Merge branch 'develop' into system-accounts

2025-02-26 18:04:05 +09:00
parent c935e0c4ed 6199139307
commit 0cebd1b0bf
74 changed files with 2513 additions and 1456 deletions
--- a/packages/backend/test/e2e/clips.ts
+++ b/packages/backend/test/e2e/clips.ts
@@ -182,7 +182,6 @@ describe('クリップ', () => {
 		{ label: 'nameがnull', parameters: { name: null } },
 		{ label: 'nameが最大長+1', parameters: { name: 'x'.repeat(101) } },
 		{ label: 'isPublicがboolじゃない', parameters: { isPublic: 'true' } },
-		{ label: 'descriptionがゼロ長', parameters: { description: '' } },
 		{ label: 'descriptionが最大長+1', parameters: { description: 'a'.repeat(2049) } },
 	];
 	test.each(createClipDenyPattern)('の作成は$labelならできない', async ({ parameters }) => failedApiCall({
@@ -199,6 +198,23 @@ describe('クリップ', () => {
 		id: '3d81ceae-475f-4600-b2a8-2bc116157532',
 	}));

+	test('の作成はdescriptionが空文字ならnullになる', async () => {
+		const clip = await successfulApiCall({
+			endpoint: 'clips/create',
+			parameters: {
+				...defaultCreate(),
+				description: '',
+			},
+			user: alice,
+		});
+
+		assert.deepStrictEqual(clip, {
+			...clip,
+			...defaultCreate(),
+			description: null,
+		});
+	});
+
 	test('の更新ができる', async () => {
 		const res = await update({
 			clipId: (await create()).id,
@@ -249,6 +265,24 @@ describe('クリップ', () => {
 		...assertion,
 	}));

+	test('の更新はdescriptionが空文字ならnullになる', async () => {
+		const clip = await successfulApiCall({
+			endpoint: 'clips/update',
+			parameters: {
+				clipId: (await create()).id,
+				name: 'updated',
+				description: '',
+			},
+			user: alice,
+		});
+
+		assert.deepStrictEqual(clip, {
+			...clip,
+			name: 'updated',
+			description: null,
+		});
+	});
+
 	test('の削除ができる', async () => {
 		await deleteClip({
 			clipId: (await create()).id,
--- a/packages/backend/test/e2e/timelines.ts
+++ b/packages/backend/test/e2e/timelines.ts
@@ -397,7 +397,7 @@ describe('Timelines', () => {
 			assert.strictEqual(res.body.some(note => note.id === bobNote2.id), true);
 			assert.strictEqual(res.body.some(note => note.id === carolNote1.id), false);
 			assert.strictEqual(res.body.some(note => note.id === carolNote2.id), false);
-		}, 1000 * 15);
+		}, 1000 * 30);

 		test.concurrent('フォローしているユーザーのチャンネル投稿が含まれない', async () => {
 			const [alice, bob] = await Promise.all([signup(), signup()]);
--- a/packages/backend/test/unit/RelayService.ts
+++ b/packages/backend/test/unit/RelayService.ts
@@ -3,6 +3,8 @@
 * SPDX-License-Identifier: AGPL-3.0-only
 */

+import { UtilityService } from '@/core/UtilityService.js';
+
 process.env.NODE_ENV = 'test';

 import { jest } from '@jest/globals';
@@ -36,6 +38,7 @@ describe('RelayService', () => {
 				RelayService,
 				UserEntityService,
 				SystemAccountService,
+				UtilityService,
 			],
 		})
 			.useMocker((token) => {
--- a/packages/backend/test/unit/ap-request.ts
+++ b/packages/backend/test/unit/ap-request.ts
@@ -8,6 +8,8 @@ import httpSignature from '@peertube/http-signature';

 import { genRsaKeyPair } from '@/misc/gen-key-pair.js';
 import { ApRequestCreator } from '@/core/activitypub/ApRequestService.js';
+import { assertActivityMatchesUrls, FetchAllowSoftFailMask } from '@/core/activitypub/misc/check-against-url.js';
+import { IObject } from '@/core/activitypub/type.js';

 export const buildParsedSignature = (signingString: string, signature: string, algorithm: string) => {
 	return {
@@ -24,6 +26,10 @@ export const buildParsedSignature = (signingString: string, signature: string, a
 	};
 };

