Commit Graph

168 Commits

Author SHA1 Message Date
Mike Dalessio b6ea558de8 Move TrackTrueClientIp middleware into saas engine (#2677)
The True-Client-IP header is set by Cloudflare and is only trustworthy
when behind a Cloudflare proxy. In non-Cloudflare deployments, this
header is attacker-controlled and can be used to spoof IP addresses.

Moving the middleware into the saas engine ensures it only loads for our
Cloudflare-fronted production deployment, not for self-hosted OSS
instances.

GHSA-cpch-9qg2-x8fq
2026-03-09 15:14:17 -04:00
Rosa Gutierrez 05819f84a2 Refactor notification push system with registry pattern
Replace NotificationPusher with a cleaner architecture:

- Add Notification::Pushable concern with push target registry
- Add Notification::Push base class with template methods
- Add Notification::Push::Web for web push (OSS)
- Add Notification::Push::Native for native push (SaaS)
- Add Notification::WebPushJob and Notification::NativePushJob

Key design:
- Registry pattern: Notification.register_push_target(:web)
- Template method: push calls should_push? then perform_push
- Subclasses override should_push? (with super) and perform_push
- Each target handles its own job enqueueing

Also:
- Add Notification#pushable? for checking push eligibility
- Add Notification#identity delegation to user
- Reorganize tests to match new class structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Tidy up saas engine a bit more
2026-02-25 19:31:13 +01:00
Stanko K.R. 6e6e4e9b5a Fix orphaned attachments when deleting the whole account 2026-02-02 14:35:01 +01:00
Stanko K.R. 58a14fb1f5 Fix load error 2026-02-02 12:49:39 +01:00
Kevin McConnell e105ca6fb5 Remove zero-padding from account slug
This shortens URLs in the self-hosted case, where external account ID is
typically a small number.
2026-01-28 11:59:42 +00:00
Kevin McConnell 23fe40fa81 Correctly initialise WebPush connection (#2417)
The `ipaddr` arg here is being interpreted as a positional arg (since
the keyword arg doesn't exist), which results in an invalid connection
object. This was causing push notifications to silently fail.

We should initialise the property on the object instead.
2026-01-22 12:03:02 -08:00
Rosa Gutierrez 235890e666 Use relative URLs for avatars and rich text attachments
These URLs can be problematic or inconsistent, as we might end up with
rich text content with beta URLs for attachments being used in
production, or viceversa. It'll also be problematic when importing or
exporting data between a self-hosted instance and the SaaS version.
2026-01-14 11:01:42 +01:00
Jeremy Daer 006e61ea58 Allow ActionText embed reuse and safe purge (#2346) 2026-01-12 10:30:18 -08:00
Rosa Gutierrez 196d685f8d Implement authorization for Active Storage endpoints
Consider blobs attached to any public records accessible to anyone with
the URL.
2025-12-25 21:22:36 +01:00
Rosa Gutierrez 3fcf5a9d08 Require authorization for direct uploads
Respond with 403 to JSON requests that are unauthorized, instead of
redirecting.
2025-12-23 11:08:51 +01:00
Jeremy Daer bd6c1cf34f Storage: harden reconcile for concurrent writes and fix board transfer (#2096)
* Storage: harden reconcile for concurrent writes and fix board transfer

Reconcile now uses two-cursor approach: captures cursor before and after
the storage scan, aborting if they differ (entries added during scan).
Job retries 3x with 1-minute waits and limits concurrency to 1 per owner.

Board transfer now correctly moves storage for card description embeds
and comment embeds, not just direct attachments. Uses batched queries
to handle cards with thousands of comments efficiently.

Also fixes N+1 queries in attachment grouping via lookup maps.

* Storage: fix per-attachment reconcile and enforce no blob reuse

The storage ledger tracks per-attachment (not per-blob) as a business
abstraction for quotas. This fixes reconcile to match that model and
adds enforcement to prevent blob reuse in tracked contexts.

