup function a bit
    * test: substring
    * test: regex
    * upd: remove substr
    * test: new regexs
    * dirty test
    * test: one last attempt for today
    * upd: fix build error
    * upd: take input from iceshrimp dev
    * upd: parse remote statuses
    * upd: fix pleroma users misformatted urls
    * upd: add uri to normal user
    * fix: forgot to push updated types
    * fix: resolving broke
    * fix: html not converting correctly
    * fix: return default img if no banner
    * upd: swap out img used for no header, set fallback avatar
    * fix: html escaped & and ' symbols
    * upd: fix ' converting into 39; and get profile fields
    * upd: resolve fields on lookup
    ---------
    Co-authored-by: Amelia Yukii <123300075+Insert5StarName@users.noreply.github.com>

refactor(backend): update directory structure for models | syuilo | 2023-09-20 | 1 | -2/+2

chore(backend): Resolve `import/no-default-export` rule violations (#11732) | woxtu | 2023-08-17 | 1 | -2/+1
    * Disable `import/no-default-export` properly
    * Disable `import/no-default-export`

refactor: prefix Mi for all entities (#11719) | syuilo | 2023-08-16 | 1 | -4/+4
    * wip
    * wip
    * wip
    * wip
    * Update RepositoryModule.ts
    * wip
    * wip
    * wip
    * Revert "wip"
      This reverts commit c1c13b37d2aaf3c65bc148212da302b0eb7868bf.

refactor(backend): Remove unused injections (#11462) | woxtu | 2023-08-05 | 1 | -9/+1
    * Remove unused injections
    * Remove unused imports

chore: add copyright and license information to each file (#11348) | Shun Sakai | 2023-07-27 | 1 | -0/+5
    * chore: Add the SPDX information to each file
      Add copyright and licensing information as defined in version 3.0 of the REUSE Specification.
    * tweak format
    ---------
    Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>

refactor: rename schema to json-schema | syuilo | 2023-03-10 | 1 | -1/+1

refactor | syuilo | 2023-02-13 | 1 | -3/+3

refactor: fix types | syuilo | 2023-02-13 | 1 | -3/+3

enhance: Judge instance block by endsWith (#9263) | tamaina | 2023-01-13 | 1 | -1/+1
    * endsWith in TypeScript
    * fix
    * SQL?
    * dumb, dumb
    * Update packages/backend/src/core/UtilityService.ts
      Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>
    * add comment
    * add description
    * Update packages/backend/src/core/UtilityService.ts
      Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>
    * Update packages/backend/src/core/chart/charts/federation.ts
      Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>
    * remove comment
    * fix
    * fix?
    * add changelog
    * ILIKE, ARRAY
    Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>
    Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>

refactor: introduce bindThis decorator to bind this automatically | syuilo | 2022-12-04 | 1 | -0/+3

refactor | syuilo | 2022-12-04 | 1 | -5/+5

fix import type | syuilo | 2022-09-21 | 1 | -1/+1

test | syuilo | 2022-09-19 | 1 | -6/+6

changed a whole lot of stuff | syuilo | 2022-09-18 | 1 | -72/+93

refactor: simplify ap/show with DbResolver (#8838) | Johann150 | 2022-06-23 | 1 | -99/+33
    Using the existing code in DbResolver we can avoid separate code for parsing the URIs in this endpoint.
    Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>

refactor: migrate to typeorm 3.0 (#8443) | syuilo | 2022-03-26 | 1 | -8/+8
    * wip
    * wip
    * wip
    * Update following.ts
    * wip
    * wip
    * wip
    * Update resolve-user.ts
    * maxQueryExecutionTime
    * wip
    * wip

refactor: Use ESM (#8358) | syuilo | 2022-02-27 | 1 | -13/+13
    * wip
    * wip
    * fix
    * clean up
    * Update tsconfig.json
    * Update activitypub.ts
    * wip

Fix ajv (#8333) | tamaina | 2022-02-20 | 1 | -1/+1
    * wip
    * :v:
    * use ajv/dist/core
    * revert try
    * clean up

refactor: use ajv instead of cafy (#8324) | syuilo | 2022-02-19 | 1 | -8/+9
    * wip
    * wip
    * Update abuse-user-reports.ts
    * Update files.ts
    * Update list-remote.ts
    * Update list.ts
    * Update show-users.ts
    * wip
    * wip
    * wip
    * wip
    * wip
    * wip
    * wip
    * wip
    * wip
    * wip
    * wip
    * Update update.ts
    * Update search.ts
    * Update reactions.ts
    * Update search.ts
    * wip
    * wip
    * wip
    * wip
    * Update update.ts
    * Update relation.ts
    * Update available.ts
    * wip
    * wip
    * wip
    * Update packages/backend/src/server/api/define.ts
      Co-authored-by: Johann150 <johann.galle@protonmail.com>
    * Update define.ts
    * Update define.ts
    * typo
    * wip
    * wip
    * wip
    * wip
    * wip
    * wip
    * wip
    * wip
    * Update update.ts
    * wip
    * Update signup.ts
    * Update call.ts
    * minimum for limit
    * type
    * remove needless annotation
    * wip
    * Update signup.ts
    * wip
    * wip
    * fix
    * Update create.ts
    Co-authored-by: Johann150 <johann.galle@protonmail.com>

refactor: clean up the definitions in API endpoint files (#8154) | tamaina | 2022-01-18 | 1 | -18/+39
    * Fix API Schema Error
    * Delete SimpleSchema/SimpleObj and Move schemas to dedicated files
    * try splitting the User schema
    * define packMany type
    * add ,
    * Ensure enum schema and Make "as const" put once
    * test?
    * Revert "test?"
      This reverts commit 97dc9bfa70851bfb7d1cf38e883f8df20fb78b79.
    * Revert "Fix API Schema Error"
      This reverts commit 21b6176d974ed8e3eb73723ad21a105c5d297323.
    * :v:
    * clean up
    * test?
    * wip
    * wip
    * better schema def
    * :v:
    * fix
    * add minLength property
    * wip
    * wip
    * wip
    * support anyOf/oneOf/allOf? ~ relation.ts
    * refactor!
    * Define MinimumSchema
    * wip
    * wip
    * fix UnionSchemaType so that anyOf/oneOf/allOf work
    * fix UnionSchemaType so that anyOf/oneOf/allOf work
    * Update packages/backend/src/misc/schema.ts
      Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>
    * fix
    * give array oneOf a more precise type
    * give array oneOf a more precise type
    * wip
    * :v:
    * all sorts of things
    * remove
    * very good schema
    * api schema
    * wip
    * refactor: try changing the type definition of awaitAll
    * fix
    * specify types in awaitAll
    * specify types in awaitAll
    * :v:
    * wip
    * ...
    * :v:
    * leave AllowDate out
    * remove unnecessary optional: false, nullable: false
    * keep Packed from being expanded
    * packed, continued
    * wip
    * define note type
    * wip
    * make it possible to distinguish UserDetailed as MeDetailed or UserDetailedNotMe
    * wip
    * wip
    * wip specify user type of other schemas
    * ok
    * rework convertSchemaToOpenApiSchema
    * rework convertSchemaToOpenApiSchema
    * Fix
    * fix
    * :v:
    * wip
    * define with allOf instead of destructuring assignment
    Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>