Merge commit '8e0fd2d619dac93c193da6a762564244e5622498' into glitch-s…

…oc/merge-upstream Conflicts: - `.github/workflows/build-image.yml`: Upstream changed how releases are tagged, we don't have releases. Ignored the changes
glitch-soc · Jul 12, 2023 · 2aadebc · 2aadebc
2 parents 15f6fa8 + 8e0fd2d
commit 2aadebc
Show file tree

Hide file tree

Showing 10 changed files with 292 additions and 157 deletions.
diff --git a/.github/workflows/bundler-audit.yml b/.github/workflows/bundler-audit.yml
@@ -0,0 +1,40 @@
+name: Bundler Audit
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'Gemfile*'
+      - '.ruby-version'
+      - '.bundler-audit.yml'
+      - '.github/workflows/bundler-audit.yml'
+
+  pull_request:
+    paths:
+      - 'Gemfile*'
+      - '.ruby-version'
+      - '.bundler-audit.yml'
+      - '.github/workflows/bundler-audit.yml'
+
+  schedule:
+    - cron: '0 5 * * 1'
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v3
+
+      - name: Install native Ruby dependencies
+        run: sudo apt-get install -y libicu-dev libidn11-dev
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - name: Run bundler-audit
+        run: bundle exec bundler-audit
diff --git a/.github/workflows/lint-ruby.yml b/.github/workflows/lint-ruby.yml
@@ -8,7 +8,7 @@ on:
       - 'Gemfile*'
       - '.rubocop*.yml'
       - '.ruby-version'
-      - '.bundler-audit.yml'
+      - 'config/brakeman.ignore'
       - '**/*.rb'
       - '**/*.rake'
       - '.github/workflows/lint-ruby.yml'
@@ -18,7 +18,7 @@ on:
       - 'Gemfile*'
       - '.rubocop*.yml'
       - '.ruby-version'
-      - '.bundler-audit.yml'
+      - 'config/brakeman.ignore'
       - '**/*.rb'
       - '**/*.rake'
       - '.github/workflows/lint-ruby.yml'
@@ -46,5 +46,6 @@ jobs:
       - name: Run rubocop
         run: bundle exec rubocop
 
-      - name: Run bundler-audit
-        run: bundle exec bundler-audit
+      - name: Run brakeman
+        if: always() # Run both checks, even if the first failed
+        run: bundle exec brakeman
diff --git a/.github/workflows/rebase-needed.yml b/.github/workflows/rebase-needed.yml
@@ -1,17 +1,8 @@
 name: PR Needs Rebase
 
 on:
-  push:
-    branches-ignore:
-      - 'dependabot/**'
-      - 'renovate/**'
-      - 'l10n_main'
-  pull_request_target:
-    branches-ignore:
-      - 'dependabot/**'
-      - 'renovate/**'
-      - 'l10n_main'
-    types: [synchronize]
+  schedule:
+    - cron: '0 * * * *'
 
 permissions:
   pull-requests: write

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -143,7 +143,7 @@ All notable changes to this project will be documented in this file.
 - Add instance activity API endpoint toggle back to the admin interface ([dariusk](https://github.com/mastodon/mastodon/pull/22833))
 - Add setting for status page URL ([Gargron](https://github.com/mastodon/mastodon/pull/23390), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/23499))
   - REST API changes:
-    - Add `configuration.urls.status` attribute to the object returned by `GET /api/v1/instance`
+    - Add `configuration.urls.status` attribute to the object returned by `GET /api/v2/instance`
 - Add `account.approved` webhook ([Saiv46](https://github.com/mastodon/mastodon/pull/22938))
 - Add 12 hours option to polls ([Pleclown](https://github.com/mastodon/mastodon/pull/21131))
 - Add dropdown menu item to open admin interface for remote domains ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/21895))

diff --git a/Gemfile b/Gemfile
@@ -158,7 +158,7 @@ group :development do
   gem 'letter_opener_web', '~> 2.0'
 
   # Security analysis CLI tools
-  gem 'brakeman', '~> 5.4', require: false
+  gem 'brakeman', '~> 6.0', require: false
   gem 'bundler-audit', '~> 0.9', require: false
 
   # Linter CLI for HAML files

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -130,7 +130,7 @@ GEM
     blurhash (0.1.7)
     bootsnap (1.16.0)
       msgpack (~> 1.2)
-    brakeman (5.4.1)
+    brakeman (6.0.0)
     browser (5.3.1)
     brpoplpush-redis_script (0.1.3)
       concurrent-ruby (~> 1.0, >= 1.0.5)
@@ -765,7 +765,7 @@ DEPENDENCIES
   binding_of_caller (~> 1.0)
   blurhash (~> 0.1)
   bootsnap (~> 1.16.0)
-  brakeman (~> 5.4)
+  brakeman (~> 6.0)
   browser
   bundler-audit (~> 0.9)
   capistrano (~> 3.17)

diff --git a/app/javascript/mastodon/store/middlewares/sounds.ts b/app/javascript/mastodon/store/middlewares/sounds.ts
@@ -1,5 +1,8 @@
 import type { Middleware, AnyAction } from 'redux';
 
