From bf62fbe644aafa6a9293cdebb2923cb82175694c Mon Sep 17 00:00:00 2001
From: Piotr Juszczyk <74842304+pijuszczyk@users.noreply.github.com>
Date: Tue, 4 Jul 2023 12:14:37 +0200
Subject: [PATCH 1/5] Remove not needed anymore http-signature-normalization-actix dependency (#3458)
---
 Cargo.lock | 34 ++--------------------------------
 crates/apub/Cargo.toml | 1 -
 crates/apub/src/http/routes.rs | 3 ---
 3 files changed, 2 insertions(+), 36 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 0e6dc9161..81a6ffb6b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -31,7 +31,7 @@ dependencies = [ "enum_delegate", "futures-core", "http", - "http-signature-normalization 0.7.0", + "http-signature-normalization", "http-signature-normalization-reqwest", "httpdate", "itertools",
@@ -2219,15 +2219,6 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0bfe8eed0a9285ef776bb792479ea3834e8b94e13d615c2f66d03dd50a435a29" -[[package]] -name = "http-signature-normalization" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8f45adbef81d7ea3bd7e9bcc6734b7245dad05a14abdcc7ddc0988791d63515" -dependencies = [ - "httpdate", -] - [[package]] name = "http-signature-normalization" version = "0.7.0"
@@ -2237,26 +2228,6 @@ dependencies = [ "httpdate", ] -[[package]] -name = "http-signature-normalization-actix" -version = "0.6.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7483d0ee4d093fa4bfe5956cd405492c07808a5064a29cfe3960d474f21f39c2" -dependencies = [ - "actix-http", - "actix-rt", - "actix-web", - "base64 0.13.1", - "futures-util", - "http-signature-normalization 0.6.0", - "sha2", - "thiserror", - "tokio", - "tracing", - "tracing-error", - "tracing-futures", -] - [[package]] name = "http-signature-normalization-reqwest" version = "0.8.0"
@@ -2264,7 +2235,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3c382c69a07b21accae86298d520579403af6479b1cd1c389e3ee11f01d48627" dependencies = [ "base64 0.13.1", - "http-signature-normalization 0.7.0", + "http-signature-normalization", "httpdate", "reqwest", "reqwest-middleware",
@@ -2661,7 +2632,6 @@ dependencies = [ "futures", "html2md", "http", - "http-signature-normalization-actix", "itertools", "lemmy_api_common", "lemmy_db_schema",
diff --git a/crates/apub/Cargo.toml b/crates/apub/Cargo.toml
index 8570541f7..fe94cdc7f 100644
--- a/crates/apub/Cargo.toml
+++ b/crates/apub/Cargo.toml
@@ -40,7 +40,6 @@ reqwest = { workspace = true }
 once_cell = { workspace = true }
 html2md = "0.2.14"
 serde_with = { workspace = true }
-http-signature-normalization-actix = { version = "0.6.2", default-features = false, features = ["server", "sha-2"] }
 enum_delegate = "0.2.0"
 [dev-dependencies]
diff --git a/crates/apub/src/http/routes.rs b/crates/apub/src/http/routes.rs
index 4d4941f53..0012fccf2 100644
--- a/crates/apub/src/http/routes.rs
+++ b/crates/apub/src/http/routes.rs
@@ -19,8 +19,6 @@ use actix_web::{
 http::{header, Method},
 web,
 };
-use http_signature_normalization_actix::digest::middleware::VerifyDigest;
-use sha2::{Digest, Sha256};
 pub fn config(cfg: &mut web::ServiceConfig) {
 cfg
@@ -57,7 +55,6 @@ pub fn config(cfg: &mut web::ServiceConfig) {
 cfg.service(
 web::scope("")
- .wrap(VerifyDigest::new(Sha256::new()))
 .guard(InboxRequestGuard)
 .route("/c/{community_name}/inbox", web::post().to(community_inbox))
 .route("/u/{user_name}/inbox", web::post().to(person_inbox))
From 8bcf2ea7c9c55e8e073917e3050f85e4bf913605 Mon Sep 17 00:00:00 2001
From: Dessalines
Date: Tue, 4 Jul 2023 06:15:27 -0400
Subject: [PATCH 2/5] Fixing clippy. (#3471)
---
 crates/db_schema/src/utils.rs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/crates/db_schema/src/utils.rs b/crates/db_schema/src/utils.rs
index 44230d10a..1dc2f9afa 100644
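Review bot: With `.wrap(VerifyDigest::new(Sha256::new()))` removed from the `web::scope("")` inbox scope in `config`, nothing visible in routes.rs compares the request body with its `Digest` header any more, so that check now has to happen inside the handlers. The commit title says the dependency is no longer needed, which presumably means `community_inbox`, `person_inbox` and the other inbox routes verify the digest together with the HTTP signature elsewhere; that code is not part of this patch and should be confirmed, because a signature that covers only headers does not authenticate the body. I would leave a comment at the scope, `// Body digest and HTTP signature are verified inside each inbox handler; every route added to this scope must do the same.`, and add a test that posts an inbox request whose body does not match its Digest header and expects it to be rejected. The route list continues outside the hunk.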
--- a/crates/db_schema/src/utils.rs
+++ b/crates/db_schema/src/utils.rs
@@ -346,10 +346,7 @@ mod tests {
 diesel_option_overwrite_to_url(&Some(String::new())),
 Ok(Some(None))
 ));
- assert!(matches!(
- diesel_option_overwrite_to_url(&Some("invalid_url".to_string())),
- Err(_)
- ));
+ assert!(diesel_option_overwrite_to_url(&Some("invalid_url".to_string())).is_err());
 let example_url = "https://example.com";
 assert!(matches!(
 diesel_option_overwrite_to_url(&Some(example_url.to_string())),
From cdc5b478860607193942d28ba825f9bf00e05e0b Mon Sep 17 00:00:00 2001
From: Josephos
Date: Tue, 4 Jul 2023 12:41:58 +0200
Subject: [PATCH 3/5] Improved validation of display names (Fixes #3436) (#3437)
* Fixed validation of display names Fixed validation of display names: reject names beginning with invisible unicode characters. * Formatting Formatting fix. * Expanded list of forbidden Unicode characters. Validation now checks for disallowed characters anywhere in the name. * Formatting * Added a comment detailing source of the list of invisible chars.
---
 crates/utils/src/utils/validation.rs | 60 +++++++++++++++++++++++++++-
 1 file changed, 58 insertions(+), 2 deletions(-)
diff --git a/crates/utils/src/utils/validation.rs b/crates/utils/src/utils/validation.rs
index 347d791a8..e43ddbbb5 100644
--- a/crates/utils/src/utils/validation.rs
+++ b/crates/utils/src/utils/validation.rs
@@ -24,6 +24,62 @@ const BIO_MAX_LENGTH: usize = 300;
 const SITE_NAME_MAX_LENGTH: usize = 20;
 const SITE_NAME_MIN_LENGTH: usize = 1;
 const SITE_DESCRIPTION_MAX_LENGTH: usize = 150;
+//Invisible unicode characters, taken from https://invisible-characters.com/
+const FORBIDDEN_DISPLAY_CHARS: [char; 53] = [
+ '\u{0009}',
+ '\u{00a0}',
+ '\u{00ad}',
+ '\u{034f}',
+ '\u{061c}',
+ '\u{115f}',
+ '\u{1160}',
+ '\u{17b4}',
+ '\u{17b5}',
+ '\u{180e}',
+ '\u{2000}',
+ '\u{2001}',
+ '\u{2002}',
+ '\u{2003}',
+ '\u{2004}',
+ '\u{2005}',
+ '\u{2006}',
+ '\u{2007}',
+ '\u{2008}',
+ '\u{2009}',
+ '\u{200a}',
+ '\u{200b}',
+ '\u{200c}',
+ '\u{200d}',
+ '\u{200e}',
+ '\u{200f}',
+ '\u{202f}',
+ '\u{205f}',
+ '\u{2060}',
+ '\u{2061}',
+ '\u{2062}',
+ '\u{2063}',
+ '\u{2064}',
+ '\u{206a}',
+ '\u{206b}',
+ '\u{206c}',
+ '\u{206d}',
+ '\u{206e}',
+ '\u{206f}',
+ '\u{3000}',
+ '\u{2800}',
+ '\u{3164}',
+ '\u{feff}',
+ '\u{ffa0}',
+ '\u{1d159}',
+ '\u{1d173}',
+ '\u{1d174}',
+ '\u{1d175}',
+ '\u{1d176}',
+ '\u{1d177}',
+ '\u{1d178}',
+ '\u{1d179}',
+ '\u{1d17a}',
+];
 fn has_newline(name: &str) -> bool {
 name.contains('\n')
@@ -42,8 +98,8 @@ pub fn is_valid_actor_name(name: &str, actor_name_max_length: usize) -> LemmyRes
 // Can't do a regex here, reverse lookarounds not supported
 pub fn is_valid_display_name(name: &str, actor_name_max_length: usize) -> LemmyResult<()> {
- let check = !name.starts_with('@')
- && !name.starts_with('\u{200b}')
+ let check = !name.contains(FORBIDDEN_DISPLAY_CHARS)
+ && !name.starts_with('@')
 && name.chars().count() >= 3
 && name.chars().count() <= actor_name_max_length
 && !has_newline(name);
From 85dab149a93cd93dc5363fe5b8d51942385625b3 Mon Sep 17 00:00:00 2001
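Review bot: `FORBIDDEN_DISPLAY_CHARS` includes U+200E, U+200F and U+061C but not the remaining bidirectional formatting controls, U+202A to U+202E and U+2066 to U+2069, so a display name can still contain characters that draw nothing and change the order in which the name is rendered. I would append those nine code points and raise the array length to 62, as below. U+2028 and U+2029 are also missing, and `has_newline`, as far as the hunk shows it, only looks for `'\n'`. The `//Invisible unicode characters` comment could add that the list is a hand-copied snapshot of that page and needs to be revisited when it changes.

```rust
const FORBIDDEN_DISPLAY_CHARS: [char; 62] = [
  // … unchanged: the 53 entries already in the list …
  '\u{202a}',
  '\u{202b}',
  '\u{202c}',
  '\u{202d}',
  '\u{202e}',
  '\u{2066}',
  '\u{2067}',
  '\u{2068}',
  '\u{2069}',
];
```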
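Review bot: No test accompanies the new `!name.contains(FORBIDDEN_DISPLAY_CHARS)` condition: the diffstat's 58 insertions are the 56 lines of the list plus the two `+` lines here. Because the check moved from "starts with U+200B" to "contains any listed character", I would pin both positions, e.g. `assert!(is_valid_display_name("\u{200b}abc", 20).is_err());` and `assert!(is_valid_display_name("ab\u{3164}c", 20).is_err());`, next to whatever display-name tests the file already has. A positive case with an ordinary space in the name would also document that U+0020 is deliberately not in the list. The body of `is_valid_display_name` continues outside the hunk.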
From: Louis GERARD
Date: Tue, 4 Jul 2023 13:04:38 +0200
Subject: [PATCH 4/5] fix(posts/comments/search): return error on invalid community name (#3418)
---
 crates/apub/src/api/list_comments.rs | 4 +---
 crates/apub/src/api/list_posts.rs | 4 +---
 crates/apub/src/api/search.rs | 9 +++++----
 3 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/crates/apub/src/api/list_comments.rs b/crates/apub/src/api/list_comments.rs
index 487aefa9e..edb70dbaa 100644
--- a/crates/apub/src/api/list_comments.rs
+++ b/crates/apub/src/api/list_comments.rs
@@ -27,9 +27,7 @@ pub async fn list_comments(
 check_private_instance(&local_user_view, &local_site)?;
 let community_id = if let Some(name) = &data.community_name {
- resolve_actor_identifier::(name, &context, &None, true)
- .await
- .ok()
+ Some(resolve_actor_identifier::(name, &context, &None, true).await?)
 .map(|c| c.id)
 } else {
 data.community_id
diff --git a/crates/apub/src/api/list_posts.rs b/crates/apub/src/api/list_posts.rs
index bde373f65..ff7ac1089 100644
--- a/crates/apub/src/api/list_posts.rs
+++ b/crates/apub/src/api/list_posts.rs
@@ -29,9 +29,7 @@ pub async fn list_posts(
 let page = data.page;
 let limit = data.limit;
 let community_id = if let Some(name) = &data.community_name {
- resolve_actor_identifier::(name, &context, &None, true)
- .await
- .ok()
+ Some(resolve_actor_identifier::(name, &context, &None, true).await?)
 .map(|c| c.id)
 } else {
 data.community_id
diff --git a/crates/apub/src/api/search.rs b/crates/apub/src/api/search.rs
index 777a7013b..0f9a6b37f 100644
--- a/crates/apub/src/api/search.rs
+++ b/crates/apub/src/api/search.rs
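Review bot: In list_comments.rs the new line wraps the resolved community in `Some(...)` only so that the following `.map(|c| c.id)` can unwrap it again; ending the call with `.await?.id` inside the `Some(...)` and dropping the `.map(|c| c.id)` line says the same thing directly, and the hunks in list_posts.rs and search.rs have the same shape. Now that a failed lookup is returned to the caller instead of being discarded by `.ok()`, it is worth checking which error `resolve_actor_identifier` produces, so the API response reports an unknown community without passing database or remote-fetch error text through to the client. search.rs passes `&local_user_view` where the other two pass `&None`; if that allows the lookup to contact a remote instance, a comment there should say that an unreachable remote now fails the whole search. All three functions continue outside their hunks.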
@@ -41,10 +41,11 @@ pub async fn search(
 let listing_type = data.listing_type;
 let search_type = data.type_.unwrap_or(SearchType::All);
 let community_id = if let Some(name) = &data.community_name {
- resolve_actor_identifier::(name, &context, &local_user_view, false)
- .await
- .ok()
- .map(|c| c.id)
+ Some(
+ resolve_actor_identifier::(name, &context, &local_user_view, false)
+ .await?,
+ )
+ .map(|c| c.id)
 } else {
 data.community_id
 };
From ff47d97bd34d303dc8dd687bca29f5d9755a59af Mon Sep 17 00:00:00 2001
From: "Lemmus.org" <137361180+lemmus-org@users.noreply.github.com>
Date: Tue, 4 Jul 2023 04:11:47 -0700
Subject: [PATCH 5/5] Add feature for enabling json logging (#3462)
---
 Cargo.toml | 1 +
 src/lib.rs | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/Cargo.toml b/Cargo.toml
index f73b6b531..311f5d7df 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -27,6 +27,7 @@ lto = "thin"
 [features]
 embed-pictrs = ["pict-rs"]
 console = ["console-subscriber", "opentelemetry", "opentelemetry-otlp", "tracing-opentelemetry", "reqwest-tracing/opentelemetry_0_16"]
+json-log = ["tracing-subscriber/json"]
 default = []
 [workspace]
diff --git a/src/lib.rs b/src/lib.rs
index cc77ca48f..f84842fe0 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -185,7 +185,14 @@ pub fn init_logging(opentelemetry_url: &Option) -> Result<(), LemmyError> {
 .trim_matches('"')
 .parse::()?;
- let format_layer = tracing_subscriber::fmt::layer().with_filter(targets.clone());
+ let format_layer = {
+ #[cfg(feature = "json-log")]
+ let layer = tracing_subscriber::fmt::layer().json();
+ #[cfg(not(feature = "json-log"))]
+ let layer = tracing_subscriber::fmt::layer();
+
+ layer.with_filter(targets.clone())
+ };
 let subscriber = Registry::default()
 .with(format_layer)
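Review bot: Neither the new `format_layer` block in src/lib.rs nor the `json-log` entry in Cargo.toml says what the feature changes for an operator, and the two `let layer` lines under opposite `#[cfg]` attributes read like shadowing at first glance. A comment above the block would settle it, e.g. `// Exactly one 'layer' binding is compiled: JSON records with the json-log feature, the default text format otherwise.`, together with a line above the feature such as `# json-log: write log records as JSON instead of the default text format`. `init_logging` starts and ends outside the hunk.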