+function cartesianProduct<T, U>(a: T[], b: U[]): [T, U][] {
+	return a.flatMap(a => b.map(b => [a, b] as [T, U]));
+}
+
 describe('ap-request', () => {
 	test('createSignedPost with verify', async () => {
 		const keypair = await genRsaKeyPair();
@@ -58,4 +64,123 @@ describe('ap-request', () => {
 		const result = httpSignature.verifySignature(parsed, keypair.publicKey);
 		assert.deepStrictEqual(result, true);
 	});
+
+	test('rejects non matching domain', () => {
+		assert.doesNotThrow(() => assertActivityMatchesUrls(
+			'https://alice.example.com/abc',
+			{ id: 'https://alice.example.com/abc' } as IObject,
+			[
+				'https://alice.example.com/abc',
+			],
+			FetchAllowSoftFailMask.Strict,
+		), 'validation should pass base case');
+		assert.throws(() => assertActivityMatchesUrls(
+			'https://alice.example.com/abc',
+			{ id: 'https://bob.example.com/abc' } as IObject,
+			[
+				'https://alice.example.com/abc',
+			],
+			FetchAllowSoftFailMask.Any,
+		), 'validation should fail no matter what if the response URL is inconsistent with the object ID');
+		
+		// fix issues like threads
+		// https://github.com/misskey-dev/misskey/issues/15039
+		const withOrWithoutWWW = [
+			'https://alice.example.com/abc',
+			'https://www.alice.example.com/abc',
+		];
+
+		cartesianProduct(
+			cartesianProduct(
+				withOrWithoutWWW,
+				withOrWithoutWWW,
+			),
+			withOrWithoutWWW,
+		).forEach(([[a, b], c]) => {
+			assert.doesNotThrow(() => assertActivityMatchesUrls(
+				a,
+				{ id: b } as IObject,
+				[
+					c,
+				],
+				FetchAllowSoftFailMask.Strict,
+			), 'validation should pass with or without www. subdomain');
+		});
+	});
+
+	test('cross origin lookup', () => {
+		assert.doesNotThrow(() => assertActivityMatchesUrls(
+			'https://alice.example.com/abc',
+			{ id: 'https://bob.example.com/abc' } as IObject,
+			[
+				'https://bob.example.com/abc',
+			],
+			FetchAllowSoftFailMask.CrossOrigin | FetchAllowSoftFailMask.NonCanonicalId,
+		), 'validation should pass if the response is otherwise consistent and cross-origin is allowed');
+		assert.throws(() => assertActivityMatchesUrls(
+			'https://alice.example.com/abc',
+			{ id: 'https://bob.example.com/abc' } as IObject,
+			[
+				'https://bob.example.com/abc',
+			],
+			FetchAllowSoftFailMask.Strict,
+		), 'validation should fail if the response is otherwise consistent and cross-origin is not allowed');
+	});
+
+	test('rejects non-canonical ID', () => {
+		assert.throws(() => assertActivityMatchesUrls(
+			'https://alice.example.com/@alice',
+			{ id: 'https://alice.example.com/users/alice' } as IObject,
+			[
+				'https://alice.example.com/users/alice'
+			],
+			FetchAllowSoftFailMask.Strict,
+		), 'throws if the response ID did not exactly match the expected ID');
+		assert.doesNotThrow(() => assertActivityMatchesUrls(
+			'https://alice.example.com/@alice',
+			{ id: 'https://alice.example.com/users/alice' } as IObject,
+			[
+				'https://alice.example.com/users/alice',
+			],
+			FetchAllowSoftFailMask.NonCanonicalId,
+		), 'does not throw if non-canonical ID is allowed');
+	});
+
+	test('origin relaxed alignment', () => {
+		assert.doesNotThrow(() => assertActivityMatchesUrls(
+			'https://alice.example.com/abc',
+			{ id: 'https://ap.alice.example.com/abc' } as IObject,
+			[
+				'https://ap.alice.example.com/abc',
+			],
+			FetchAllowSoftFailMask.MisalignedOrigin | FetchAllowSoftFailMask.NonCanonicalId,
+		), 'validation should pass if response is a subdomain of the expected origin');
+		assert.throws(() => assertActivityMatchesUrls(
+			'https://alice.multi-tenant.example.com/abc',
+			{ id: 'https://alice.multi-tenant.example.com/abc' } as IObject,
+			[
+				'https://bob.multi-tenant.example.com/abc',
+			],
+			FetchAllowSoftFailMask.MisalignedOrigin | FetchAllowSoftFailMask.NonCanonicalId,
+		), 'validation should fail if response is a disjoint domain of the expected origin');
+		assert.throws(() => assertActivityMatchesUrls(
+			'https://alice.example.com/abc',
+			{ id: 'https://ap.alice.example.com/abc' } as IObject,
+			[
+				'https://ap.alice.example.com/abc',
+			],
+			FetchAllowSoftFailMask.Strict,
+		), 'throws if relaxed origin is forbidden');
+	});
+
+	test('resist HTTP downgrade', () => {
+		assert.throws(() => assertActivityMatchesUrls(
+			'https://alice.example.com/abc',
+			{ id: 'https://alice.example.com/abc' } as IObject,
+			[
+				'http://alice.example.com/abc',
+			],
+			FetchAllowSoftFailMask.Strict,
+		), 'throws if HTTP downgrade is detected');
+	});
 });