Merge pull request #554 from nexryai/devel

v12.23Q4.5
nexryai · Dec 26, 2023 · 3ad3c11 · 3ad3c11
2 parents a8e75c0 + 6c3beba
commit 3ad3c11
Show file tree

Hide file tree

Showing 10 changed files with 234 additions and 204 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 12.23Q4.5
+ - Security Hotfix: 管理者用APIのアクセス権限が適切に設定されていない問題を修正
+   * Appは管理者/モデレータ権限を使えないように
+ - fix: Filter featured collection
+ - 依存関係の更新
+
 ## 12.23Q4.4
  - Backend: deep-email-validatorをdevmehq/email-validator-jsで置き換えより高精度で捨てアド判定ができるように
  - Feat: arm64のDockerコンテナを利用可能に

diff --git a/README.md b/README.md
@@ -1,34 +1,11 @@
 # Nexkey
 nexryaiによるMisskey v12フォーク
 
+### motive
+ - 中小規模のサーバーに最適化された軽量なMisskey v12のフォークを開発維持すること
+
 ### 変更点
- - ベース: Atsu1125さんのv12 LTS [repo](https://github.com/atsu1125/misskey-v12/)
- - v13のデザインの改善を取り込み（cherry-picked from [taiyme frok](https://github.com/taiyme/misskey)）
- - Firefishの実装を~~パクって~~参考にSonicによる検索と過去投稿のインデックス機能を実装
- - 脆弱性のある依存関係の更新
- - DockerコンテナをAlpineベースにしGlibcのメモリアロケータとの相性問題を緩和（要検証だけど多分かなりマシになってる）
- - v13で実装された一部機能の実装
-   * RNミュート
-   * Turnstile対応
-   * ウィジェット同期
-   * リードレプリカ対応
- - インスタンスティッカーやエントランス画面周りの改善
- - リアクションミュート実装
- - 配信モード実装
- - オンラインユーザーを常時表示
- - 検索をexploreに統合
- - インスタンスミュートの仕様を改善
-   * FFであれば適用しない、メンションには適用しないなど制限を緩和し本家より気軽に使えるようにした
-   * 完全に断交したいという需要があるなら将来的にユーザー毎のインスタンスブロックを実装する予定
- - 一部UIの修正
- - パスワードハッシュをargon2に
- - お気に入りをクリップに統合
- - ナビゲーションバーとウィジェットの設定をデバイス間で同期するように
- - onlyQueueProcessorモードとdisableQueueProcessorモード追加
- - 以下の機能を削除
-	 * NSFW自動検出（精度が低くメモリリークの原因なため）
-	 * チャンネル（連合しないため）
-	 * ギャラリー（使わん）
-	 * LTL（STLで代替可能なため）
+CHANGELOGを参照してください。
+
 ### Thanks
 Thanks to the developers and contributors of the original Misskey and the referenced fork!
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "nexkey",
-	"version": "12.23Q4.4",
+	"version": "12.23Q4.5",
 	"codename": "chirigiku",
 	"repository": {
 		"type": "git",
@@ -42,7 +42,7 @@
 	"devDependencies": {
 		"@types/gulp": "4.0.17",
 		"@types/gulp-rename": "2.0.6",
-		"@typescript-eslint/parser": "6.15.0",
+		"@typescript-eslint/parser": "6.16.0",
 		"cross-env": "7.0.3",
 		"cypress": "13.6.1",
 		"start-server-and-test": "2.0.3",

