Commit Graph

48670 Commits

Author SHA1 Message Date
Blake Erickson 6695d568ca
SECURITY: Handle concurrent invite accepts
Raise an error on concurrent invite accept attempts.
2023-07-28 12:56:36 +01:00
Alan Guo Xiang Tan 439cc5b023
SECURITY: Impose a upper bound on limit params in various controllers
What is the problem here?

In multiple controllers, we are accepting a `limit` params but do not
impose any upper bound on the values being accepted. Without an upper
bound, we may be allowing arbituary users from generating DB queries
which may end up exhausing the resources on the server.

What is the fix here?

A new `fetch_limit_from_params` helper method is introduced in
`ApplicationController` that can be used by controller actions to safely
get the limit from the params as a default limit and maximum limit has
to be set. When an invalid limit params is encountered, the server will
respond with the 400 response code.
2023-07-28 12:56:35 +01:00
Discourse Translator Bot 2e62d86139
Update translations (#22665) 2023-07-25 17:57:53 +02:00
David Taylor eec936c99f
DEV: Support version operators in .discourse-compatibility (stable) (#22763)
This adds support for the `<=` and `<` version operators in `.discourse-compatibility` files. This allows for more flexibility (e.g. targeting the entire 3.1.x stable release via `< 3.2.0.beta1`), and should also make compatibility files to be more readable.

If an operator is not specified we default to `<=`, which matches the old behavior.
2023-07-25 14:04:58 +01:00
Alan Guo Xiang Tan cc54539f90
FIX: specify chrome version (#22681) (#22685)
Co-authored-by: Krzysztof Kotlarek <kotlarek.krzysztof@gmail.com>
2023-07-19 14:35:26 +08:00
Blake Erickson 461966e028
Version bump to v3.0.5 (#22556) 2023-07-11 17:09:02 -06:00
Blake Erickson aa0a236416
SECURITY: ensure topic is valid before updating category (#22547)
Co-authored-by: David Battersby <info@davidbattersby.com>
2023-07-11 15:23:48 -06:00
Blake Erickson 06ab681498
SECURITY: Don't reuse CSP nonce between requests (#22553)
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
2023-07-11 15:23:04 -06:00
Discourse Translator Bot 51c53e6007
Update translations (#22538) 2023-07-11 16:20:58 +02:00
Roman Rizzi cec7c05dae
SECURITY: Bump URI gem to 0.12.2 to address CVE-2023-36617 (#22350) 2023-06-29 14:25:39 -03:00
Discourse Translator Bot 37066e2b39
Update translations (#22301) 2023-06-27 16:39:51 +02:00
Discourse Translator Bot 412060ad3e
Update translations (#22205) 2023-06-20 17:27:41 +02:00
communiteq 76620c2502
FIX broken topic embedding because of incomplete security patch (#22088) (#22184) 2023-06-19 14:49:04 -04:00
Blake Erickson 21c80f5993
Version bump to v3.0.4 (#22093) 2023-06-13 12:20:26 -06:00
Blake Erickson 2a14338133
SECURITY: Prevent dismissal of topics that user can't see (#22090)
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
2023-06-13 11:10:10 -06:00
Blake Erickson a891e06989
SECURITY: set max-height property for iframes (#22089)
Co-authored-by: David Battersby <info@davidbattersby.com>
2023-06-13 11:09:40 -06:00
Blake Erickson 5e3106387f
SECURITY: Use canonical url for topic embeddings (#22088)
This prevents duplicate topics from being created when using embed_urls
that only differ on query params.
2023-06-13 11:09:23 -06:00
Discourse Translator Bot 8189ea6858
Update translations (#22082) 2023-06-13 15:18:50 +02:00
Discourse Translator Bot bff0dfcf07
Update translations (#21951) 2023-06-06 15:36:57 +02:00
Discourse Translator Bot 3000f4566c
Update translations (#21828) 2023-05-31 09:15:22 +02:00
Discourse Translator Bot 45f740ba86
Update translations (#21703) 2023-05-23 21:23:49 +02:00
Ted Johansson c9ee11c675
FIX: Remove obsolete references to lounge category (#21608)
### What is this change?

The lounge category was replaced with the general category in https://github.com/discourse/discourse/pull/18097.

