In this case requests won't be performed from a secure context [1] and
the browser won't send the Sec-Fetch-Site header. This means non-GET
requests will be rejected because CSRF protection will fail.
With this change, we allow these requests with missing Sec-Fetch-Site
headers if:
- They happen over HTTP
- The app is not configured to force SSL
The Origin check happens in any case.
[1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
This task is unnecessary because the
`solid_queue_recurring_executions` table has a foreign key to
`solid_queue_jobs` with `on_delete: :cascade`.
This config was cargo-culted from HEY (in 44429644), which *does* need
this task to run because we've omitted the FK constraints there.
Use the more idiomatic ActiveRecord ids method instead of pluck(:id)
across controllers and models. The ids method is more readable and
explicitly conveys the intent to retrieve primary key values.
Changes:
- BoardsController#edit: Use @board.users.ids
- Board::Storage: Use cards.ids, Comment.where().ids, and ActionText::RichText.where().ids
- User::Accessor: Use account.boards.all_access.ids
This change improves code clarity while maintaining the same functionality.
* main: (63 commits)
Ignore hotkeys with modifiers
Fix 1Password account ID (was user UUID) (#2278)
Switch 1Password account to 37signals.1password.com (#2276)
Remove CSS testing comments
Max card count equals geared pagination size
Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
Only enable transitions on user interaction
Don't update counter if value hasn't changed
Add padding to upgrade message on larger screens
Add test coverage for autolinking multiple URLs
Add "noopener" to autolinks' rel attribute
Avoid string manipulation when autolinking.
Only bump z-index when nav is open
Move nav and related elements above footer
Delete Dockerfile.dev
fix: use the right gh-cli arch package (#2232)
Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
Consider user avatars always public
Implement authorization for Active Storage endpoints
...
The SSRF filter checked ipv4_mapped? but not ipv4_compat?, allowing
addresses like ::169.254.169.254 to bypass the link-local check and
reach cloud metadata endpoints.
Changes:
- Add ipv4_compat? check to block deprecated IPv4-compatible format
- Rename private_address? to blocked_address? (more accurate - method
blocks more than just RFC 1918 private ranges)
- Add IPv6 test coverage for both mapped and compat formats
Both ipv4_mapped and ipv4_compat formats are blocked entirely as
defense-in-depth: DNS never returns these formats, so they only
appear in attack scenarios.
HackerOne: #3481701
Instead, let's use a Loofah scrubber which will create DOM nodes
directly. This should be faster and is a tiny bit simpler, as well as
removing a potential HTML injection vector.
Also, add "noreferrer" to all `mailto:` links (already present on URLs).
Avatars are purposely accessible without authentication
(5e3b5b6d7c) because they can be in public
collections. Trying to restrict this by checking whether they're in fact
present in some public collection is rather expensive, so let's keep
them public.
Betas use the same application DB as production, so all these tasks
already take place there. Moreover, since betas have different Solid
Queue instances, we can't prevent simultaneous runs of the same
recurring jobs because each Solid Queue instance is isolated from the
others, so they don't know these jobs are running already, leading to
all sort of issues.