* Reconcile now uses joins(:blob).sum() for per-attachment counting
* New validation prevents reusing blobs across tracked attachments
* Race-safe storage_total creation with create_or_find_by
* Job efficiency: skip find_by when object already available
* Backfill script checks per-attachment, not just per-blob
2025-12-19 13:07:32 -08:00
Mike Dalessio b04dee31d0 Raise a clear exception if libvips is not installed 2025-12-19 09:22:55 -05:00
Mike Dalessio e9cb2956ee Lightbox uses Stimulus target callbacks instead of data-action
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.

Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.
2025-12-13 17:06:03 -05:00
Mike Dalessio db4c8c1138 Introduce Vips configuration 2025-12-13 12:41:37 -05:00
Javier Valencia 8f68e13707 Fix indentation in multi_db.rb initializer (#2082) 2025-12-11 20:37:28 -08:00
Thiago Youssef 36419c3600 Bump rails version to remove svg renderer patch (#2081) 2025-12-11 15:15:54 +01:00
Kevin McConnell 193a28f6c8 Merge pull request #2035 from harisadam/single_tenant
Add env-configurable option to disable public signups
2025-12-11 13:08:19 +00:00
Kevin McConnell 06bfe2c982 Scope the config option
Also use a `configure` block to set it up.
2025-12-11 11:28:32 +00:00
Kevin McConnell 0e443d3602 Use initializer to configure tenant mode 2025-12-11 11:20:43 +00:00
Stanko K.R. 5ee10800a2 Allow direct uploads via API 2025-12-11 11:52:38 +01:00
Jeremy Daer 22da6dc19d CSP: full config with env vars per source (#2069)
* Configure all sources with CSP_* vars. Space separated source list.
* Fall back to `config.x.content_security_policy.*`
* Move our sources to fizzy-saas

References https://github.com/basecamp/fizzy-saas/pull/24
2025-12-10 17:21:09 -08:00
Jeremy Daer 761d0b4a76 Speedy, auditable, deadlock-resistant storage tracking (#2026)
An append-only storage ledger replaces deadlock-prone synchronous
counter updates and drift-prone async updates.

All content storage (card images, card/comment/board description embeds)
is tracked. Account exports (which expire) and avatars are not tracked.

Storage is accounted for by Account and Board. Both consume the same
event stream independently: no bubble-up storage bumps triggering
deadlocks due to lock sequencing. Each calculates its own total from
the underlying ledger with independent cursors and materialization.

* Storage::Entry: Append-only ledger recording attach/detach/transfer
  events with delta bytes. Single event stream indexed for both
  Account and Board cursor queries.

* Storage::Total: Polymorphic snapshot cache with cursor (last_entry_id)
  tracking which entries have been materialized.

* Storage::Totaled concern: Provides bytes_used (fast snapshot) and
  bytes_used_exact (snapshot + pending) query modes, plus
  materialize_storage! to roll up pending entries.

* Storage::Tracked concern: For models owning attachments (Card,
  Comment, Board). Provides board_for_storage_tracking for models
  where board is determined differently (Board returns self).
  Handles board transfers by recording transfer_out/transfer_in entries.

* Storage::AttachmentTracking: Hooks ActiveStorage::Attachment lifecycle
  to record attach/detach entries. Handles ActionText::RichText embeds
  by traversing to the actual model. Snapshots context in before_destroy
  to handle cascading deletes where parent record may be gone by
  after_destroy_commit.

* MaterializeJob: Rolls up pending entries into snapshot. Concurrency
  limited per owner to prevent duplicate work.

* ReconcileJob: On-demand reconciliation against actual attachment
  storage for support/debugging. Compares ledger total to real bytes
  from card images, card embeds, comment embeds, and board embeds.