+import ready from 'mastodon/ready';
+import { assetHost } from 'mastodon/utils/config';
+
 import type { RootState } from '..';
 
 interface AudioSource {
@@ -35,18 +38,20 @@ export const soundsMiddleware = (): Middleware<
   Record<string, never>,
   RootState
 > => {
-  const soundCache: { [key: string]: HTMLAudioElement } = {
-    boop: createAudio([
+  const soundCache: { [key: string]: HTMLAudioElement } = {};
+
+  void ready(() => {
+    soundCache.boop = createAudio([
       {
-        src: '/sounds/boop.ogg',
+        src: `${assetHost}/sounds/boop.ogg`,
         type: 'audio/ogg',
       },
       {
-        src: '/sounds/boop.mp3',
+        src: `${assetHost}/sounds/boop.mp3`,
         type: 'audio/mpeg',
       },
-    ]),
-  };
+    ]);
+  });
 
   return () =>
     (next) =>

diff --git a/app/javascript/styles/mastodon/components.scss b/app/javascript/styles/mastodon/components.scss
@@ -9089,10 +9089,10 @@ noscript {
   width: auto;
   padding: 15px;
   margin: 0;
-  color: $primary-text-color;
+  color: $white;
   background: rgba($black, 0.85);
   backdrop-filter: blur(8px);
-  border: 1px solid rgba(lighten($ui-base-color, 4%), 0.85);
+  border: 1px solid rgba(lighten($classic-base-color, 4%), 0.85);
   border-radius: 8px;
   box-shadow: 0 10px 15px -3px rgba($base-shadow-color, 0.25),
     0 4px 6px -4px rgba($base-shadow-color, 0.25);
@@ -9120,7 +9120,7 @@ noscript {
   text-transform: uppercase;
   margin-inline-start: 10px;
   cursor: pointer;
-  color: $highlight-text-color;
+  color: $blurple-300;
   border-radius: 4px;
   padding: 0 4px;
 

diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -102,6 +102,30 @@
       ],
       "note": ""
     },
+    {
+      "warning_type": "Denial of Service",
+      "warning_code": 76,
+      "fingerprint": "7b6abba5699755348e7ee82a4694bfbf574b41c7cce2d0db0f7c11ae3f983c72",
+      "check_name": "RegexDoS",
+      "message": "Model attribute used in regular expression",
+      "file": "lib/mastodon/cli/domains.rb",
+      "line": 128,
+      "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
+      "code": "/\\.?(#{DomainBlock.where(:severity => 1).pluck(:domain).map do\n Regexp.escape(domain)\n end.join(\"|\")})$/",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Mastodon::CLI::Domains",
+        "method": "crawl"
+      },
+      "user_input": "DomainBlock.where(:severity => 1).pluck(:domain)",
+      "confidence": "Weak",
+      "cwe_id": [
+        20,
+        185
+      ],
+      "note": ""
+    },
     {
       "warning_type": "Mass Assignment",
       "warning_code": 105,
@@ -148,6 +172,29 @@
       ],
       "note": ""
     },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "b0dd0a26d24f5ede9713fe49210e9638be5f5548af9eee0b5a16fe9dbc80ffcd",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/api/v2/search_controller.rb",
+      "line": 42,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Api::V2::SearchController",
+        "method": "search_params"
+      },
+      "user_input": ":account_id",
+      "confidence": "High",
+      "cwe_id": [
+        915
+      ],
+      "note": ""
+    },
     {
       "warning_type": "Cross-Site Scripting",
       "warning_code": 4,
@@ -184,13 +231,13 @@
     {
       "warning_type": "Mass Assignment",
       "warning_code": 105,
-      "fingerprint": "f9de0ca4b04ae4b51b74d98db14dcbb6dae6809e627b58e711019cf9b4a47866",
+      "fingerprint": "d0511f0287aea4ed9511f5a744f880cb15af77a8ec88f81b7365b00b642cf427",
       "check_name": "PermitAttributes",
       "message": "Potentially dangerous key allowed for mass assignment",
       "file": "app/controllers/api/v1/reports_controller.rb",
       "line": 26,
       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
-      "code": "params.permit(:account_id, :comment, :category, :forward, :status_ids => ([]), :rule_ids => ([]))",
+      "code": "params.permit(:account_id, :comment, :category, :forward, :forward_to_domains => ([]), :status_ids => ([]), :rule_ids => ([]))",
       "render_path": null,
       "location": {
         "type": "method",
@@ -205,6 +252,6 @@
       "note": ""
     }
   ],
-  "updated": "2023-07-05 14:34:42 -0400",
-  "brakeman_version": "5.4.1"
+  "updated": "2023-07-11 16:08:58 +0200",
+  "brakeman_version": "6.0.0"
 }