aiden
/
mastodon
mirror of https://github.com/mastodon/mastodon
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
16,925 Commits
142 Branches
269 Tags
993 MiB
i18n/crowdin/translations
renovate/eslint-(non-major)
renovate/sanitize-7.x
renovate/yarn-monorepo
renovate/postcss-preset-env-10.x-lockfile
renovate/bufferutil-4.x-lockfile
renovate/docker.io-ruby-3.x
renovate/ox-2.x-lockfile
renovate/rubocop-(non-major)
renovate/nokogiri-1.x-lockfile
renovate/rack-test-2.x-lockfile
renovate/pino-9.x-lockfile
renovate/csv-3.x-lockfile
main
feat/fasp
renovate/definitelytyped-types-(non-major)
features/numeric-identifiers
renovate/omniauth-packages
renovate/major-react-monorepo
fixes/notification-trailing-groups
renovate/reduxjs-toolkit-2.x-lockfile
renovate/webpush-digest
feature-streaming-profile
renovate/formatjs-monorepo
feature-starter-packs
refactor-status-content-typescript
renovate/glob-11.x
renovate/react-test-renderer-19.x
fixes/embed-requestAnimationFrame
renovate/immutable-5.x
stable-4.3
stable-4.1
stable-4.2
renovate/net-http-0.x
renovate/major-formatjs-monorepo
features/lock-icon-on-hover-card
renovate/typescript-5.x-lockfile
feature-language-dropdown-warning
feature-admin-report-forward
feature-reports-batch-actions
fix-admin-dashboard-slow
fix-future-date-trend
redesign/content-warning-filters-4.3
fixes/filtered-follows
remove/trendable-provider-attribution
activitypub/summary-over-name
build-stable-nightly
fixes/notification-excerpt-paragraph
fixes/mastodon-setup-task-redis
fixes/out-of-order-private-posts
fixes/regexp-timeout-optional
fixes/small-otp-secret-length-4.1
fixes/small-otp-secret-length-4.2
fixes/dashboard-quick-access-overflow
fixes/middle-column-size
fix-context-socialweb-miscellany
cleanup/remove-old-notifications
fixes/detect-missing-indexes2
cleanup/simplify-css
feature-post-layout
features/media-description-in-embedded-status
design/notifications-grid
fix-lookup-domain
flaky-conversations-test
fixes/crash-orphaned-notification
fixes/report-links
features/filtered-dismiss-accept-all
feat/clean-up-notifications
fixes/everyone-role-n+1
redesign/notification-request
experimental/notification-groups-api-shape
fixes/thread-resolve-worker-skip_fetching
spike/resolve-urls-on-click
cleanup/drop-atomuri
fixes/dismissing-notification-requests-dismisses-too-much
revert-system-check
feature-redirect
fix-unusable-hashtag
tests/flaky-tests-performance-logs
feature-grouped-notifications-ui
drop-redis-below-6.2
fix-mute-buttons
features/local-preview-cards-2nd-take
fix-conversations-background
revert-severed-relationships-feature
features/local-preview-cards
stable-3.5
stable-4.0
stable-3.4
releases/v3.5.17
releases/v4.1.13
releases/v4.2.5
version/v4.3.0-alpha.1
fix/build-env
feature-color-scheme
revert/follow-back-mutual
gh-readonly-queue/main/pr-28626-1ad908e0c08c236389967d86b4f238f428de9fef
fixes/per-user-authorized-fetch
fixes/import-many-follows-overlap
fix-web-thread-sort
test-new-container-build
fixes/24px-icons
features/registration-invite-api
fixes/service-worker-caching
fixes/account-refresh-link-verification
feature-like
