From 3a6c2aa83563515b2ce02cda289b0271d992e84e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=8B=E3=81=A3=E3=81=93=E3=81=8B=E3=82=8A?= <67428053+kakkokari-gtyih@users.noreply.github.com> Date: Thu, 21 Nov 2024 12:10:02 +0900 Subject: [PATCH 1/6] fix(backend): fix type error(s) in security fixes (#15009) * Fix type error in security fixes (cherry picked from commit fa3cf6c2996741e642955c5e2fca8ad785e83205) * Fix error in test function calls (cherry picked from commit 1758f29364eca3cbd13dbb5c84909c93712b3b3b) * Fix style error (cherry picked from commit 23c4aa25714af145098baa7edd74c1d217e51c1a) * Fix another style error (cherry picked from commit 36af07abe28bec670aaebf9f5af5694bb582c29a) * Fix `.punyHost` misuse (cherry picked from commit 6027b516e1c82324d55d6e54d0e17cbd816feb42) * attempt to fix test: make yaml valid --------- Co-authored-by: Julia Johannesen --- packages/backend/src/core/HttpRequestService.ts | 12 ++++++------ .../backend/src/core/RemoteUserResolveService.ts | 2 +- .../core/activitypub/models/ApPersonService.ts | 15 +++++++++------ .../test-federation/.config/example.default.yml | 7 +++---- packages/backend/test/unit/activitypub.ts | 4 ++-- 5 files changed, 21 insertions(+), 19 deletions(-) diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts index 0ad5667049..083153940a 100644 --- a/packages/backend/src/core/HttpRequestService.ts +++ b/packages/backend/src/core/HttpRequestService.ts @@ -54,19 +54,19 @@ class HttpRequestServiceAgent extends http.Agent { } }); return socket; - }; + } @bindThis private isPrivateIp(ip: string): boolean { const parsedIp = ipaddr.parse(ip); - + for (const net of this.config.allowedPrivateNetworks ?? []) { const cidr = ipaddr.parseCIDR(net); if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) { return false; } } - + return parsedIp.range() !== 'unicast'; } } 
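Review bot: `isPrivateIp` parses the same CIDR twice per iteration — `parsedIp.match(ipaddr.parseCIDR(net))` re-parses `net` even though `cidr` already holds that result; `parsedIp.match(cidr)` is clearer and drops the second parse. The identical loop appears in the HttpsRequestServiceAgent hunk (`@@ -93`) below and should be changed in the same way. The closing `return parsedIp.range() !== 'unicast';` deserves a why-comment, because it is the fail-closed half of the check: every range ipaddr.js reports other than plain unicast (loopback, private, link-local, multicast and the rest) is treated as private, e.g. `// fail closed: anything that is not plain unicast counts as private`. isPrivateIp is complete in the hunk, but the method ending with `return socket;` starts outside it.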
@@ -93,19 +93,19 @@ class HttpsRequestServiceAgent extends https.Agent { } }); return socket; - }; + } @bindThis private isPrivateIp(ip: string): boolean { const parsedIp = ipaddr.parse(ip); - + for (const net of this.config.allowedPrivateNetworks ?? []) { const cidr = ipaddr.parseCIDR(net); if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) { return false; } } - + return parsedIp.range() !== 'unicast'; } } diff --git a/packages/backend/src/core/RemoteUserResolveService.ts b/packages/backend/src/core/RemoteUserResolveService.ts index 678da0cfa6..098b5e1706 100644 --- a/packages/backend/src/core/RemoteUserResolveService.ts +++ b/packages/backend/src/core/RemoteUserResolveService.ts @@ -54,7 +54,7 @@ export class RemoteUserResolveService { }) as MiLocalUser; } - host = this.utilityService.punyHost(host); + host = this.utilityService.toPuny(host); if (host === this.utilityService.toPuny(this.config.host)) { this.logger.info(`return local user: ${usernameLower}`); diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts index 026ddb6ece..8590861ca0 100644 --- a/packages/backend/src/core/activitypub/models/ApPersonService.ts +++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts 
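Review bot: `host = this.utilityService.toPuny(host);` now normalizes the caller-supplied host the same way the next line normalizes `this.config.host`, which is what makes that equality test meaningful, but nothing in the code says why `toPuny` rather than `punyHost` is the right call here; a one-line comment would stop the next reader from reintroducing it, e.g. `// host is (presumably) a bare hostname, not a URL: normalize with toPuny, as for config.host, so the comparison below is like-for-like`. Whether `toPuny` can throw on a malformed host, and whether the caller validated it first, is not visible in the hunk; if it can, that throw propagates out of this method. The enclosing method starts outside the hunk.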
@@ -163,13 +163,16 @@ export class ApPersonService implements OnModuleInit { } for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) { - const collectionUri = getApId((x as IActor)[collection]); - if (typeof collectionUri === 'string' && collectionUri.length > 0) { - if (this.utilityService.punyHost(collectionUri) !== expectHost) { - throw new Error(`invalid Actor: ${collection} has different host`); + const xCollection = (x as IActor)[collection]; + if (xCollection != null) { + const collectionUri = getApId(xCollection); + if (typeof collectionUri === 'string' && collectionUri.length > 0) { + if (this.utilityService.punyHost(collectionUri) !== expectHost) { + throw new Error(`invalid Actor: ${collection} has different host`); + } + } else if (collectionUri != null) { + throw new Error(`invalid Actor: wrong ${collection}`); } - } else if (collectionUri != null) { - throw new Error(`invalid Actor: wrong ${collection}`); } } diff --git a/packages/backend/test-federation/.config/example.default.yml b/packages/backend/test-federation/.config/example.default.yml index ff1760a5a6..28d51ac86e 100644 --- a/packages/backend/test-federation/.config/example.default.yml +++ b/packages/backend/test-federation/.config/example.default.yml @@ -19,7 +19,6 @@ proxyBypassHosts: - challenges.cloudflare.com proxyRemoteFiles: true signToActivityPubGet: true -allowedPrivateNetworks: [ - '127.0.0.1/32', - '172.20.0.0/16' -] +allowedPrivateNetworks: + - 127.0.0.1/32 + - 172.20.0.0/16 diff --git a/packages/backend/test/unit/activitypub.ts b/packages/backend/test/unit/activitypub.ts index 2fc08aec91..9df947982b 100644 --- a/packages/backend/test/unit/activitypub.ts +++ b/packages/backend/test/unit/activitypub.ts 
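Review bot: The new `if (xCollection != null)` guard changes behaviour, not only typing: an actor that omits `outbox`, `followers` or `following` is now accepted silently, whereas before `getApId` was called on the missing value (and presumably threw). If tolerating absent collections is intended, record it next to the guard, e.g. `// absent collections are tolerated; present ones must resolve to the actor's own host`. As a point of style, `if (xCollection == null) continue;` as a guard clause would keep the host check and the `wrong ${collection}` throw one level shallower instead of re-indenting the whole body. The surrounding method starts and ends outside the hunk.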
@@ -176,7 +176,7 @@ describe('ActivityPub', () => { resolver.register(actor.id, actor); resolver.register(post.id, post); - const note = await noteService.createNote(post.id, resolver, true); + const note = await noteService.createNote(post.id, undefined, resolver, true); assert.deepStrictEqual(note?.uri, post.id); assert.deepStrictEqual(note.visibility, 'public'); @@ -336,7 +336,7 @@ describe('ActivityPub', () => { resolver.register(actor.featured, featured); resolver.register(firstNote.id, firstNote); - const note = await noteService.createNote(firstNote.id as string, resolver); + const note = await noteService.createNote(firstNote.id as string, undefined, resolver); assert.strictEqual(note?.uri, firstNote.id); }); }); From c1f19fad1e7e1717898b37bbb4e863e0f26b306b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=8B=E3=81=A3=E3=81=93=E3=81=8B=E3=82=8A?= <67428053+kakkokari-gtyih@users.noreply.github.com> Date: Thu, 21 Nov 2024 14:36:24 +0900 Subject: [PATCH 2/6] fix(backend): fix apResolver (#15010) * fix(backend): fix apResolver * fix * add comments * tweak comment --- packages/backend/src/core/activitypub/ApInboxService.ts | 3 ++- packages/backend/src/server/api/endpoints/ap/show.ts | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts index 9838e3bd30..ee3f691c51 100644 --- a/packages/backend/src/core/activitypub/ApInboxService.ts +++ b/packages/backend/src/core/activitypub/ApInboxService.ts @@ -130,7 +130,8 @@ export class ApInboxService { if (actor.uri) { if (actor.lastFetchedAt == null || Date.now() - actor.lastFetchedAt.getTime() > 1000 * 60 * 60 * 24) { setImmediate(() => { - this.apPersonService.updatePerson(actor.uri, resolver); + // 同一ユーザーの情報を再度処理するので、使用済みのresolverを再利用してはいけない + this.apPersonService.updatePerson(actor.uri); }); } } 
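Review bot: `noteService.createNote(post.id, undefined, resolver, true)` passes a bare positional `undefined` for the newly inserted second parameter, so a reader of the test cannot tell which argument is being skipped or why; a trailing comment naming that parameter, or a named local such as `const noParent = undefined;` if that is what it is, would make the call self-explanatory. The same applies to `createNote(firstNote.id as string, undefined, resolver)` in the `@@ -336` hunk. Both test bodies start outside the hunks.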
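Review bot: `this.apPersonService.updatePerson(actor.uri);` inside the `setImmediate` callback is fire-and-forget: if `updatePerson` returns a promise (not visible here), a rejection surfaces only as an unhandled rejection with no context about which actor triggered it. Attaching a handler that logs through whatever logger this service uses, e.g. `void this.apPersonService.updatePerson(actor.uri).catch(err => { /* log with actor.uri */ });`, keeps the refresh best-effort without losing the error. The added comment about not reusing the spent resolver is useful; the `1000 * 60 * 60 * 24` staleness window on the line above would read better as a named constant. The enclosing method starts outside the hunk.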
diff --git a/packages/backend/src/server/api/endpoints/ap/show.ts b/packages/backend/src/server/api/endpoints/ap/show.ts index bf99834c17..24d5a7b0f1 100644 --- a/packages/backend/src/server/api/endpoints/ap/show.ts +++ b/packages/backend/src/server/api/endpoints/ap/show.ts @@ -137,10 +137,11 @@ export default class extends Endpoint { // eslint- if (local != null) return local; } + // 同一ユーザーの情報を再度処理するので、使用済みのresolverを再利用してはいけない return await this.mergePack( me, - isActor(object) ? await this.apPersonService.createPerson(getApId(object), resolver) : null, - isPost(object) ? await this.apNoteService.createNote(getApId(object), undefined, resolver, true) : null, + isActor(object) ? await this.apPersonService.createPerson(getApId(object)) : null, + isPost(object) ? await this.apNoteService.createNote(getApId(object), undefined, undefined, true) : null, ); } From a21a2c52d7c3cf75cf67e001e664cb083188e2b8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 21 Nov 2024 06:27:16 +0000 Subject: [PATCH 3/6] Bump version to 2024.11.0-alpha.3 --- package.json | 2 +- packages/misskey-js/package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 4dd411c10f..9ee1cac90e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "misskey", - "version": "2024.11.0-alpha.2", + "version": "2024.11.0-alpha.3", "codename": "nasubi", "repository": { "type": "git", diff --git a/packages/misskey-js/package.json b/packages/misskey-js/package.json index f57656db0b..ac585b5573 100644 --- a/packages/misskey-js/package.json +++ b/packages/misskey-js/package.json @@ -1,7 +1,7 @@ { "type": "module", "name": "misskey-js", - "version": "2024.11.0-alpha.2", + "version": "2024.11.0-alpha.3", "description": "Misskey SDK for JavaScript", "license": "MIT", "main": "./built/index.js", From 9871035597708815d92ff210ae4d2161d8102d14 Mon Sep 17 00:00:00 2001 
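Review bot: The comment added above `return await this.mergePack(` explains why the used resolver must not be reused, but not what happens instead: with no resolver passed, `createPerson`/`createNote` presumably build a fresh one and fetch `object` from its origin a second time, which is a cost worth stating so nobody "optimizes" it back, e.g. `// a fresh resolver is created inside, so the object is fetched again by design`. The comment also speaks of the same user, while the `isPost` branch on the next lines handles a note; "the same object" would cover both calls. The enclosing method starts outside the hunk.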
From: syuilo <4439005+syuilo@users.noreply.github.com> Date: Thu, 21 Nov 2024 15:41:01 +0900 Subject: [PATCH 4/6] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0718150fc4..02566ff87f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,6 +67,7 @@ - Fix: User Webhookテスト機能のMock Payloadを修正 - Fix: アカウント削除のモデレーションログが動作していないのを修正 (#14996) - Fix: リノートミュートが新規投稿通知に対して作用していなかった問題を修正 +- Fix: セキュリティに関する修正 ### Misskey.js - Fix: Stream初期化時、別途WebSocketを指定する場合の型定義を修正 From 7f0ae038d418e65bc39d350ea5eefbda260cb1ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=8B=E3=81=A3=E3=81=93=E3=81=8B=E3=82=8A?= <67428053+kakkokari-gtyih@users.noreply.github.com> Date: Thu, 21 Nov 2024 17:16:06 +0900 Subject: [PATCH 5/6] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02566ff87f..39ce36d678 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,9 +8,9 @@ ### General - Feat: コンテンツの表示にログインを必須にできるように - Feat: 過去のノートを非公開化/フォロワーのみ表示可能にできるように -- Fix: お知らせ作成時に画像URL入力欄を空欄に変更できないのを修正 ( #14976 ) - Enhance: 依存関係の更新 - Enhance: l10nの更新 +- Fix: お知らせ作成時に画像URL入力欄を空欄に変更できないのを修正 ( #14976 ) ### Client - Enhance: Bull DashboardでRelationship Queueの状態も確認できるように From 752606fe887abe4767b9fff194e8694a4ea484ac Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 21 Nov 2024 08:21:54 +0000 Subject: [PATCH 6/6] Bump version to 2024.11.0-beta.4 --- package.json | 2 +- packages/misskey-js/package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 9ee1cac90e..ccb6170a16 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "misskey", - "version": "2024.11.0-alpha.3", + "version": "2024.11.0-beta.4", "codename": "nasubi", "repository": { "type": "git", diff --git a/packages/misskey-js/package.json b/packages/misskey-js/package.json index ac585b5573..cda4c183fa 100644 
--- a/packages/misskey-js/package.json +++ b/packages/misskey-js/package.json @@ -1,7 +1,7 @@ { "type": "module", "name": "misskey-js", - "version": "2024.11.0-alpha.3", + "version": "2024.11.0-beta.4", "description": "Misskey SDK for JavaScript", "license": "MIT", "main": "./built/index.js",