diff --git a/packages/backend/package.json b/packages/backend/package.json
@@ -16,7 +16,7 @@
 	},
 	"overrides": { "multer": { "busboy": "1.6.0" } },
 	"dependencies": {
-		"@bull-board/koa": "5.9.1",
+		"@bull-board/koa": "5.10.2",
 		"@devmehq/email-validator-js": "1.0.19",
 		"@discordapp/twemoji": "15.0.2",
 		"@elastic/elasticsearch": "8.10.0",
@@ -33,7 +33,7 @@
 		"argon2": "0.31.2",
 		"autobind-decorator": "2.4.0",
 		"autwh": "0.1.0",
-		"aws-sdk": "2.1483.0",
+		"aws-sdk": "2.1525.0",
 		"bcryptjs": "2.4.3",
 		"blurhash": "2.0.5",
 		"bull": "4.11.4",
@@ -45,7 +45,7 @@
 		"co-body": "6.1.0",
 		"color-convert": "2.0.1",
 		"content-disposition": "0.5.4",
-		"date-fns": "2.30.0",
+		"date-fns": "3.0.6",
 		"escape-regexp": "0.0.1",
 		"extract-domain": "4.1.3",
 		"feed": "4.2.2",
@@ -95,7 +95,7 @@
 		"ratelimiter": "3.4.1",
 		"re2": "1.19.2",
 		"redis-lock": "0.1.4",
-		"reflect-metadata": "0.1.13",
+		"reflect-metadata": "0.2.1",
 		"rename": "1.0.4",
 		"rndstr": "1.0.0",
 		"rss-parser": "3.13.0",
@@ -111,7 +111,7 @@
 		"tinycolor2": "1.6.0",
 		"tmp": "0.2.1",
 		"ts-loader": "9.5.1",
-		"ts-node": "10.9.1",
+		"ts-node": "10.9.2",
 		"tsc-alias": "1.8.8",
 		"tsconfig-paths": "4.2.0",
 		"twemoji-parser": "14.0.0",
@@ -140,12 +140,12 @@
 		"@types/koa-favicon": "2.1.3",
 		"@types/koa-logger": "3.1.4",
 		"@types/koa-mount": "4.0.4",
-		"@types/koa-send": "4.1.5",
+		"@types/koa-send": "4.1.6",
 		"@types/koa-views": "7.0.0",
 		"@types/koa__cors": "4.0.3",
 		"@types/koa__multer": "2.0.7",
 		"@types/koa__router": "8.0.11",
-		"@types/mocha": "10.0.3",
+		"@types/mocha": "10.0.6",
 		"@types/node": "20.8.4",
 		"@types/node-fetch": "3.0.3",
 		"@types/nodemailer": "6.4.14",
@@ -157,7 +157,7 @@
 		"@types/ratelimiter": "3.4.4",
 		"@types/redis": "4.0.11",
 		"@types/rename": "1.0.6",
-		"@types/sanitize-html": "2.9.3",
+		"@types/sanitize-html": "2.9.5",
 		"@types/sharp": "0.32.0",
 		"@types/sinonjs__fake-timers": "8.1.2",
 		"@types/speakeasy": "2.0.9",

diff --git a/packages/backend/src/server/activitypub/featured.ts b/packages/backend/src/server/activitypub/featured.ts
@@ -25,8 +25,9 @@ export default async (ctx: Router.RouterContext) => {
         order: { id: "DESC" },
     });
 
-    const pinnedNotes = await Promise.all(pinings.map(pining =>
-        Notes.findOneByOrFail({ id: pining.noteId })));
+    const pinnedNotes = (await Promise.all(pinings.map(pining =>
+        Notes.findOneByOrFail({ id: pining.noteId }))))
+        .filter(note => !note.localOnly && ["public", "home"].includes(note.visibility));
 
     const renderedNotes = await Promise.all(pinnedNotes.map(note => renderNote(note)));
 

diff --git a/packages/backend/src/server/api/call.ts b/packages/backend/src/server/api/call.ts
@@ -93,6 +93,14 @@ export default async (endpoint: string, user: CacheableLocalUser | null | undefi
         });
     }
 
+    if (token && ep.meta.requireAdmin) {
+        throw new ApiError(accessDenied, { reason: "Apps cannot use admin privileges." });
+    }
+
+    if (token && ep.meta.requireModerator) {
+        throw new ApiError(accessDenied, { reason: "Apps cannot use moderator privileges." });
+    }
+
     // Cast non JSON input
     if ((ep.meta.requireFile || ctx?.method === "GET") && ep.params.properties) {
         for (const k of Object.keys(ep.params.properties)) {

diff --git a/packages/backend/yarn.lock b/packages/backend/yarn.lock
@@ -289,33 +289,33 @@
     "@babel/helper-validator-identifier" "^7.22.5"
     to-fast-properties "^2.0.0"
 
