Commit Graph

44928 Commits

Author SHA1 Message Date
Jarek Radosz
1503ec07c5
Version bump to v2.8.9 (#18430) 2022-09-29 21:00:32 +02:00
Jarek Radosz
65017fe920
SECURITY: moderator shouldn't be able to import a theme via API (stable) (#18420)
* SECURITY: moderator shouldn't be able to import a theme via API.
* DEV: apply `AdminConstraint` for all the "themes" routes.

Co-authored-by: Vinoth Kannan <svkn.87@gmail.com>
2022-09-29 20:13:34 +02:00
Jarek Radosz
4302097b3b
SECURITY: Prevent arbitrary file write when decompressing files (stable) (#18423)
* SECURITY: Prevent arbitrary file write when decompressing files
* FIX: Allow decompressing files into symlinked directories

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Gerhard Schlager <gerhard.schlager@discourse.org>
2022-09-29 20:07:58 +02:00
Martin Brennan
a896a69c50
SECURITY: Limit user profile field length (#18304)
Adds limits to location and website fields at model and DB level to
match the bio_raw field limits. A limit cannot be added at the DB level
for bio_raw because it is a postgres text field.

The migration here uses version `6.1` instead of `7.0` since `stable`
is not on that version of rails yet, otherwise this is the same as `beta`
apart from also removing the new tests which caused too many conflicts.

Co-authored-by: Alan Guo Xiang Tan gxtan1990@gmail.com
2022-09-21 13:49:25 +10:00
Loïc Guitaut
13517cde7e Version bump to 2.8.8 2022-08-10 15:05:39 +02:00
Krzysztof Kotlarek
4fcffd3fae SECURITY: Limit email invitations to topic 2022-08-10 11:47:14 +02:00
Roman Rizzi
7b8f74439e
Version bump to v2.8.7 (#17700) 2022-07-27 17:28:39 -03:00
Roman Rizzi
af1cb735db
SECURITY: Prevent abuse of the update_activation_email route (stable) 2022-07-27 23:09:09 +03:00
Roman Rizzi
7af25544c3
SECURITY: Do not cache error responses for static assets (stable) 2022-07-27 22:58:38 +03:00
David Taylor
f0ef186a4e
FIX: Allow Symbol objects to be deserialized in PostRevision (stable) (#17512)
Followup to bb287c6c74
2022-07-15 13:16:20 +01:00
David Taylor
5d2ecce3f6
FIX: Allow Time objects to be deserialized in PostRevision (stable) (#17502)
Followup to bb287c6c74
2022-07-15 00:17:53 +01:00
David Taylor
c75ec7335d
Version bump to v2.8.6 (#17472) 2022-07-13 12:40:16 +01:00
David Taylor
bb287c6c74
SECURITY: Bump Rails to 6.1.6.1 (stable) (#17470)
https://discuss.rubyonrails.org/t/81017
2022-07-13 11:19:55 +01:00
Gerhard Schlager
3d1bbf7446 FIX: Logout could fail due to cached user
Logging out failed when the current user was cached by an instance of `Auth::DefaultCurrentUserProvider` and `#log_off_user` was called on a different instance of that class.

Co-authored-by: Sam <sam.saffron@gmail.com>
2022-07-04 17:01:45 +02:00
Gerhard Schlager
61ed83ecfc FIX: Incorrect currentUser could be cached for requests with API key (#17279)
This happened when a middleware accessed the `currentUser` before a controller had a chance to populate the `action_dispatch.request.path_parameters` env variable. In that case Discourse would always cache `nil` as `currentUser`.
2022-07-04 17:01:45 +02:00
Penar Musaraj
61cf791929
Version bump to v2.8.5 (#17187) 2022-06-21 15:05:00 -04:00
Daniel Waterworth
7616e9b540
SECURITY: Validate email constraints when trying to redeem an invite (#17182)
In certain situations, a logged in user can redeem an invite with an email that
either doesn't match the invite's email or does not adhere to the email domain
restriction of an invite link. The impact of this flaw is aggrevated
when the invite has been configured to add the user that accepts the
invite into restricted groups.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2022-06-21 13:25:10 -05:00
Blake Erickson
cf94e52f78
Version bump to v2.8.4 (#17075) 2022-06-13 15:04:02 -06:00
Blake Erickson
918c296fe8
SECURITY: banner-info (#17071) (#17073) 2022-06-13 11:47:44 -06:00
Alan Guo Xiang Tan
036467aac3
FIX: Approves user when redeeming an invite for invites only sites (#16987)
When a site has `SiteSetting.invite_only` enabled, we create a
`ReviewableUser`record when activating a user if the user is not
approved. Therefore, we need to approve the user when redeeming an
invite.

