From 3266f3948a3e493d119881b263c181a57fc3dc7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Acid=20Chicken=20=28=E7=A1=AB=E9=85=B8=E9=B6=8F=29?= Date: Sun, 26 Aug 2018 17:55:06 +0900 Subject: [PATCH 001/539] Update README.md [AUTOGEN] --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5c1b243396..32a9baede5 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,7 @@ Misskey is using Crowdin for l10n. negao ne_moni Melilot +Axella べすれい gutfuckllc Peter G. @@ -66,6 +67,7 @@ Misskey is using Crowdin for l10n. negao ne_moni Melilot +Axella べすれい gutfuckllc Peter G. @@ -89,7 +91,7 @@ Misskey is using Crowdin for l10n. fujishan -**Last updated:** Wed, 22 Aug 2018 05:25:06 UTC +**Last updated:** Sun, 26 Aug 2018 08:55:06 UTC :four_leaf_clover: Copyright From 98f6b2324968a53cae88cd3ded515bf6efeda9d5 Mon Sep 17 00:00:00 2001 From: "greenkeeper[bot]" Date: Wed, 29 Aug 2018 12:27:33 +0000 Subject: [PATCH 002/539] fix(package): update summaly to version 2.2.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index eea3f363c3..11391ea2a0 100644 --- a/package.json +++ b/package.json @@ -193,7 +193,7 @@ "style-loader": "0.23.0", "stylus": "0.54.5", "stylus-loader": "3.0.2", - "summaly": "2.1.4", + "summaly": "2.2.0", "systeminformation": "3.44.2", "syuilo-password-strength": "0.0.1", "textarea-caret": "3.1.0", From 073c96af478f4c518ad19d2b7650c8a611321d62 Mon Sep 17 00:00:00 2001 From: "greenkeeper[bot]" Date: Wed, 29 Aug 2018 14:02:49 +0000 Subject: [PATCH 003/539] fix(package): update vue-js-modal to version 1.3.24 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index eea3f363c3..b48b336a49 100644 --- a/package.json +++ b/package.json 
@@ -210,7 +210,7 @@
 "vue": "2.5.17",
 "vue-chartjs": "3.4.0",
 "vue-cropperjs": "2.2.1",
- "vue-js-modal": "1.3.23",
+ "vue-js-modal": "1.3.24",
 "vue-json-tree-view": "2.1.4",
 "vue-loader": "15.4.1",
 "vue-router": "3.0.1",
From 5b943722fbd9a143b0b6b654e07e192e1218d4da Mon Sep 17 00:00:00 2001
From: "greenkeeper[bot]"
Date: Thu, 30 Aug 2018 00:16:12 +0000
Subject: [PATCH 004/539] fix(package): update @types/uuid to version 3.4.4
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 3123de1042..774c978f05 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
 "@types/speakeasy": "2.0.2",
 "@types/systeminformation": "3.23.0",
 "@types/tmp": "0.0.33",
- "@types/uuid": "3.4.3",
+ "@types/uuid": "3.4.4",
 "@types/webpack": "4.4.11",
 "@types/webpack-stream": "3.2.10",
 "@types/websocket": "0.0.39",
From 6a87e9f690c87579c37e3145bac080d6b6cbad35 Mon Sep 17 00:00:00 2001
From: "greenkeeper[bot]"
Date: Thu, 30 Aug 2018 00:18:42 +0000
Subject: [PATCH 005/539] fix(package): update @types/websocket to version 0.0.40
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 3123de1042..4496b950eb 100644
--- a/package.json
+++ b/package.json
@@ -79,7 +79,7 @@
 "@types/uuid": "3.4.3",
 "@types/webpack": "4.4.11",
 "@types/webpack-stream": "3.2.10",
- "@types/websocket": "0.0.39",
+ "@types/websocket": "0.0.40",
 "@types/ws": "6.0.0",
 "animejs": "2.2.0",
 "autosize": "4.0.2",
From dddf7834ccf2b915338da92f42544b5f20b12247 Mon Sep 17 00:00:00 2001
From: mei23
Date: Thu, 30 Aug 2018 20:52:35 +0900
Subject: [PATCH 006/539] Add host/digest to HTTP signature
---
 src/remote/activitypub/request.ts | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/remote/activitypub/request.ts b/src/remote/activitypub/request.ts
index 6238d3acb1..d739d08e15 100644
--- a/src/remote/activitypub/request.ts
+++ b/src/remote/activitypub/request.ts
@@ -2,6 +2,7 @@ import { request } from 'https';
 const { sign } = require('http-signature');
 import { URL } from 'url';
 import * as debug from 'debug';
+const crypto = require('crypto');
 import config from '../../config';
 import { ILocalUser } from '../../models/user';
@@ -13,6 +14,12 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
 const { protocol, hostname, port, pathname, search } = new URL(url);
+ const data = JSON.stringify(object);
+
+ const sha256 = crypto.createHash('sha256');
+ sha256.update(data);
+ const hash = sha256.digest('base64');
+
 const req = request({
 protocol,
 hostname,
@@ -20,7 +27,8 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
 method: 'POST',
 path: pathname + search,
 headers: {
- 'Content-Type': 'application/activity+json'
+ 'Content-Type': 'application/activity+json',
+ 'Digest': `SHA-256=${hash}`
 }
 }, res => {
 log(`${url} --> ${res.statusCode}`);
@@ -35,7 +43,8 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
 sign(req, {
 authorizationHeaderName: 'Signature',
 key: user.keypair,
- keyId: `${config.url}/users/${user._id}/publickey`
+ keyId: `${config.url}/users/${user._id}/publickey`,
+ headers: ['date', 'host', 'digest']
 });
 // Signature: Signature ... => Signature: ...
@@ -43,5 +52,5 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
 sig = sig.replace(/^Signature /, '');
 req.setHeader('Signature', sig);
- req.end(JSON.stringify(object));
+ req.end(data);
 });
From 48223c1c76f48ed59482c3e2a95564f18ff186ed Mon Sep 17 00:00:00 2001
From: mei23
Date: Thu, 30 Aug 2018 20:53:41 +0900
Subject: [PATCH 007/539] Validate host in activity
---
 src/queue/processors/http/process-inbox.ts | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)
diff --git a/src/queue/processors/http/process-inbox.ts b/src/queue/processors/http/process-inbox.ts
index c9c2fa72cb..a30efe1a3a 100644
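Review bot: `const crypto = require('crypto');` in the import hunk (`@@ -2,6 +2,7 @@`) brings the module in untyped, so the `createHash`, `update` and `digest` calls added further down are not checked by the compiler. The neighbouring lines already use ES imports for Node built-ins (`import { URL } from 'url';`), so `import * as crypto from 'crypto';` would match them and keep the hashing code typed.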
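Review bot: The `headers` list passed to `sign()` in the `@@ -35,7 +43,8 @@` hunk covers `date`, `host` and `digest` but not `(request-target)`, so the signature binds the destination host, the timestamp and the body hash while the HTTP method and path stay unsigned. A receiver checking only the signed headers cannot tell which path on that host the request was issued for. I would sign the request line as well, provided the installed http-signature version accepts it: `headers: ['(request-target)', 'date', 'host', 'digest']`. The exported function starts and ends outside this hunk; a short comment next to `req.end(data)` saying that the body must be the same `data` string the `Digest` header was computed from would protect that invariant against later edits.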
--- a/src/queue/processors/http/process-inbox.ts
+++ b/src/queue/processors/http/process-inbox.ts
@@ -6,6 +6,8 @@ import parseAcct from '../../../misc/acct/parse';
 import User, { IRemoteUser } from '../../../models/user';
 import perform from '../../../remote/activitypub/perform';
 import { resolvePerson } from '../../../remote/activitypub/models/person';
+import { toUnicode } from 'punycode';
+import { URL } from 'url';
 const log = debug('misskey:queue:inbox');
@@ -32,6 +34,15 @@ export default async (job: bq.Job, done: any): Promise => {
 return;
 }
+ // アクティビティ内のホストの検証
+ try {
+ ValidateActivity(activity, host);
+ } catch (e) {
+ console.warn(e);
+ done();
+ return;
+ }
+
 user = await User.findOne({ usernameLower: username, host: host.toLowerCase() }) as IRemoteUser;
 // アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する
@@ -39,6 +50,16 @@ export default async (job: bq.Job, done: any): Promise => {
 user = await resolvePerson(activity.actor) as IRemoteUser;
 }
 } else {
+ // アクティビティ内のホストの検証
+ const host = toUnicode(new URL(signature.keyId).hostname.toLowerCase());
+ try {
+ ValidateActivity(activity, host);
+ } catch (e) {
+ console.warn(e);
+ done();
+ return;
+ }
+
 user = await User.findOne({
 host: { $ne: null },
 'publicKey.id': signature.keyId
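Review bot: In the first branch (`@@ -32,6 +34,15 @@`) `host` is passed to `ValidateActivity` as it was parsed outside the hunk, while the `User.findOne` call right below still applies `host.toLowerCase()`, which suggests it is not normalised at that point. `ValidateActivity` compares it against `toUnicode(hostname.toLowerCase())`, so a mixed-case or punycode host would presumably make every activity from that server fail the check. Normalising at the call, `ValidateActivity(activity, toUnicode(host.toLowerCase()));`, puts both branches on the same comparison form. The rejection is reported through `console.warn(e)` although the file defines `log = debug('misskey:queue:inbox')`; using `log` would keep dropped activities in the same channel as the rest of the processor.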
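Review bot: `new URL(signature.keyId)` in the `else` branch (`@@ -39,6 +50,16 @@`) sits one line above the `try`, so a keyId that is not a parseable URL throws before the `catch` that calls `done()` can run. `signature.keyId` is presumably parsed from the incoming request and therefore remote-controlled; unless an enclosing `try` outside the hunk catches the error, the async handler rejects and the job is never completed. Moving the derivation into the block closes that path: `try { const host = toUnicode(new URL(signature.keyId).hostname.toLowerCase()); ValidateActivity(activity, host); } catch (e) { ... }`. The handler itself starts and ends outside the hunk.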
@@ -69,3 +90,37 @@ export default async (job: bq.Job, done: any): Promise => {
 done(e);
 }
 };
+
+/**
+ * Validate host in activity
+ * @param activity Activity
+ * @param host Expect host
+ */
+function ValidateActivity(activity: any, host: string) {
+ // id (if exists)
+ if (typeof activity.id === 'string') {
+ const uriHost = toUnicode(new URL(activity.id).hostname.toLowerCase());
+ if (host !== uriHost) throw new Error('activity.id has different host');
+ }
+
+ // actor (if exists)
+ if (typeof activity.actor === 'string') {
+ const uriHost = toUnicode(new URL(activity.actor).hostname.toLowerCase());
+ if (host !== uriHost) throw new Error('activity.actor has different host');
+ }
+
+ // For Create activity
+ if (activity.type === 'Create' && activity.object) {
+ // object.id (if exists)
+ if (typeof activity.object.id === 'string') {
+ const uriHost = toUnicode(new URL(activity.object.id).hostname.toLowerCase());
+ if (host !== uriHost) throw new Error('activity.object.id has different host');
+ }
+
+ // object.attributedTo (if exists)
+ if (typeof activity.object.attributedTo === 'string') {
+ const uriHost = toUnicode(new URL(activity.object.attributedTo).hostname.toLowerCase());
+ if (host !== uriHost) throw new Error('activity.object.attributedTo has different host');
+ }
+ }
+}
From f0abc4642969587039909d5f50adb7d4592f48ba Mon Sep 17 00:00:00 2001
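Review bot: Every check in `ValidateActivity` is guarded by `typeof … === 'string'`, so a field that is present in another shape passes without any host comparison: `actor` or `attributedTo` given as an object or an array, and `object` given as a bare URI string on a `Create`. ActivityStreams permits those shapes, so the function should compare every URI a field carries and skip only fields that are really absent. The object checks run for `Create` only; whether `Update` and `Delete` need them too has to be decided against `perform`, which is not visible here. The four blocks also repeat the same normalisation, which the sketch below folds into one helper; it still lets an embedded object without an `id` through, and that case needs an explicit decision.

```typescript
function ValidateActivity(activity: any, host: string) {
	// Every URI a field can carry: a string, an object with a string id, or an array of either
	const uris = (value: any): string[] => {
		if (value == null) return [];
		if (Array.isArray(value)) return value.reduce((acc: string[], v: any) => acc.concat(uris(v)), []);
		if (typeof value === 'string') return [value];
		return typeof value.id === 'string' ? [value.id] : [];
	};

	// Throws when any URI carried by the field is on another host (new URL also throws on a malformed URI)
	const check = (value: any, name: string) => {
		for (const uri of uris(value)) {
			const uriHost = toUnicode(new URL(uri).hostname.toLowerCase());
			if (host !== uriHost) throw new Error(`${name} has different host`);
		}
	};

	check(activity.id, 'activity.id');
	check(activity.actor, 'activity.actor');

	// For Create activity
	if (activity.type === 'Create' && activity.object) {
		// covers object given as a URI string as well as the id of an embedded object
		check(activity.object, 'activity.object.id');
		check(activity.object.attributedTo, 'activity.object.attributedTo');
	}
}
```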
From: syuilo
Date: Thu, 30 Aug 2018 22:10:29 +0900
Subject: [PATCH 008/539] =?UTF-8?q?=E9=96=8B=E7=99=BA=E3=83=A2=E3=83=BC?=
 =?UTF-8?q?=E3=83=89=E3=81=A7=E8=AD=A6=E5=91=8A=E3=82=92=E8=A1=A8=E7=A4=BA?=
 =?UTF-8?q?=E3=81=99=E3=82=8B=E3=82=88=E3=81=86=E3=81=AB=E3=81=99=E3=82=8B?=
 =?UTF-8?q?=E3=81=AA=E3=81=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 locales/ja-JP.yml | 2 ++
 src/client/app/config.ts | 2 ++
 .../desktop/views/components/ui.header.vue | 19 ++++++++++++++++++-
 .../app/mobile/views/components/ui.header.vue | 18 +++++++++++++++---
 src/client/app/mobile/views/components/ui.vue | 7 +++++++
 webpack.config.ts | 3 ++-
 6 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index 84b7ddb26f..6ebd167803 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -94,6 +94,8 @@ common:
 verified-user: "公式アカウント"
 disable-animated-mfm: "投稿内の動きのあるテキストを無効にする"
+ do-not-use-in-production: 'これは開発ビルドです。本番環境で使用しないでください。'
+
 reversi:
 drawn: "引き分け"
 my-turn: "あなたのターンです"
diff --git a/src/client/app/config.ts b/src/client/app/config.ts
index 74b9ea21c8..a326c521db 100644
--- a/src/client/app/config.ts
+++ b/src/client/app/config.ts
@@ -4,6 +4,7 @@ declare const _THEME_COLOR_: string;
 declare const _COPYRIGHT_: string;
 declare const _VERSION_: string;
 declare const _CODENAME_: string;
+declare const _ENV_: string;
 const address = new URL(location.href);
@@ -18,3 +19,4 @@ export const themeColor = _THEME_COLOR_;
 export const copyright = _COPYRIGHT_;
 export const version = _VERSION_;
 export const codename = _CODENAME_;
+export const env = _ENV_;
diff --git a/src/client/app/desktop/views/components/ui.header.vue b/src/client/app/desktop/views/components/ui.header.vue
index 6de4eaf744..ac8a6c7765 100644
--- a/src/client/app/desktop/views/components/ui.header.vue
+++ b/src/client/app/desktop/views/components/ui.header.vue
@@ -1,5 +1,6 @@