It looks like url validations are added in f7564d87b0, but I found another validation commit not applied in Calckey, so I cherry-picked 0da0cc80b9 from [Misskey](https://github.com/misskey-dev/misskey).
Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>
Co-authored-by: naskya <m@naskya.net>
Reviewed-on: https://codeberg.org/calckey/calckey/pulls/9882
Co-authored-by: naskya <naskya@noreply.codeberg.org>
Co-committed-by: naskya <naskya@noreply.codeberg.org>
Sorry to create PR multiple times. I should have included this in #9778.
Co-authored-by: naskya <m@naskya.net>
Reviewed-on: https://codeberg.org/calckey/calckey/pulls/9783
Co-authored-by: naskya <naskya@noreply.codeberg.org>
Co-committed-by: naskya <naskya@noreply.codeberg.org>
A change sometime ago moved to setting some signature fields in the incoming
object to undefined as opposed to deleting them. The trouble is that downstream
code checks against existence, not undefinedness and rejects the message.
Resolves: #9665
#9293
Not sure if this is the right approach for this
Co-authored-by: s1idewhist1e <trombonedude05@gmail.com>
Reviewed-on: https://codeberg.org/calckey/calckey/pulls/9705
Co-authored-by: s1idewhist1e <s1idewhist1e@noreply.codeberg.org>
Co-committed-by: s1idewhist1e <s1idewhist1e@noreply.codeberg.org>
This PR should kill #9531 - Safeguarding against posts that are made before 2007 (Identica being made in 2008, the 'first ever activitypub software' according to wikipedia.)
Personally, if gone unnoticed, I believe that notes from the past can be used as an attack vector to silently flood a database.
Co-authored-by: Kio-td <kio.thedev@gmail.com>
Reviewed-on: https://codeberg.org/calckey/calckey/pulls/9605
Co-authored-by: daikei <daikei@noreply.codeberg.org>
Co-committed-by: daikei <daikei@noreply.codeberg.org>
This should reduce the performance hit when adding large numbers of
instances to the deliver queue by making the check for suspended and
dead instances a bulk operation.
Changelog: Changed
Reviewed-on: https://akkoma.dev/FoundKeyGang/FoundKey/pulls/215
* add id for activitypub follows
* fix lint
* fix: follower must be local, followee must be remote
Misskey will only use ActivityPub follow requests for users that are local
and are requesting to follow a remote user. This check is to ensure that
this endpoint can not be used by other services or instances.
* fix: missing import
* render block with id
* fix comment
* refactor: parseUri types and checks
The type has been refined to better represent what it actually is. Uses of
parseUri are now also checking the parsed object type before resolving.
* cannot resolve URLs with fragments
* also take remaining part of URL into account
Needed for parsing the follows URIs.
* Resolver uses DbResolver for local
* remove unnecessary use of DbResolver
Using DbResolver would mean that the URL is parsed and handled again.
This duplicated processing can be avoided by querying the database directly.
* fix missing property name
Ensure that the _misskey_content attribute will always exist. Because
the API endpoint does not require the existence of the `text` field,
that field may be `undefined`. By using `?? null` it can be ensured
that the value is at least `null`.
Furthermore, the rendered HTML of a note with empty text will also be
the empty string. From git blame it seems that this behaviour was added
because of a Mastodon bug that might have previously existed. Hoever,
this seems to be no longer the case as I can find mastodon posts that
have empty content.
The code could be made a bit more succinct by using the null coercion
operator.