There are some uncertainties surrounding why a `ReviewableRecord` is
created for a user in an invites only site but this commit does not seek
to address that.

Follow-up to 7c4e2d33fa
2022-06-03 14:50:58 +08:00
Alan Guo Xiang Tan
576354072e
DEV: Fix auto start for wizard qunit tests (#16988)
`run-qunit.js` does not expect QUnit tests to start automatically but
our wizard QUnit setup did not respect the `qunit_disable_auto_start`
URL param. Hence, tests would start running automatically and when a
subsequent `QUnit.start()` function call is made, we ended up getting a
`QUnit.start cannot be called inside a test context.` error.

This error can be consistently reproduced in the `discourse:discourse_test` container but not in
the local development environment. I do not know why and did not feel
like it is important at this point in time to know why.
2022-06-03 12:44:42 +08:00
Gerhard Schlager
5c91d9a629
SECURITY: Remove auto approval when redeeming an invite (#16976)
This security fix affects sites which have `SiteSetting.must_approve_users`
enabled. There are intentional and unintentional cases where invited
users can be auto approved and are deemed to have skipped the staff approval process.
Instead of trying to reason about when auto-approval should happen, we have decided that
enabling the `must_approve_users` setting going forward will just mean that all new users
must be explicitly approved by a staff user in the review queue. The only case where users are auto
approved is when the `auto_approve_email_domains` site setting is used.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2022-06-02 16:11:04 +02:00
David Taylor
a0c141d6ac
FIX: Ensure theme JavaScript cache get consistent SHA1 digest (stable backport) (#16669)
(Stable backport of 7ed899f)

There is a couple of layers of caching for theme JavaScript in Discourse:

The first layer is the `javascript_caches` table in the database. When a theme
with JavaScript files is installed, Discourse stores each one of the JavaScript
files in the `theme_fields` table, and then concatenates the files, compiles
them, computes a SHA1 digest of the compiled JavaScript and store the results
along with the SHA1 digest in the `javascript_caches` table.

Now when a request comes in, we need to render `<script>` tags for the
activated theme(s) of the site. To do this, we retrieve the `javascript_caches`
records of the activated themes and generate a `<script>` tag for each record.
The `src` attribute of these tags is a path to the `/theme-javascripts/:digest`
route which simply responds with the compiled JavaScript that has the requested
digest.

The second layer is a distributed cache whose purpose is to make rendering
`<script>` a lot more efficient. Without this cache, we'd have to query the
`javascript_caches` table to retrieve the SHA1 digests for every single
request. So we use this cache to store the `<script>` tags themselves so that
we only have to retrieve the `javascript_caches` records of the activated
themes for the first request and future requests simply get the cached
`<script>` tags.

What this commit does it ensures that the SHA1 digest in the
`javascript_caches` table stay the same across compilations by adding an order
by id clause to the query that loads the `theme_fields` records. Currently, we
specify no order when retrieving the `theme_fields` records so the order in
which they're retrieved can change across compilations and therefore cause the
SHA1 to change even though the individual records have not changed at all.

An inconsistent SHA1 digest across compilations can cause the database cache
and the distributed cache to have different digests and that causes the
JavaScript to fail to load (and if the theme heavily customizes the site, it
gives the impression that the site is broken) until the cache is cleared.

This can happen in busy sites when 2 concurrent requests recompile the
JavaScript files of a theme at the same time (this can happen when deploying a
new Discourse version) and request A updates the database cache after request B
did, and request B updates the distributed cache after request A did.

Internal ticket: t60783.

