accumulated fixes and improvements from neodb#44

Open
alphatownsman wants to merge 1 commit into avaraline:main from neodb-social:contribute-to-incarnator


@alphatownsman

Collaborator

The main fix is QuoteAuthorization, which was incomplete in the previous implementation.

ActivityPub compatibility

  • accept list-form attributedTo (WriteFreely blog Articles)
  • follow Link rel=alternate to resolve AP Article URLs
  • only accept URL-shaped quote values, validate length and scheme
  • give identity Update/Delete/Move activities unique IDs (deduplication)
  • serve QuoteAuthorization at a dereferenceable URL (FEP-044f)
  • treat image-only Notes as Posts instead of Interactions
  • skip emoji tag ingestion when author has no domain
  • accept Article posts without local Article row (Post-only renderer)
  • coalesce list-typed poll option name to string (pl.fediverse.pl)
  • handle vote-type in PostInteraction undo to prevent ValueError
  • handle UnicodeDecodeError when parsing nodeinfo well-known response
  • ignore Undo Block when block does not exist locally
  • treat 410 Gone as final on POST delivery (no retry)
  • validate URI scheme before fetching posts and replies
  • return 400 for unparseable HTTP signatures
  • return 404 for non-numeric IDs in API pk lookups
  • use ActivityPubError subtypes for invalid inbound activities

Security

  • add SSRF protection to all outbound HTTP requests (core.files)
  • enforce CSRF verification for session-authenticated API requests
  • harden OAuth token exchange against error leak and timing attack
  • force safe Content-Type on media proxy responses
  • use CodeQL-recognized sanitizers for url-redirection
  • fix XXE in host-meta parsing and weak PRNG for tokens
  • fix LD signature creator-actor binding
  • fix inbox signature verification
  • address several CodeQL code-scanning alerts

Performance

  • avoid OR-subquery in notification queries, add partial index
  • match bell-follows by target_id, not Follow id
  • collapse Hashtag stator stats into 2 queries
  • use timestamp ranges in Hashtag stat filters (avoid per-row casts)
  • avoid slow OR query in quote post URL lookup

Robustness

  • translate ClearTimeline deadlocks to TryAgainLater so Stator reschedules
  • less noisy logging for DNS errors
  • use utf-8 encoding for URL hashing in ProxyAbsoluteUrl

@alphatownsman force-pushed the contribute-to-incarnator branch from abdec60 to 2cd26de on May 23, 2026 16:37
Aggregated, NeoDB-agnostic changes accumulated on neodb-social/neodb-incarnator
since upstream/main diverged. Reviewable as a single squash; happy to split per
maintainer preference.

ActivityPub compatibility
- accept list-form attributedTo (WriteFreely blog Articles)
- follow Link rel=alternate to resolve AP Article URLs
- only accept URL-shaped quote values (validate scheme and length)
- give identity Update/Delete/Move activities unique IDs (deduplication)
- serve QuoteAuthorization at a dereferenceable URL (FEP-044f):
  new QuoteAuthorization model + view + migration
- treat image-only Notes as Posts instead of Interactions
- skip emoji tag ingestion when author has no domain
- handle vote-type in PostInteraction undo to prevent ValueError
- validate URI scheme before fetching posts and replies
- return 400 (VerificationFormatError) for unparseable HTTP signatures
- use ActivityPubError subtypes for invalid inbound activities
  (ActorMismatchError / ActivityPubFormatError instead of ValueError)
- coalesce list-typed poll option name to string (pl.fediverse.pl)
- expose federation.enabled in nodeinfo metadata (FEP-0151)

Security
- add SSRF protection to all outbound HTTP requests
  (core.files.check_url_safety + SSRFAttemptError, attached via httpx
  event_hooks so redirect hops are also checked)
- enforce CSRF verification for session-authenticated API requests
- harden OAuth token exchange against error leak and timing attack
  (constant-time compare for client_id/secret, single-shot code lookup)
- use safer URL-redirection sanitizers (_safe_remote_redirect) so CodeQL
  recognises the sanitiser pattern
- treat DNS resolution failures as httpx.ConnectError instead of
  SSRFAttemptError so logs are less noisy

Performance
- partial index on TimelineEvent(identity, -id) WHERE NOT dismissed; bell
  follows matched by target_id, not Follow id; avoid OR-subquery in
  notification queries
- collapse Hashtag stator stats into 2 queries
- use timestamp ranges in Hashtag stat filters (avoid per-row
  AT TIME ZONE / EXTRACT casts)

Robustness
- translate ClearTimeline deadlocks to TryAgainLater so Stator silently
  reschedules instead of logging OperationalError
- bump sentry-sdk

Article rendering
- preserve full AS Article on inbound by storing type_data = {"object": data}
  so name/summary/source survive (the old ArticleData parse with
  extra="ignore" dropped them)
- add templates/activities/_type_article.html so Article posts render as
  title + body instead of falling through to the unknown-type path

Tests
- QuoteAuthorization, list-form attributedTo, search URL with
  Link rel=alternate fallback, Article type_data shape, ClearTimeline
  deadlock translation, json edge cases, identity RSS feed (with quote link)
@alphatownsman force-pushed the contribute-to-incarnator branch from 2cd26de to 3068808 on May 23, 2026 16:44
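
The SSRF item in the commit message above (a URL safety check run from httpx event hooks, with DNS failures kept separate from SSRFAttemptError) is illustrated here, together with the scheme validation it mentions. This is an added example, not code from the pull request: the names check_url_safety and SSRFAttemptError come from the commit message, while their bodies, the resolve parameter, system_resolve, ssrf_request_hook, verdict and the FAKE_DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class SSRFAttemptError(Exception):
    """URL targets a disallowed scheme or a non-public address."""

def system_resolve(host, port):
    # Real lookup; a DNS failure raises socket.gaierror (an OSError), kept
    # distinct from SSRFAttemptError so it is not logged as an attack.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def check_url_safety(url, resolve=system_resolve):
    """Return the resolved addresses, or raise SSRFAttemptError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFAttemptError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise SSRFAttemptError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        addresses = resolve(parts.hostname, port)
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        mapped = getattr(ip, "ipv4_mapped", None)      # ::ffff:10.0.0.1 form
        ip = mapped or ip
        # Every answer must be public: one private record is enough to reject.
        if not ip.is_global:
            raise SSRFAttemptError(f"{parts.hostname} -> non-public {ip}")
    return addresses

def ssrf_request_hook(request):
    # httpx request hooks receive the outgoing request, once per redirect hop.
    check_url_safety(str(request.url))

# Constructed DNS answers, so the example runs without network access.
FAKE_DNS = {"remote.example": ["8.8.8.8"], "mixed.example": ["8.8.8.8", "10.0.0.5"],
            "meta.example": ["169.254.169.254"]}

def verdict(url):
    try:
        check_url_safety(url, lambda host, port: FAKE_DNS[host])
        return "allowed"
    except SSRFAttemptError:
        return "blocked"

if __name__ == "__main__":
    for u in ("https://remote.example/users/a", "https://mixed.example/",
              "http://meta.example/latest", "http://[::1]/", "file:///etc/passwd"):
        print(verdict(u), u)
```

With httpx the hook would be attached as `httpx.Client(event_hooks={"request": [ssrf_request_hook]})`; the check resolves the name separately from the connection httpx then opens, so it does not by itself pin the address against DNS rebinding.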