Merge branch 'main' of https://github.com/glitch-soc/mastodon

.browserslistrc

@@ -0,0 +1,7 @@
+[production]
+defaults
+not IE 11
+not dead
+
+[development]
+supports es6-module

.circleci/config.yml

@@ -133,6 +133,12 @@ jobs:
       - run:
           command: ./bin/rails tests:migrations:populate_v2_4
           name: Populate database with test data
+      - run:
+          command: ./bin/rails db:migrate VERSION=20180707154237
+          name: Run migrations up to v2.4.3
+      - run:
+          command: ./bin/rails tests:migrations:populate_v2_4_3
+          name: Populate database with test data
       - run:
           command: ./bin/rails db:migrate
           name: Run all remaining migrations
@@ -167,14 +173,22 @@ jobs:
       - run:
           command: ./bin/rails tests:migrations:populate_v2_4
           name: Populate database with test data
+      - run:
+          command: ./bin/rails db:migrate VERSION=20180707154237
+          name: Run migrations up to v2.4.3
+          environment:
+            SKIP_POST_DEPLOYMENT_MIGRATIONS: true
+      - run:
+          command: ./bin/rails tests:migrations:populate_v2_4_3
+          name: Populate database with test data
       - run:
           command: ./bin/rails db:migrate
-          name: Run all pre-deployment migrations
+          name: Run all remaining pre-deployment migrations
           environment:
             SKIP_POST_DEPLOYMENT_MIGRATIONS: true
       - run:
           command: ./bin/rails db:migrate
-          name: Run all post-deployment remaining migrations
+          name: Run all post-deployment migrations
       - run:
           command: ./bin/rails tests:migrations:check_database
           name: Check migration result

.codeclimate.yml

@@ -26,13 +26,11 @@ plugins:
   bundler-audit:
     enabled: true
   eslint:
-    enabled: true
-    channel: eslint-7
+    enabled: false
   rubocop:
-    enabled: true
-    channel: rubocop-1-9-1
+    enabled: false
   sass-lint:
-    enabled: true
+    enabled: false
 exclude_patterns:
   - spec/
   - vendor/asset/

.devcontainer/devcontainer.json

@@ -11,7 +11,8 @@
   "extensions": [
     "EditorConfig.EditorConfig",
     "dbaeumer.vscode-eslint",
-    "rebornix.Ruby"
+    "rebornix.Ruby",
+    "webben.browserslist"
   ],
 
   // Use 'forwardPorts' to make a list of ports inside the container available locally.

.eslintrc.js

@@ -12,7 +12,7 @@ module.exports = {
     ATTACHMENT_HOST: false,
   },
 
-  parser: 'babel-eslint',
+  parser: '@babel/eslint-parser',
 
   plugins: [
     'react',
@@ -27,7 +27,7 @@ module.exports = {
       experimentalObjectRestSpread: true,
       jsx: true,
     },
-    ecmaVersion: 2018,
+    ecmaVersion: 2021,
   },
 
   settings: {

.github/stylelint-matcher.json

@@ -0,0 +1,21 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "stylelint",
+      "pattern": [
+        {
+          "regexp": "^([^\\s].*)$",
+          "file": 1
+        },
+        {
+          "regexp": "^\\s+((\\d+):(\\d+))?\\s+(✖|×)\\s+(.*)\\s{2,}(.*)$",
+          "line": 2,
+          "column": 3,
+          "message": 5,
+          "code": 6,
+          "loop": true
+        }
+      ]
+    }
+  ]
+}

.github/workflows/build-image.yml

@@ -14,26 +14,26 @@ jobs:
   build-image:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
-      - uses: docker/login-action@v1
+      - uses: actions/checkout@v3
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
+      - uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
         if: github.event_name != 'pull_request'
-      - uses: docker/metadata-action@v3
+      - uses: docker/metadata-action@v4
         id: meta
         with:
           images: ghcr.io/${{ github.repository_owner }}/mastodon
           flavor: |
-            latest=true
+            latest=auto
           tags: |
             type=edge,branch=main
             type=match,pattern=v(.*),group=0
             type=ref,event=pr
-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@v3
         with:
           context: .
           platforms: linux/amd64,linux/arm64

.github/workflows/check-i18n.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Install system dependencies
         run: |
           sudo apt-get update