-"@bull-board/api@5.9.1":
-  version "5.9.1"
-  resolved "https://registry.yarnpkg.com/@bull-board/api/-/api-5.9.1.tgz#c75768b50d08f6e6b16b935e12af7f774398db30"
-  integrity sha512-xZzPYNw9Dp46It4vvZv3tmFScmUu/UT/jWQxYK9cvbkJRXh15rsZrbbR+/phUqou0NxRQGiHoFSZ1y5D107dIA==
+"@bull-board/api@5.10.2":
+  version "5.10.2"
+  resolved "https://registry.yarnpkg.com/@bull-board/api/-/api-5.10.2.tgz#ae8ff6918b23897bf879a6ead3683f964374c4b3"
+  integrity sha512-Gx98cqN0cryJB35mVKjYsEnD3NxArWY3Xi2E5Wrr17QTVOzWEP4jyDQ/riiapVdnYqc9RSsxCCmdIaNdNPcXlQ==
   dependencies:
     redis-info "^3.0.8"
 
-"@bull-board/koa@5.9.1":
-  version "5.9.1"
-  resolved "https://registry.yarnpkg.com/@bull-board/koa/-/koa-5.9.1.tgz#dbff383428bdec8a77d9157f9e4098b07a614365"
-  integrity sha512-PV2b6SQYu5/QSh65+QxbNsBmCP406qXrjUIp09cG7A+/aaTpdThDju5EgXIoe9VGPPG1CZMZ4eVOR8UT5D7H5A==
+"@bull-board/koa@5.10.2":
+  version "5.10.2"
+  resolved "https://registry.yarnpkg.com/@bull-board/koa/-/koa-5.10.2.tgz#568fc5aea98b674073bba76a9d589acce9ca338a"
+  integrity sha512-fVgs2/Y5vqYQGe0Hn5AanricF6TCM9uglxzaxBSDNHHpYIJDl8aLoU6L1/x5/K2fPE16STpSyGhJf+UFEWCQ0A==
   dependencies:
-    "@bull-board/api" "5.9.1"
-    "@bull-board/ui" "5.9.1"
+    "@bull-board/api" "5.10.2"
+    "@bull-board/ui" "5.10.2"
     ejs "^3.1.7"
     koa "^2.13.1"
     koa-mount "^4.0.0"
     koa-router "^10.0.0"
     koa-static "^5.0.0"
     koa-views "^7.0.1"
 
-"@bull-board/ui@5.9.1":
-  version "5.9.1"
-  resolved "https://registry.yarnpkg.com/@bull-board/ui/-/ui-5.9.1.tgz#46b00abc551f6f04e611b698d209bfbc6ed0bad2"
-  integrity sha512-lL93KVRTpLSl73KUFBw7sXOcCrqddGBbpiMKWEbViXxObIq68yFuhRrcfR7JeTSocLF5GsnqSVdSiNCZHmdNpw==
+"@bull-board/ui@5.10.2":
+  version "5.10.2"
+  resolved "https://registry.yarnpkg.com/@bull-board/ui/-/ui-5.10.2.tgz#08dcaa5095fbf11ba6488d9ae9370cdea7aebd59"
+  integrity sha512-wU9XmrX/COISZ3+sn3VEDB1UtPt7szu4QSKTw1O0q+U1JLM4Kxfs3tH9ZAIulzMrY+CQtkJXd+dKZPuRqy4rfQ==
   dependencies:
-    "@bull-board/api" "5.9.1"
+    "@bull-board/api" "5.10.2"
 
 "@chainsafe/is-ip@^2.0.1":
   version "2.0.2"
@@ -950,10 +950,10 @@
   dependencies:
     "@types/koa" "*"
 
