Merge branch 'develop'

2024-11-24 06:04:12 -06:00 · 2024-11-24 06:04:12 -06:00 · 3d17243f85
commit 3d17243f85
parent 87dac36860 5c500cb805
10 changed files with 44 additions and 15 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,8 @@
+## 2024.11.0-yumechinokuni.8
+
+- Frontend: SSRでユーザープロフィールが表示されない問題を修正
+- Security: AP Payloadの検証を強化
+
 ## 2024.11.0-yumechinokuni.7

 - Misskey Trademark内容をWebUIから削除
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
 	"name": "misskey",
-	"version": "2024.11.0-yumechinokuni.7",
+	"version": "2024.11.0-yumechinokuni.8",
 	"codename": "nasubi",
 	"repository": {
 		"type": "git",
--- a/packages/backend/src/core/DownloadService.ts
+++ b/packages/backend/src/core/DownloadService.ts
@ -44,6 +44,14 @@ export class DownloadService {
 		const maxSize = this.config.maxFileSize;

 		const urlObj = new URL(url);
+		if (urlObj.protocol && urlObj.protocol !== 'https:') {
+			throw new Error(`Unsupported protocol: ${urlObj.protocol}, only HTTPS is supported`);
+		}
+		urlObj.protocol = 'https:';
+		if (urlObj.port && urlObj.port !== '443') {
+			throw new Error(`Unsupported port: ${urlObj.port}, only 443 is supported`);
+		}
+
 		let filename = urlObj.pathname.split('/').pop() ?? 'untitled';

 		const req = got.stream(url, {
--- a/packages/backend/src/core/HttpRequestService.ts
+++ b/packages/backend/src/core/HttpRequestService.ts
@ -171,9 +171,10 @@ export class HttpRequestService {
 	 */
 	@bindThis
 	public getAgentByUrl(url: URL, bypassProxy = false): https.Agent {
-		if (url.protocol !== 'https:') {
+		if (url.protocol && url.protocol !== 'https:') {
 			throw new Error('Invalid protocol');
 		}
+		url.protocol = 'https:';
 		if (url.port && url.port !== '443') {
 			throw new Error('Invalid port');
 		}
--- a/packages/backend/src/core/activitypub/ApResolverService.ts
+++ b/packages/backend/src/core/activitypub/ApResolverService.ts
@ -64,7 +64,7 @@ export class Resolver {
 	public async resolveCollection(value: string | IObject): Promise<ICollection | IOrderedCollection> {
 		const collection = typeof value === 'string'
 			? await this.resolve(value)
-			: value;
+			: yumeNormalizeObject(value);

 		if (isCollectionOrOrderedCollection(collection)) {
 			return collection;
@ -74,7 +74,7 @@ export class Resolver {
 	}

 	@bindThis
-	public async resolveNotNormalized(value: string | IObject): Promise<IUnsanitizedObject> {
+	private async resolveNotNormalized(value: string | IObject): Promise<IUnsanitizedObject> {
 		if (typeof value !== 'string') {
 			return value;
 		}
--- a/packages/backend/src/core/activitypub/models/ApNoteService.ts
+++ b/packages/backend/src/core/activitypub/models/ApNoteService.ts
@ -3,6 +3,7 @@
 * SPDX-License-Identifier: AGPL-3.0-only
 */

+import * as Bull from 'bullmq';
 import { forwardRef, Inject, Injectable } from '@nestjs/common';
 import { In } from 'typeorm';
 import { DI } from '@/di-symbols.js';
@ -164,7 +165,7 @@ export class ApNoteService {
 			const noteUrl = yumeAssertAcceptableURL(note.id);

 			if (noteUrl.host !== actUrl.host) {
-				throw new Error(`note url & uri host mismatch: note url: ${url}, note uri: ${note.id}`);
+				throw new Bull.UnrecoverableError(`note url & uri host mismatch: note url: ${url}, note uri: ${note.id}`);
 			}
 		}