However, there are still a few references to the lounge category in code. In particular, `Category#seeded?` is erroring out in production looking for `SiteSetting.lounge_category_id`.
2023-05-17 16:48:31 +08:00
Discourse Translator Bot 292ca384b9
Update translations (#21584) 2023-05-16 19:40:07 +02:00
Ted Johansson aaec964547
DEV: Add both safe and unsafe Discourse.store.download methods (stable) (#21499)
### Background

Several call sites use `FileStore#download` (through `Discourse.store.download`). In some cases the author seems aware that the method can raise an error if the download fails, and in some cases not. Because of this we're seeing some of these exceptions bubble all the way up and getting logged in production. Although they are not really actionable at that point. Rather each call site needs to be considered to figure out how to handle them.

### What is this change?

This change accomplishes primarily two things.

Firstly it separates the method into a safe version which will handle errors by returning `nil`, and an unsafe version which will re-package upstream errors in a new `FileStore::DownloadError` class.

Secondly it updates the call sites which have been doing error handling downstream to use the new safe version.

For backwards compatibility, there's an interim situation and a desired end state.

**Interim:**

```
FileStore#download      → Old unsafe version. Will raise any error and show a deprecation warning.
FileStore#download!     → New unsafe version. Will raise FileStore::DownloadError.
FileStore#download_safe → New safe version.   Will return nil.
```

**Desired end-state:**

```
FileStore#download  → New safe version.   Will return nil.
FileStore#download! → New unsafe version. Will raise FileStore::DownloadError.
```

### What's next?

We need to do a quick audit of the call sites that are using the old unsafe version without any error handling, as well as check for call sites in plugins other repos. Follow-up PRs incoming.
2023-05-12 11:38:08 +08:00
Discourse Translator Bot 99371c3e99
Update translations (#21456) 2023-05-10 00:48:15 +02:00
Martin Brennan 27082f7f53
DEV: Remove noisy SiteSetting deprecations (#21459)
We don't need these, they are causing a lot of
log noise on our servers, they have been removed
from the main branch from some time and it is
doubtful that anyone else needs to be told these
warnings on stable.
2023-05-09 19:40:01 +02:00
Blake Erickson 784006c71e
SECURITY: Do not overwrite permissions on the General category (#21390)
Before this fix if you had modified the default general category
settings they would be reset back to the default after a deploy.
2023-05-04 14:30:34 -06:00
Discourse Translator Bot 0bbbb9edc8
Update translations (#21335) 2023-05-02 17:39:38 +02:00
Discourse Translator Bot 845000a6ce
Update translations (#21146) 2023-04-25 17:23:28 +02:00
Ted Johansson 59dd20c415
Version bump to v3.0.3 (#21136) 2023-04-18 16:14:45 +08:00
Ted Johansson 0c11acf6cf
SECURITY: Encode embed url (#21134)
The embed_url in "This is a companion discussion..." could be used for
XSS.

Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
2023-04-18 15:05:33 +08:00
Ted Johansson bbc7746cef
SECURITY: Ensure site setting being updated is a configurable site setting (#21132) 2023-04-18 14:32:21 +08:00
Krzysztof Kotlarek bd301c3f08
FIX: improve performance of UserStat.ensure_consistency (#21044) (#21121)
Optimize `UserStatpost_read_count` calculation.

In addition, tests were updated to fail when code is not evaluated. Creation of PostTiming was updating `post_read_count`. Count it has to be reset to ensure that ensure_consitency correctly calculates result.

Extracting users seen in the last hour to separate Common Table Expression reduces the amount of processed rows.