-"@types/koa-send@4.1.5":
-  version "4.1.5"
-  resolved "https://registry.yarnpkg.com/@types/koa-send/-/koa-send-4.1.5.tgz#c88362b07f0c12fd94ec9d61590a307be3f81a37"
-  integrity sha512-O2qnxAKr7MoAxHHUitJejMWw45b9QtgTra0pnVDl/XoNdYTdZOgwj8wSVDon0qXg/lrcYHye4LFbAaSfSWwnrg==
+"@types/koa-send@4.1.6":
+  version "4.1.6"
+  resolved "https://registry.yarnpkg.com/@types/koa-send/-/koa-send-4.1.6.tgz#15d90e95e3ccce669a15b6a3c56c3a650a167cea"
+  integrity sha512-vgnNGoOJkx7FrF0Jl6rbK1f8bBecqAchKpXtKuXzqIEdXTDO6dsSTjr+eZ5m7ltSjH4K/E7auNJEQCAd0McUPA==
   dependencies:
     "@types/koa" "*"
 
@@ -1009,10 +1009,10 @@
   resolved "https://registry.yarnpkg.com/@types/mime/-/mime-1.3.2.tgz#93e25bf9ee75fe0fd80b594bc4feb0e862111b5a"
   integrity sha512-YATxVxgRqNH6nHEIsvg6k2Boc1JHI9ZbH5iWFFv/MTkchz3b1ieGDa5T0a9RznNdI0KhVbdbWSN+KWWrQZRxTw==
 
-"@types/mocha@10.0.3":
-  version "10.0.3"
-  resolved "https://registry.yarnpkg.com/@types/mocha/-/mocha-10.0.3.tgz#4804fe9cd39da26eb62fa65c15ea77615a187812"
-  integrity sha512-RsOPImTriV/OE4A9qKjMtk2MnXiuLLbcO3nCXK+kvq4nr0iMfFgpjaX3MPLb6f7+EL1FGSelYvuJMV6REH+ZPQ==
+"@types/mocha@10.0.6":
+  version "10.0.6"
+  resolved "https://registry.yarnpkg.com/@types/mocha/-/mocha-10.0.6.tgz#818551d39113081048bdddbef96701b4e8bb9d1b"
+  integrity sha512-dJvrYWxP/UcXm36Qn36fxhUKu8A/xMRXVT2cliFF1Z7UA9liG5Psj3ezNSZw+5puH2czDXRLcXQxf8JbJt0ejg==
 
 "@types/node-fetch@3.0.3":
   version "3.0.3"
@@ -1101,10 +1101,10 @@
   resolved "https://registry.yarnpkg.com/@types/rename/-/rename-1.0.6.tgz#cdf05d05e406f498ff62f15936bee39f3f1de286"
   integrity sha512-uLznlquGwzyFMxjBGcR3mY+k/zWv+9kk3yEzsldIU5OzjRw0i6EdZ1ydVCjTEYQ4HkWGBY+bXn62lrGKS+G1iw==
 
-"@types/sanitize-html@2.9.3":
-  version "2.9.3"
-  resolved "https://registry.yarnpkg.com/@types/sanitize-html/-/sanitize-html-2.9.3.tgz#eb31abeb496838719014b094b9e647dd7937ce7d"
-  integrity sha512-1rsSdEJLV7utAG+Fms2uP+nSmmYmOhUUSSZvUz4wF2wlA0M5/A/gVgnpWZ7EKaPWsrrxWiSuNJqSBW8dh2isBA==
+"@types/sanitize-html@2.9.5":
+  version "2.9.5"
+  resolved "https://registry.yarnpkg.com/@types/sanitize-html/-/sanitize-html-2.9.5.tgz#e8b2214c8afc7bb88d62f9c3bbbc5b4ecc80a25d"
+  integrity sha512-2Sr1vd8Dw+ypsg/oDDfZ57OMSG2Befs+l2CMyCC5bVSK3CpE7lTB2aNlbbWzazgVA+Qqfuholwom6x/mWd1qmw==
   dependencies:
     htmlparser2 "^8.0.0"
 