--- a/packages/backend/src/core/activitypub/type.ts
+++ b/packages/backend/src/core/activitypub/type.ts
@ -103,26 +103,33 @@ export function yumeNormalizeRecursive<O extends IUnsanitizedObject | string | (
 		if (object.length > 64) {
 			throw new bull.UnrecoverableError('array length limit exceeded');
 		}
-		return object.flatMap(yumeNormalizeRecursive);
+		return object.flatMap((x) => yumeNormalizeRecursive(x, depth + (object.length + 3 / 4)));
 	}

-	return yumeNormalizeObject(object);
+	return yumeNormalizeObject(object, depth + 1);
 }

-export function yumeNormalizeObject(object: IUnsanitizedObject): IObject {
+export function yumeNormalizeObject(object: IUnsanitizedObject, depth = 0): IObject {
 	if (object.cc) {
-		object.cc = yumeNormalizeRecursive(object.cc);
+		object.cc = yumeNormalizeRecursive(object.cc, depth + 1);
 	}
 	if (object.id) {
 		object.id = yumeNormalizeURL(object.id);
 	}

 	if (object.url) {
-		object.url = yumeNormalizeRecursive(object.url);
+		object.url = yumeNormalizeRecursive(object.url, depth + 1);
+	}
+
+	if (object.replies) {
+		object.replies.first = object.replies.first ?
+			typeof object.replies.first === 'string' ? yumeNormalizeURL(object.replies.first) : yumeNormalizeObject(object.replies.first, depth + 1) : undefined;
+		object.replies.items = object.replies.items ? 
+			typeof object.replies.items === 'string' ? yumeNormalizeURL(object.replies.items) : yumeNormalizeRecursive(object.replies.items, depth + 1) : undefined;
 	}

 	if (object.inReplyTo) {
-		object.inReplyTo = yumeNormalizeRecursive(object.inReplyTo);
+		object.inReplyTo = yumeNormalizeRecursive(object.inReplyTo, depth + 1);
 	}

 	return object as IObject;
--- a/packages/backend/src/server/web/ClientServerService.ts
+++ b/packages/backend/src/server/web/ClientServerService.ts
@ -638,7 +638,9 @@ export class ClientServerService {
 					reply.header('X-Robots-Tag', 'noai');
 				}

-				const _user = await this.userEntityService.pack(user);
+				const _user = await this.userEntityService.pack(user, null, { 
+					schema: host ? 'UserLite' : 'UserDetailedNotMe' // リモートユーザーの場合は詳細情報を返さない
+				});

 				return await reply.view('user', {
 					user, profile, me,
@ -712,9 +714,14 @@ export class ClientServerService {
 		// Page
 		fastify.get<{ Params: { user: string; page: string; } }>('/@:user/pages/:page', async (request, reply) => {
 			const { username, host } = Acct.parse(request.params.user);
+			
+			if (host) {
+				return await renderBase(reply); // リモートユーザーのページはSSRしない
+			}
+
 			const user = await this.usersRepository.findOneBy({
 				usernameLower: username.toLowerCase(),
-				host: host ?? IsNull(),
+				host: IsNull(),
 			});

 			if (user == null) return;
--- a/packages/frontend/src/pages/user/home.vue
+++ b/packages/frontend/src/pages/user/home.vue
@ -53,7 +53,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 							<div><MkSparkle><Mfm :plain="true" :text="user.followedMessage" :author="user"/></MkSparkle></div>
 						</MkFukidashi>
 					</div>
-					<div v-if="user.roles.length > 0" class="roles">
+					<div v-if="user.roles && user.roles.length > 0" class="roles">
 						<span v-for="role in user.roles" :key="role.id" v-tooltip="role.description" class="role" :style="{ '--color': role.color }">
 							<MkA v-adaptive-bg :to="`/roles/${role.id}`">
 								<img v-if="role.iconUrl" style="height: 1.3em; vertical-align: -22%;" :src="role.iconUrl"/>
--- a/packages/misskey-js/package.json
+++ b/packages/misskey-js/package.json
@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "misskey-js",
-	"version": "2024.11.0-yumechinokuni.7",
+	"version": "2024.11.0-yumechinokuni.8",
 	"description": "Misskey SDK for JavaScript",
 	"license": "MIT",
 	"main": "./built/index.js",