Co-authored-by: David Taylor <david@taylorhq.com>
Co-authored-by: Osama Sayegh <asooomaasoooma90@gmail.com>
2022-05-06 11:10:40 +01:00
David Taylor
d8b68e00c9
FIX: Ensure values are escaped in select-kit dropdowns (#16586)
The values in Discourse dropdown menus only come from admin-defined strings, not unsanitised end-user input, so this lack of escaping was not exploitable.
2022-04-28 16:31:41 +01:00
Penar Musaraj
bb57be95f0 DEV: Cleanup body.scrollTop usage (#16445)
All current browser treat the HTML document (not the body element) as
the scrollable document element. Hence in all current browsers,
`document.body.scrollTop` returns 0. This commit removes all usage of
this property, because it is effectively 0.

Co-authored-by: David Taylor <david@taylorhq.com>
2022-04-14 12:45:34 -04:00
Penar Musaraj
9a9a29b24b FIX: Buggy topic scrolling on iOS 12 (#16422) 2022-04-14 12:45:34 -04:00
Penar Musaraj
a9a643bcdc
Version bump to v2.8.3 2022-04-14 10:08:37 -04:00
David Taylor
b72b0dac10
SECURITY: Ensure user-agent-based responses are cached separately (stable) (#16476) 2022-04-14 14:26:00 +01:00
Alan Guo Xiang Tan
3ac1b3a5c9 SECURITY: Update Nokogiri to 1.13.4.
Nokogiri 1.13.4 updates zlib to 1.2.12 to address CVE-2018-25032.

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
2022-04-12 15:19:46 +08:00
Jarek Radosz
6bbc822495 DEV: Don't check this.element in @afterRender (#16033)
This would allow to use the decorator in tag-less components and in controllers.
2022-04-11 13:03:54 +08:00
Alan Guo Xiang Tan
72c69a644f DEV: Add pretender endpoint for category visible groups.
This was causing our build to become flaky.
2022-04-11 13:03:54 +08:00
Alan Guo Xiang Tan
3d581ce159 SECURITY: Category group permissions leaked to normal users.
After this commit, category group permissions can only be seen by users
that are allowed to manage a category. In the past, we inadvertently
included a category's group permissions settings in `CategoriesController#show`
and `CategoriesController#find_by_slug` endpoints for normal users when
those settings are only a concern to users that can manage a category.
2022-04-08 11:04:59 +02:00
Bianca Nenciu
dcbd788412 FIX: Serialize permissions for everyone group
The permissions for the 'everyone' group were not serialized because
the list of groups a user can view did not include it. This bug was
introduced in commit dfaf9831f7.
2022-04-08 11:04:59 +02:00
Martin Brennan
f0574564c4 DEV: Fix failing share topic tests (#16309)
Since 3fd7b31a2a some tests
were failing with this error:

> Error: Unhandled request in test environment: /c/feature/find_by_slug.json
> (GET) at http://localhost:7357/assets/test-helpers.js

This commit fixes the issue by adding the missing pretender. Also
noticed while fixing this that the parameter for the translation
was incorrect -- it was `group` instead of `groupNames`, so that
is fixed here too, along with moving the onShow functions into
@afterRender decorated private functions. There is no need for the
appevent listeners.
2022-04-08 11:04:59 +02:00
Bianca Nenciu
1516dd75f5 FIX: Show restricted groups warning when necessary (#16236)
It was displayed for the "everyone" group too, but that was not
necessary.
2022-04-08 11:04:59 +02:00
Alan Guo Xiang Tan
7b5ef41a43 DEV: Restore order assertion in category serializer tests. (#16344)
Our group fabrication creates groups with name "my_group_#{n}" where n
is the sequence number of the group being created. However, this can
cause the test to be flaky if and when a group with name `my_group_10`
is created as it will be ordered before
`my_group_9`. This commits makes the group names determinstic to
eliminate any flakiness.