tests/introduce-error
fixes/lint-fix
fixes/object-has-own-polyfill
fixes/audio-passthrough
fixes/audit-log-external-confirmation
features/banners
refactor/search-query-parser
remove-profile-directory
redesign/notification-settings
feature-separate-hashtags
fixes/self-destruct-throttle
fixes/subdomain-block-4.1.6
redesign/hashtag-column-follow-button
feature-trend-highlights
revert-23460-fixes/activitypub-hashtag
pg15
prevent-unauthenticated-access-tag-timeline
support-rich-oembed
fix-caniuselite-lockfile
track_unsalvageable_errors
add-publish-button-text-site-setting
nolan/button-a11y
i18n/manage-translations
deps/shakapacker
rubocop-fixes
react18
stable-3.3
stable-3.2
stable-3.1
stable-3.0
stable-2.9
stable-2.8
stable-2.7
stable-2.5
stable-2.6
stable-2.4
v0.1.2
v0.1.1
v0.1.0
v0.6
v0.7
v0.8
v0.9
v0.9.9
v1.0
v1.1
v1.1.1
v1.1.2
v1.2
v1.2.1
v1.2.2
v1.3
v1.3.1
v1.3.2
v1.3.3
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4rc1
v1.4rc2
v1.4rc3
v1.4rc4
v1.4rc5
v1.4rc6
v1.5.0
v1.5.0rc1
v1.5.0rc2
v1.5.0rc3
v1.5.1
v1.6.0
v1.6.0rc1
v1.6.0rc2
v1.6.0rc3
v1.6.0rc4
v1.6.0rc5
v1.6.1
v2.0.0
v2.0.0rc1
v2.0.0rc2
v2.0.0rc3
v2.0.0rc4
v2.1.0
v2.1.0rc1
v2.1.0rc2
v2.1.0rc3
v2.1.0rc4
v2.1.0rc5
v2.1.0rc6
v2.1.1
v2.1.2
v2.1.3
v2.2.0
v2.2.0rc1
v2.2.0rc2
v2.3.0
v2.3.0rc1
v2.3.0rc2
v2.3.0rc3
v2.3.1
v2.3.1rc1
v2.3.1rc2
v2.3.1rc3
v2.3.2
v2.3.2rc1
v2.3.2rc2
v2.3.2rc3
v2.3.2rc4
v2.3.2rc5
v2.3.3
v2.4.0
v2.4.0rc1
v2.4.0rc2
v2.4.0rc3
v2.4.0rc4
v2.4.0rc5
v2.4.1
v2.4.1rc1
v2.4.1rc2
v2.4.1rc3
v2.4.1rc4
v2.4.2
v2.4.2rc1
v2.4.2rc2
v2.4.2rc3
v2.4.3
v2.4.3rc1
v2.4.3rc2
v2.4.3rc3
v2.4.4
v2.4.5
v2.5.0
v2.5.0rc1
v2.5.0rc2
v2.5.1
v2.5.2
v2.6.0
v2.6.0rc1
v2.6.0rc2
v2.6.0rc3
v2.6.0rc4
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.7.0
v2.7.0rc1
v2.7.0rc2
v2.7.0rc3
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.0rc1
v2.8.0rc2
v2.8.0rc3
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.0rc1
v2.9.0rc2
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v3.0.0
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.1
v3.0.2
v3.1.0
v3.1.0rc1
v3.1.0rc2
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.2.0
v3.2.0rc1
v3.2.0rc2
v3.2.1
v3.2.2
v3.3.0
v3.3.0rc1
v3.3.0rc2
v3.3.0rc3
v3.3.1
v3.3.2
v3.3.3
v3.4.0
v3.4.0rc1
v3.4.0rc2
v3.4.1
v3.4.10
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.5.0
v3.5.0rc1
v3.5.0rc2
v3.5.0rc3
v3.5.1
v3.5.10
v3.5.11
v3.5.12
v3.5.13
v3.5.14
v3.5.15
v3.5.16
v3.5.17
v3.5.18
v3.5.19
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.5.6
v3.5.7
v3.5.8
v3.5.9
v4.0.0
v4.0.0rc1
v4.0.0rc2
v4.0.0rc3
v4.0.0rc4
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0rc1
v4.1.0rc2
v4.1.0rc3
v4.1.1
v4.1.10
v4.1.11
v4.1.12
v4.1.13
v4.1.14
v4.1.15
v4.1.16
v4.1.17
v4.1.18
v4.1.19
v4.1.2
v4.1.20
v4.1.21
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.0-beta1
v4.2.0-beta2
v4.2.0-beta3
v4.2.0-rc1
v4.2.0-rc2
v4.2.1
v4.2.10
v4.2.11
v4.2.12
v4.2.13
v4.2.14
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.3.0
v4.3.0-beta.1
v4.3.0-beta.2
v4.3.0-rc.1
v4.3.1
v4.3.2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '36ccdcc9e1'
${ noResults }
Commit Graph