@@ -1619,10 +1619,10 @@ available-typed-arrays@^1.0.5:
   resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz#92f95616501069d07d10edb2fc37d3e1c65123b7"
   integrity sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==
 
-aws-sdk@2.1483.0:
-  version "2.1483.0"
-  resolved "https://registry.yarnpkg.com/aws-sdk/-/aws-sdk-2.1483.0.tgz#1687731fec00b7196d5fc093a75c8eebb4f0f044"
-  integrity sha512-u1DVpvBd2UeYLXwXgY8tO/SjbdFEE6nRkQWiLaDJaBoHycHpe+DjPtGl1KaLiOIMaDZ+cnIzf3/aRSss/mCeBQ==
+aws-sdk@2.1525.0:
+  version "2.1525.0"
+  resolved "https://registry.yarnpkg.com/aws-sdk/-/aws-sdk-2.1525.0.tgz#2d55fa7bbc110c96bb2e10a30af6b0d64a7d422b"
+  integrity sha512-M6wNOrq9HliJoWgmgHeRzMHHrgK6UY20RL2tUhNqq45ETZnj1ihrqG5vSt5ywLrV9WUyI/lUQAVmCP/2PYjpQw==
   dependencies:
     buffer "4.9.2"
     events "1.1.1"
@@ -2308,7 +2308,12 @@ data-urls@^4.0.0:
     whatwg-mimetype "^3.0.0"
     whatwg-url "^12.0.0"
 
-date-fns@2.30.0, date-fns@^2.29.3:
+date-fns@3.0.6:
+  version "3.0.6"
+  resolved "https://registry.yarnpkg.com/date-fns/-/date-fns-3.0.6.tgz#fe3aeb7592d359f075ffc41cb16139828810ca83"
+  integrity sha512-W+G99rycpKMMF2/YD064b2lE7jJGUe+EjOES7Q8BIGY8sbNdbgcs9XFTZwvzc9Jx1f3k7LB7gZaZa7f8Agzljg==
+
+date-fns@^2.29.3:
   version "2.30.0"
   resolved "https://registry.yarnpkg.com/date-fns/-/date-fns-2.30.0.tgz#f367e644839ff57894ec6ac480de40cae4b0f4d0"
   integrity sha512-fnULvOpxnC5/Vg3NCiWelDsLiUc9bRwAPs/+LfTLNvetFCtCTN+yQz15C/fs4AwX1R9K5GLtLfn8QW+dWisaAw==
@@ -5817,7 +5822,12 @@ redis@*:
     "@redis/search" "1.1.3"
     "@redis/time-series" "1.0.4"
 
-reflect-metadata@0.1.13, reflect-metadata@^0.1.13:
+reflect-metadata@0.2.1:
+  version "0.2.1"
+  resolved "https://registry.yarnpkg.com/reflect-metadata/-/reflect-metadata-0.2.1.tgz#8d5513c0f5ef2b4b9c3865287f3c0940c1f67f74"
+  integrity sha512-i5lLI6iw9AU3Uu4szRNPPEkomnkjRTaVt9hy/bn5g/oSzekBSMeLZblcjP74AW0vBabqERLLIrz+gR8QYR54Tw==
+
+reflect-metadata@^0.1.13:
   version "0.1.13"
   resolved "https://registry.yarnpkg.com/reflect-metadata/-/reflect-metadata-0.1.13.tgz#67ae3ca57c972a2aa1642b10fe363fe32d49dc08"
   integrity sha512-Ts1Y/anZELhSsjMcU605fU9RE4Oi3p5ORujwbIKXfWa+0Zxs510Qrmrce5/Jowq3cHSZSJqBjypxmHarc+vEWg==
@@ -6670,10 +6680,10 @@ ts-loader@9.5.1:
     semver "^7.3.4"
     source-map "^0.7.4"
 