This reverts commit 558bc6b746.
2022-04-01 09:17:58 +08:00
David Taylor
62cde96c70 DEV: Fix flaky specs (#16340)
`group_permissions` are not serialized in a consistent order

Follow-up to dfaf9831f7
2022-04-01 09:17:58 +08:00
Alan Guo Xiang Tan
09e7dd00b8
SECURITY: Avoid leaking private group name when viewing category. (#16339)
In certain instances when viewing a category, the name of a group with
restricted visilbity may be revealed to users which do not have the
required permission.
2022-03-31 15:07:48 +08:00
Martin Brennan
bd0f10a50b
SECURITY: Hide private categories in user activity export (#16276)
In some of the user's own activity export data,
we sometimes showed a secure category's name or
exposed the existence of a secure category.
2022-03-24 15:56:50 +10:00
Neil Lalonde
74ce2fe2e7
Version bump to v2.8.2 2022-03-22 14:51:41 -04:00
Alan Guo Xiang Tan
79da89fd06
DEV: Don't load bundler when installing plugin gem. (#16176)
when bundler is loaded, it sets the `RUBYOPT` environment variable to setup bundler. However, it was causing weird errors like the following when we try to install
custom plugin gems into a specific directory.

```
/home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:214:in `rescue in load_spec_files': https://github.com/discourse/mail.git is not yet checked out. Run `bundle install` first. (Bundler::GitError)
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:210:in `load_spec_files'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/path.rb:107:in `local_specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:178:in `specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/lazy_specification.rb:88:in `__materialize__'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:75:in `block in materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:72:in `map!'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:72:in `materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:468:in `materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:190:in `specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:238:in `specs_for'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/runtime.rb:18:in `setup'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler.rb:151:in `setup'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/setup.rb:20:in `block in <top (required)>'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/ui/shell.rb:136:in `with_level'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/ui/shell.rb:88:in `silence'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/setup.rb:20:in `<top (required)>'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
```
2022-03-18 11:27:20 +08:00
Alan Guo Xiang Tan
43c744cdc8
DEV: Pull compatible version for plugins in Github test workflow. (#16212)
We have 3 branches which we care about, main, beta and stable.
However, each of this branch has different compatibilties with plugins
and we want to respect that.
2022-03-18 10:30:43 +08:00
Alan Guo Xiang Tan
1d2654f91f
DEV: Backport Github test workflow to stable. (#16210) 2022-03-17 14:02:45 +08:00
David Taylor
d7b48d0229
FIX: Handle nil values in DistributedCache#defer_get_set (stable) (#15980)
Themes often cache `nil` values in a DistributedCache. This bug meant that we were re-calculating some values on every request, AND triggering message-bus publishing on every request.

This fix should provide a significant performance improvement for busy sites.
2022-02-18 08:51:14 +00:00
Andrei Prigorshnev
2c8f62e271
FIX: backport caret moves to a wrong position when uploading an image via toolbar (#15865)
* FIX: Caret moves to a wrong position when uploading an image via toolbar

* Skip the test
2022-02-17 13:44:21 +11:00
Bianca Nenciu
0674d07cdf
FIX: Defer upload extension check for iOS (#15890)
accept HTML attribute is not fully supported on iOS yet and can contain
only MIME types. This changes the input to allow all files and the
extension check is performed later in JavaScript.
2022-02-15 19:57:58 +02:00
communiteq
247f70f79c
Fix bug regarding Chat on stable (#15954) 2022-02-15 12:40:48 -05:00
Krzysztof Kotlarek
cb9678ed34 Version bump to v2.8.1 2022-02-14 17:17:31 +11:00
Krzysztof Kotlarek
76195216ff SECURITY: Onebox response timeout and size limit (#15927)
Validation to ensure that Onebox request is no longer than 10 seconds and response size is not bigger than 1 MB
2022-02-14 12:13:22 +11:00
Dan Ungureanu
0b4e16aa2d
FEATURE: RS512, RS384 and RS256 COSE algorithms (#15868)
* FEATURE: RS512, RS384 and RS256 COSE algorithms

These algorithms are not implemented by cose-ruby, but used in the web
authentication API and were marked as supported.

* FEATURE: Use all algorithms supported by cose-ruby

Previously only a subset of the algorithms were allowed.
2022-02-09 13:56:45 +02:00