Before
```
Update on user_stats  (cost=267492.07..270822.95 rows=2900 width=174) (actual time=12606.121..12606.127 rows=0 loops=1)
  ->  Hash Join  (cost=267492.07..270822.95 rows=2900 width=174) (actual time=12561.814..12603.689 rows=10 loops=1)
        Hash Cond: (user_stats.user_id = x.user_id)
        Join Filter: (x.c <> user_stats.posts_read_count)
        Rows Removed by Join Filter: 67
        ->  Seq Scan on user_stats  (cost=0.00..3125.34 rows=75534 width=134) (actual time=0.014..39.173 rows=75534 loops=1)
        ->  Hash  (cost=267455.80..267455.80 rows=2901 width=48) (actual time=12558.613..12558.617 rows=77 loops=1)
              Buckets: 4096  Batches: 1  Memory Usage: 39kB
              ->  Subquery Scan on x  (cost=267376.03..267455.80 rows=2901 width=48) (actual time=12168.601..12558.572 rows=77 loops=1)
                    ->  GroupAggregate  (cost=267376.03..267426.79 rows=2901 width=12) (actual time=12168.595..12558.525 rows=77 loops=1)
                          Group Key: pt.user_id
                          ->  Sort  (cost=267376.03..267383.28 rows=2901 width=4) (actual time=12100.490..12352.106 rows=2072830 loops=1)
                                Sort Key: pt.user_id
                                Sort Method: external merge  Disk: 28488kB
                                ->  Nested Loop  (cost=1.28..267209.18 rows=2901 width=4) (actual time=0.040..11528.680 rows=2072830 loops=1)
                                      ->  Nested Loop  (cost=0.86..261390.02 rows=13159 width=8) (actual time=0.030..3492.887 rows=3581648 loops=1)
                                            ->  Index Scan using index_users_on_last_seen_at on users u  (cost=0.42..89.71 rows=28 width=4) (actual time=0.010..0.201 rows=78 loops=1)
                                                  Index Cond: (last_seen_at > '2023-04-11 00:22:49.555537'::timestamp without time zone)
                                            ->  Index Scan using index_post_timings_on_user_id on post_timings pt  (cost=0.44..9287.60 rows=4455 width=8) (actual time=0.081..38.542 rows=45919 loops=78)
                                                  Index Cond: (user_id = u.id)
                                      ->  Index Scan using forum_threads_pkey on topics t  (cost=0.42..0.44 rows=1 width=4) (actual time=0.002..0.002 rows=1 loops=3581648)
                                            Index Cond: (id = pt.topic_id)
                                            Filter: ((deleted_at IS NULL) AND ((archetype)::text = 'regular'::text))
                                            Rows Removed by Filter: 0
Planning Time: 0.692 ms
Execution Time: 12612.587 ms
```
After
```
Update on user_stats  (cost=9473.60..12804.30 rows=2828 width=174) (actual time=677.724..677.729 rows=0 loops=1)
  ->  Hash Join  (cost=9473.60..12804.30 rows=2828 width=174) (actual time=672.536..677.706 rows=1 loops=1)
        Hash Cond: (user_stats.user_id = x.user_id)
        Join Filter: (x.c <> user_stats.posts_read_count)
        Rows Removed by Join Filter: 54
        ->  Seq Scan on user_stats  (cost=0.00..3125.34 rows=75534 width=134) (actual time=0.012..23.977 rows=75534 loops=1)
        ->  Hash  (cost=9438.24..9438.24 rows=2829 width=48) (actual time=647.818..647.822 rows=55 loops=1)
              Buckets: 4096  Batches: 1  Memory Usage: 37kB
              ->  Subquery Scan on x  (cost=9381.66..9438.24 rows=2829 width=48) (actual time=647.409..647.805 rows=55 loops=1)
                    ->  HashAggregate  (cost=9381.66..9409.95 rows=2829 width=12) (actual time=647.403..647.786 rows=55 loops=1)
                          Group Key: pt.user_id
                          Batches: 1  Memory Usage: 121kB
                          ->  Nested Loop  (cost=1.86..9367.51 rows=2829 width=4) (actual time=0.056..625.245 rows=120022 loops=1)
                                ->  Nested Loop  (cost=1.44..3692.96 rows=12832 width=8) (actual time=0.047..171.754 rows=217440 loops=1)
                                      ->  Nested Loop  (cost=1.00..254.63 rows=25 width=12) (actual time=0.030..1.407 rows=56 loops=1)
                                            Join Filter: (u.id = user_stats_1.user_id)
                                            ->  Nested Loop  (cost=0.71..243.08 rows=25 width=8) (actual time=0.018..1.207 rows=87 loops=1)
                                                  ->  Index Scan using index_users_on_last_seen_at on users u  (cost=0.42..86.71 rows=27 width=4) (actual time=0.009..0.156 rows=87 loops=1)
                                                        Index Cond: (last_seen_at > '2023-04-11 00:47:07.437568'::timestamp without time zone)
                                                  ->  Index Only Scan using user_stats_pkey on user_stats us  (cost=0.29..5.79 rows=1 width=4) (actual time=0.011..0.011 rows=1 loops=87)
                                                        Index Cond: (user_id = u.id)
                                                        Heap Fetches: 87
                                            ->  Index Scan using user_stats_pkey on user_stats user_stats_1  (cost=0.29..0.45 rows=1 width=4) (actual time=0.002..0.002 rows=1 loops=87)
                                                  Index Cond: (user_id = us.user_id)
                                                  Filter: (posts_read_count < 10000)
                                                  Rows Removed by Filter: 0
                                      ->  Index Scan using index_post_timings_on_user_id on post_timings pt  (cost=0.44..92.98 rows=4455 width=8) (actual time=0.036..2.492 rows=3883 loops=56)
                                            Index Cond: (user_id = user_stats_1.user_id)
                                ->  Index Scan using forum_threads_pkey on topics t  (cost=0.42..0.44 rows=1 width=4) (actual time=0.002..0.002 rows=1 loops=217440)
                                      Index Cond: (id = pt.topic_id)
                                      Filter: ((deleted_at IS NULL) AND ((archetype)::text = 'regular'::text))
                                      Rows Removed by Filter: 0
Planning Time: 1.406 ms
Execution Time: 677.817 ms
```
2023-04-18 10:04:50 +10:00
Penar Musaraj 7468b78885
SECURITY: strip `xlink:href` from uploaded SVGs (#21058)
This was inadvertently removed in 4c46c7e. In very specific scenarios,
this could be used execute arbitrary JavaScript.