Usage:
* account.bytes_used / board.bytes_used: fast, slightly stale bytesize
* account.bytes_used_exact / board.bytes_used_exact: real-time bytesize
* Storage::Entry: audit trail for debugging and point-in-time queries
2025-12-10 16:04:30 -08:00
Jeremy Daer 8eb01da057 Process blob variants using local files
Rails does post-upload variant processing using the same file upload
in https://github.com/rails/rails/pull/56327

Unrelated Lexxy bump:
Pulls in https://github.com/basecamp/lexxy/pull/493 to work around `dom_id`
removal from ActionText tag in https://github.com/rails/rails/pull/51238
2025-12-08 23:41:15 -08:00
Jeremy Daer 49c4f2adc6 Fix ActiveStorage FileNotFoundError with immediate variant processing (#2022)
When ActiveStorage::Record uses `connects_to` for read replica support,
it creates a separate connection pool from ApplicationRecord. This causes
`after_commit` callbacks to fire in non-deterministic order - the
Attachment's `create_variants` callback can fire before the User model's
upload callback completes, resulting in FileNotFoundError.

The fix removes replica connection configuration from ActiveStorage::Record
so it shares the same connection pool as application models, ensuring
proper callback ordering.

Also reverts test workarounds that were added to work around this issue,
since the root cause is now fixed.

See: https://github.com/rails/rails/issues/53694
2025-12-08 14:44:49 -08:00
Jorge Manrubia cb0e9b9962 Immediate avatar and embed variants (#2002)
Reverts #2001
Restores #1955
2025-12-08 14:17:06 -08:00
Jeremy Daer dcc005be34 Add lazy error context for Rails error reporter (#2014)
Register a middleware with Rails.error that adds identity_id and
account_id from Current attributes. Only evaluated when an error
is actually reported, avoiding the cost on successful requests.
2025-12-08 11:00:40 -08:00
Jeremy Daer b88182c3ad Autotuner: use structured logging instead of Sentry (#2011)
Move thousands of info-level Sentry events to logs. Query Loki rather
than downsampling events: `event.action = "run.ruby-script",
script.name = "autotuner"`
2025-12-08 10:01:28 -08:00
Jorge Manrubia c8c91259c7 Revert "Immediate avatar and embed variants" 2025-12-07 12:06:03 +01:00
Jorge Manrubia 568783efd1 Merge pull request #1905 from basecamp/web-push-ssrf
Security: Web Push SSRF
2025-12-07 11:58:14 +01:00
Jorge Manrubia 91017c9208 Merge pull request #1955 from basecamp/immediate-variants
Immediate avatar and embed variants
2025-12-07 11:50:02 +01:00
Stanko K.R. 73c2b00211 Rever to using Ssrf instead of SSRF
Ref: https://github.com/basecamp/fizzy/pull/1967#discussion_r2593750027
2025-12-06 11:04:55 +01:00
Jeremy Daer af14feb8fc CSP gives env config precedence (#1976)
Bit clearer, and simpler config wrangling: presence of ENV → use it.
2025-12-05 20:49:41 -08:00
Jeremy Daer ab5964a375 Tune CSP: allow required external sources and user tools (#1977)
External sources:
- challenges.cloudflare.com for Turnstile (script-src, frame-src)
- storage.basecamp.com for Active Storage (connect-src)

User tools: loosen style/img/font/media/worker-src to avoid fighting
accessibility extensions, privacy tools, and custom fonts.
2025-12-05 20:45:48 -08:00
Jeremy Daer 345f457513 Tune CSP for user extensions and close implicit-allow gaps (#1974)
Loosen font-src and add media-src to allow browser extensions like
accessibility fonts (OpenDyslexic) and user style managers to work
without CSP violations.

Add default-src and connect-src directives to close security gaps where
unspecified directives were implicitly allowing all sources.
2025-12-05 16:57:03 -08:00
Jeremy Daer 6006491ab4 Content Security Policy (#1964)
Default to a very narrow policy since there are no CDNs or third-party
resources to contend with.