-ts-node@10.9.1:
-  version "10.9.1"
-  resolved "https://registry.yarnpkg.com/ts-node/-/ts-node-10.9.1.tgz#e73de9102958af9e1f0b168a6ff320e25adcff4b"
-  integrity sha512-NtVysVPkxxrwFGUUxGYhfux8k78pQB3JqYBXlLRZgdGUqTO5wU/UyHop5p70iEbGhB7q5KmiZiU0Y3KlJrScEw==
+ts-node@10.9.2:
+  version "10.9.2"
+  resolved "https://registry.yarnpkg.com/ts-node/-/ts-node-10.9.2.tgz#70f021c9e185bccdca820e26dc413805c101c71f"
+  integrity sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==
   dependencies:
     "@cspotcode/source-map-support" "^0.8.0"
     "@tsconfig/node10" "^1.0.7"

diff --git a/packages/client/package.json b/packages/client/package.json
@@ -13,8 +13,8 @@
 	"dependencies": {
 		"@discordapp/twemoji": "15.0.2",
 		"@rollup/plugin-alias": "5.1.0",
-		"@rollup/plugin-json": "6.0.1",
-		"@rollup/pluginutils": "5.0.5",
+		"@rollup/plugin-json": "6.1.0",
+		"@rollup/pluginutils": "5.1.0",
 		"@syuilo/aiscript": "0.11.1",
 		"@tabler/icons-webfont": "2.44.0",
 		"@vitejs/plugin-vue": "4.5.2",
@@ -24,13 +24,13 @@
 		"blurhash": "2.0.5",
 		"broadcast-channel": "7.0.0",
 		"browser-image-resizer": "git+https://github.com/misskey-dev/browser-image-resizer#v2.2.1-misskey.10",
-		"chart.js": "4.4.0",
+		"chart.js": "4.4.1",
 		"chartjs-adapter-date-fns": "3.0.0",
 		"chartjs-plugin-gradient": "0.6.1",
 		"chartjs-plugin-zoom": "2.0.1",
 		"compare-versions": "6.1.0",
 		"cropperjs": "2.0.0-beta.4",
-		"date-fns": "2.30.0",
+		"date-fns": "3.0.6",
 		"escape-regexp": "0.0.1",
 		"eventemitter3": "5.0.1",
 		"idb-keyval": "6.2.1",
@@ -40,7 +40,7 @@
 		"matter-js": "0.19.0",
 		"mfm-js": "0.23.3",
 		"misskey-js": "0.0.14",
-		"photoswipe": "5.4.2",
+		"photoswipe": "5.4.3",
 		"prismjs": "1.29.0",
 		"punycode": "2.3.1",
 		"querystring": "0.2.1",
@@ -52,16 +52,16 @@
 		"stringz": "2.1.0",
 		"syuilo-password-strength": "0.0.1",
 		"textarea-caret": "3.1.0",
-		"three": "0.159.0",
+		"three": "0.160.0",
 		"throttle-debounce": "5.0.0",
 		"tinycolor2": "1.6.0",
 		"tsc-alias": "1.8.8",
 		"tsconfig-paths": "4.2.0",
 		"twemoji-parser": "14.0.0",
-		"typescript": "5.3.2",
+		"typescript": "5.3.3",
 		"uuid": "9.0.1",
 		"vanilla-tilt": "1.8.1",
-		"vite": "5.0.5",
+		"vite": "5.0.10",
 		"vue": "3.3.8",
 		"vue-prism-editor": "2.0.0-alpha.2",
 		"vuedraggable": "4.1.0"
@@ -78,12 +78,12 @@
 		"@types/throttle-debounce": "5.0.2",
 		"@types/tinycolor2": "1.4.6",
 		"@types/uuid": "9.0.7",
-		"@typescript-eslint/eslint-plugin": "6.15.0",
+		"@typescript-eslint/eslint-plugin": "6.16.0",
 		"@typescript-eslint/parser": "6.13.2",
 		"cross-env": "7.0.3",
 		"cypress": "13.6.1",
 		"eslint": "8.56.0",
-		"eslint-plugin-import": "2.29.0",
+		"eslint-plugin-import": "2.29.1",
 		"eslint-plugin-vue": "9.19.2",
 		"rollup": "4.9.1",
 		"start-server-and-test": "2.0.3"