Only affects instances where SVGs are allowed as uploads and CDN is not
configured.
2023-04-11 14:15:41 -04:00
Discourse Translator Bot dc3aaf852b
Update translations (#21056) 2023-04-11 15:44:29 +02:00
Discourse Translator Bot b2c7e65f38
Update translations (#20862) 2023-04-05 09:12:44 +02:00
Alan Guo Xiang Tan 75446832b2
SECURITY: Update URI gem to 0.12.1 to address CVE-2023-28755 (#20907)
See https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
2023-03-31 07:51:55 +08:00
David Taylor 428b0c91ac
SECURITY: Limit URL length for theme remote (stable) (#20788) 2023-03-23 12:07:02 +00:00
Discourse Translator Bot 8464573baa
Update translations (#20761) 2023-03-22 12:13:48 +01:00
Blake Erickson e54f52a756
Version bump to v3.0.2 (#20714) 2023-03-16 18:12:53 -06:00
Blake Erickson 92ffbcaece SECURITY: Bump Rails to v7.0.4.3 (#20675) 2023-03-16 16:25:48 -06:00
Ted Johansson d133692605 SECURITY: Add FinalDestination::FastImage that's SSRF safe 2023-03-16 16:25:48 -06:00
Alan Guo Xiang Tan 87032e87ea SECURITY: SSRF protection bypass with IPv4-mapped IPv6 addresses
As part of this commit, we've also expanded our list of private IP
ranges based on
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
and https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
2023-03-16 16:25:48 -06:00
Alan Guo Xiang Tan 3c49c4ee35 SECURITY: Monkey-patch web-push gem to use safer HTTP client
`FinalDestination::HTTP` is our patch of `Net::HTTP` which defend us
against SSRF and DNS rebinding attacks.
2023-03-16 16:25:48 -06:00
Blake Erickson 3374457c44 SECURITY: Fix XSS in full name composer reply
We are using htmlSafe when rendering the name field so we need to escape
any html being passed in.
2023-03-16 16:25:48 -06:00
Loïc Guitaut 78a3efa710 SECURITY: Rate limit the creation of backups 2023-03-16 16:09:08 +01:00
Discourse Translator Bot b5bee9d331
Update translations (#20672) 2023-03-14 15:29:08 +01:00
Alan Guo Xiang Tan 749a4c5937 DEV: Introduce `stub_ip_lookup` spec helper (#20571) 2023-03-09 08:46:41 +08:00
Sam f6dc6da3f8 DEV: avoid mocking FinalDestination (#20570) 2023-03-09 08:46:41 +08:00
Discourse Translator Bot 05b03ca562
Update translations (#20560) 2023-03-07 14:58:27 +01:00