43 Commits (36ccdcc9e12d35399742cbe05c2589d69dbbbc99)

Author SHA1 Message Date
Claire eaedd52def
Fix incorrect rate limit on PUT requests (#31356) 5 months ago
Claire 73a78cc19d
Fix rate-limiting incorrectly triggering a session cookie on most endpoints (#30483) 7 months ago
Claire 3fa0dd0b88
Merge pull request from GHSA-c2r5-cfqr-c553 
* Add hardening monkey-patch to prevent IP spoofing on misconfigured installations

* Remove rack-attack safelist
 7 months ago
Claire 16249946ae
Merge pull request from GHSA-q3rg-xx5v-4mxh 7 months ago
Emelia Smith d20a5c3ec9
Fix: remove broken OAuth Application vacuuming & throttle OAuth Application registrations (#30316) 
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
 7 months ago
Matt Jankowski 933189887b
Fix `Style/StringLiterals` cop (#30005) 9 months ago
Nick Schonning 85db392464
Autofix Rubocop cops for config/ (#24145) 1 year ago
Matt Jankowski 2e1391fdd2
Fix `Naming/MemoizedInstanceVariableName` cop (#25928) 1 year ago
Nick Schonning c66250abf1
Autofix Rubocop Regex Style rules (#23690) 
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
 2 years ago
Nick Schonning cee4369cf5
Autofix Rubocop Lint/AmbiguousOperatorPrecedence (#25002) 2 years ago
Nick Schonning 49fad26eca
Drop EOL Ruby 2.7 (#24237) 2 years ago
Eugen Rochko c6ef56fd5e
Change rate limits to 1,500/5m per user, 300/5m per app (#23347) 2 years ago
Eugen Rochko 21fd25a269
Fix rate limiting for paths with formats (#20675) 2 years ago
dependabot[bot] 46ad7fea9d
Bump rack-attack from 6.5.0 to 6.6.0 (#17405) 
* Bump rack-attack from 6.5.0 to 6.6.0

Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.5.0 to 6.6.0.
- [Release notes](https://github.com/rack/rack-attack/releases)
- [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0)

---
updated-dependencies:
- dependency-name: rack-attack
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix usage of deprecated API

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
 3 years ago
Claire 8603a07504
Fix error when trying to register (#17600) 3 years ago
zunda f9e7f2e409
Avoid return within block (#17590) 
This prevents the error: LocalJumpError (unexpected return)
 3 years ago
Jeong Arm 1de2e3f980
Throttle IPv6 signup for subnet (#17588) 3 years ago
Jeong Arm ea61d3acd6
Fix media API limit (#17272) 3 years ago
Eugen Rochko ee1119208c
Add `POST /api/v1/emails/confirmations` to REST API (#15816) 
Only available to the application the user originally signed-up with
 4 years ago
luigi eb51e43fb4
Optimize some regex matching (#15528) 
* Use Regex#match?