Configurable via:
- config.x.content_security_policy.* for fizzy-saas gem overrides
- DISABLE_CSP to skip entirely
- CSP_REPORT_ONLY to enable report-only mode
- CSP_REPORT_URI for violation reporting
2025-12-05 14:57:50 -08:00
Stanko K.R. cd3751f4c1 Fix Resolv::DNS always returning no results 2025-12-05 20:09:39 +01:00
Jeremy Daer 21f3f72647 Immediate avatar and embed variants
Process variants synchronously on attachment to close the window between
image upload and variant availability, guaranteeing that we won't have
lazy variant processing attempts in GET requests.

Tradeoff is that we do variant processing in upload requests, which is
actually desirable. We're working with images that should take
milliseconds to resize given that we'll already have the file on hand.

References https://github.com/rails/rails/pull/51951
2025-12-04 23:54:37 -08:00
Jeremy Daer 496851b255 Security: Web Push SSRF and IP range bypass
Add SSRF protection for web push endpoints:
- Resolve endpoint IP once and pin it for connection
- Validate endpoints resolve to public IPs
- Whitelist permitted push service hosts

Add missing IP ranges to SsrfProtection:
- 100.64.0.0/10 (Carrier-grade NAT, RFC6598)
- 198.18.0.0/15 (Benchmark testing, RFC2544)

Note: link-local (169.254.0.0/16) is already covered by ip.link_local?
2025-12-04 21:35:55 -08:00
Donal McBreen 13db384648 Auto default for UUID primary keys
Patch load_schmema! to set the default value for UUID primary keys. This
removes the need to patch ApplicationRecord + Rails models individually.

It also means we no longer need to patch the default in for the integer
primary key in Search::Record::SQLite.
2025-12-03 14:27:52 +00:00
David Heinemeier Hansson 28371e10c8 Turn off the help notice 2025-12-01 16:25:23 +01:00
Jorge Manrubia 3480e2d6db Handle size in binary columns
In the cable schema we use:

```
    t.binary "payload", size: :long, null: false
```

This will fail when resetting the db otherwise with an error due to the unexpected size property.
2025-12-01 13:32:54 +01:00
Jorge Manrubia 6ccf655597 Move yabeda/prometheus stuff to the gem 2025-11-28 15:53:58 +01:00
Jorge Manrubia 3b0ddf4cfb Move sentry to engine 2025-11-28 15:53:58 +01:00
Jorge Manrubia 96caeacb03 Move to ENV (kamal secrets) 2025-11-28 15:53:58 +01:00
Jorge Manrubia 1083f715a8 This was moved to the gem already by Mike 2025-11-28 15:53:58 +01:00
Jorge Manrubia af42ce43d4 Remove vapid keys in development 2025-11-28 15:53:58 +01:00
Jorge Manrubia 8baf5b8abd Make mission control only accessible for staff members 2025-11-28 15:53:58 +01:00
Jorge Manrubia e1e9a01720 Make open source the default, and check for sass instead 2025-11-28 15:53:48 +01:00
Donal McBreen c4498212dc Merge branch 'main' into sqlite
* main: (116 commits)
  Ensure avatar thumbnails are square
  Update useragent to recognize twitterbot/facebot
  Add defensive styles for non-square avatar images
  Update test for copy changes
  Missed commit
  AI: standardize on https://agents.md
  Make it clear this is just notifications, not comprehensive activity
  AI: configure MCP servers for Chrome, Grafana, and Sentry (#1727)
  Allow requests from Google Image Proxy
  Update to basecamp's useragent fork
  Clean up a little bit the CSRF reporting code
  Claude: production observability guidance (#1725)
  Prevent autoscroll to the root columns container to prevent jump on page load
  Include full name string so you can type your name to filter
  Prioritize current user and assigned users in assignment dropdown
  Check and report on Sec-Fetch-Site header for forgery protection
  bundle update
  Bump bootsnap from 1.18.6 to 1.19.0
  Bump rails from `077c3ad` to `17f6e00`
  Fix cards getting stuck in edit mode
  ...
2025-11-26 10:07:41 +00:00
Donal McBreen b839340cf2 Tidy up modules and on_load points 2025-11-26 10:02:32 +00:00