* Replace =~ too

* Avoid to call match? from Nil

* Keep value of Regexp.last_match
 4 years ago
Eugen Rochko 5e1364c448
Add IP-based rules (#14963) 4 years ago
Eugen Rochko 81a3db1564
Change rate limits for various paths (#14253) 
- Rate limit login attempts by target account
- Rate limit password resets and e-mail re-confirmations by target account
- Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before
 5 years ago
Eugen Rochko 9241cbf861
Fix re-sending of e-mail confirmation not being rate limited (#13360) 
Fix #13330
 5 years ago
Eugen Rochko 339ce1c4e9
Add specific rate limits for posting and following (#13172) 5 years ago
Eugen Rochko 09d54d1f62
Fix uncaught query param encoding errors (#12741) 5 years ago
Yamagishi Kazutoshi 4e1b742cb2 Change rate limit for media proxy (#11814) 5 years ago
Hinaloe b793722d7d Fix undefined method error (#10868) 6 years ago
mayaeh afb17b7045 Fix undefined method error. (#10867) 6 years ago
ThibG 0e9b8be18a Improve rate limiting (#10860) 
* Rate limit based on remote address IP, not on potential reverse proxy

* Limit rate of unauthenticated API requests further

* Rate-limit paging requests to one every 3 seconds
 6 years ago
Eugen Rochko 0e8819f0e8
Add rate limit for media proxy requests (#10490) 
30 per 30 minutes, like media uploads
 6 years ago
Eugen Rochko 99fa1ce93d
Add tight rate-limit for API deletions (#10042) 
Deletions take a lot of resources to execute and cause a lot of
federation traffic, so it makes sense to decrease the number
someone can queue up through the API.

30 per 30 minutes
 6 years ago
Eugen Rochko 5d2fc6de32
Add REST API for creating an account (#9572) 
* Add REST API for creating an account

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.

* Redirect users back to app from confirmation if they were created with an app

* Add tests

* Return 403 on the method if registrations are not open

* Require agreement param to be true in the API when creating an account
 6 years ago
aus-social 0a4739c732 lint pass 2 (#8878) 
* Code quality pass

* Typofix

* Update applications_controller_spec.rb

* Update applications_controller_spec.rb
 6 years ago
Akihiko Odaki a7e71bbd08 Add a missing question mark in rack_attack.rb (#7338) 7 years ago
Akihiko Odaki b1d4471e36 Throttle media post (#7337) 
The previous rate limit allowed to post media so fast that it is possible
to fill up the disk space even before an administrator notices. The new
rate limit is configured so that it takes 24 hours to eat 10 gigabytes:
10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30)

The period is set long so that it does not prevent from attaching several
media to one post, which would happen in a short period. For example,
if the period is 5 minutes, the rate limit would be:
10 * 1024 / 8 / (24 * 60 / 5) = 4

This long period allows to lift the limit up.
 7 years ago
Eugen Rochko 921b781909
Increase rate limit on protected paths (#6229) 
Previously each protected path had a separate rate limit. Now they're all in the same bucket, so people are more likely to hit one with register->login. Increasing to 25 per 5 minutes should be fine.
 7 years ago
Eugen Rochko feed07227b
Apply a 25x rate limit by IP even to authenticated requests (#5948) 7 years ago
Naoki Kosaka 4bce376fdc Missing require 'authorization_decorator'. (#5947) 7 years ago
Eugen Rochko a865b62efc
Rate limit by user instead of IP when API user is authenticated (#5923) 
* Fix #668 - Rate limit by user instead of IP when API user is authenticated

* Fix code style issue

* Use request decorator provided by Doorkeeper
 7 years ago
unarist b42c018bb8 Add Content-Type header on throttled response to fix mojibake (#4558) 
application/json only allows Unicode, so this prevents from wrong charset detection.
 8 years ago
alpaca-tc db92eec876 Localize 'throttled' (#2755) 8 years ago
Tristan Mahé 964035b118 allow localhost to bypass the ratelimit (#2554) 8 years ago
Eugen ff5baa5349 Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079) 
* Add rate limits for logins and sign-ups by IP (5 in 5 minutes)
Should be enough for normal attempts

* Add rate limit for forgotten password form as well
 8 years ago