.github/workflows/linter.yml

@@ -0,0 +1,83 @@
+---
+#################################
+#################################
+## Super Linter GitHub Actions ##
+#################################
+#################################
+name: Lint Code Base
+
+#
+# Documentation:
+# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on:
+  push:
+    branches-ignore: [main]
+    # Remove the line above to run when pushing to master
+  pull_request:
+    branches: [main]
+
+###############
+# Set the Job #
+###############
+permissions:
+  checks: write
+  contents: read
+  pull-requests: write
+  statuses: write
+
+jobs:
+  build:
+    # Name the Job
+    name: Lint Code Base
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    ##################
+    # Load all steps #
+    ##################
+    steps:
+      ##########################
+      # Checkout the code base #
+      ##########################
+      - name: Checkout Code
+        uses: actions/checkout@v3
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      - name: Set-up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16.x
+          cache: yarn
+      - name: Intall dependencies
+        run: yarn install --frozen-lockfile
+      - name: Set-up RuboCop Problem Mathcher
+        uses: r7kamura/rubocop-problem-matchers-action@v1
+      - name: Set-up Stylelint Problem Matcher
+        uses: xt0rted/stylelint-problem-matcher@v1
+      # https://github.com/xt0rted/stylelint-problem-matcher/issues/360
+      - run: echo "::add-matcher::.github/stylelint-matcher.json" 
+
+      ################################
+      # Run Linter against code base #
+      ################################
+      - name: Lint Code Base
+        uses: github/super-linter@v4
+        env:
+          CSS_FILE_NAME: stylelint.config.js
+          DEFAULT_BRANCH: main
+          NO_COLOR: 1 # https://github.com/xt0rted/stylelint-problem-matcher/issues/360
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          JAVASCRIPT_ES_CONFIG_FILE: .eslintrc.js
+          LINTER_RULES_PATH: .
+          RUBY_CONFIG_FILE: .rubocop.yml
+          VALIDATE_ALL_CODEBASE: false
+          VALIDATE_CSS: true
+          VALIDATE_JAVASCRIPT_ES: true
+          VALIDATE_RUBY: true

.rubocop.yml

@@ -281,6 +281,9 @@ Style/RedundantRegexpEscape:
 Style/RedundantReturn:
   Enabled: true
 
+Style/RedundantBegin:
+  Enabled: false
+
 Style/RegexpLiteral:
   Enabled: false
 

.sass-lint.yml

@@ -1,37 +0,0 @@
-# Linter Documentation:
-# https://github.com/sasstools/sass-lint/tree/v1.13.1/docs/options
-
-files:
-  include: app/javascript/styles/**/*.scss
-  ignore:
-    - app/javascript/styles/mastodon/reset.scss
-
-rules:
-  # Disallows
-  no-color-literals: 0
-  no-css-comments: 0
-  no-duplicate-properties: 0
-  no-ids: 0
-  no-important: 0
-  no-mergeable-selectors: 0
-  no-misspelled-properties: 0
-  no-qualifying-elements: 0
-  no-transition-all: 0
-  no-vendor-prefixes: 0
-
-  # Nesting
-  force-element-nesting: 0
-  force-attribute-nesting: 0
-  force-pseudo-nesting: 0
-
-  # Name Formats
-  class-name-format: 0
-  leading-zero: 0
-
-  # Style Guide
-  attribute-quotes: 0
-  hex-length: 0
-  indentation: 0
-  nesting-depth: 0
-  property-sort-order: 0
-  quotes: 0

CHANGELOG.md

@@ -3,6 +3,53 @@ Changelog
 
 All notable changes to this project will be documented in this file.
 
+## [3.5.3] - 2022-05-26
+### Added
+
+- **Add language dropdown to compose form in web UI** ([Gargron](https://github.com/mastodon/mastodon/pull/18420), [ykzts](https://github.com/mastodon/mastodon/pull/18460))
+- **Add warning for limited accounts in web UI** ([Gargron](https://github.com/mastodon/mastodon/pull/18344))
+- Add `limited` attribute to accounts in REST API ([Gargron](https://github.com/mastodon/mastodon/pull/18344))
+
+### Changed
+
+- **Change RSS feeds** ([Gargron](https://github.com/mastodon/mastodon/pull/18356), [tribela](https://github.com/mastodon/mastodon/pull/18406))
+  - Titles are now date and time of post
+  - Bodies now render all content faithfully, including polls and emojis
+  - All media attachments are included with Media RSS
+- Change "dangerous" to "sensitive" in privacy policy and web UI ([Gargron](https://github.com/mastodon/mastodon/pull/18515))
+- Change unconfirmed accounts to not be visible in REST API ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17530))
+- Change `tootctl search deploy` to improve performance ([Gargron](https://github.com/mastodon/mastodon/pull/18463), [Gargron](https://github.com/mastodon/mastodon/pull/18514))
+- Change search indexing to use batches to minimize resource usage ([Gargron](https://github.com/mastodon/mastodon/pull/18451))
+
+### Fixed
+
+- Fix follower and other counters being able to go negative ([Gargron](https://github.com/mastodon/mastodon/pull/18517))
+- Fix unnecessary query on when creating a status ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17901))
+- Fix warning an account outside of a report closing all reports for that account ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18387))
+- Fix error when resolving a link that redirects to a local post ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18314))
+- Fix preferred posting language returning unusable value in REST API ([Gargron](https://github.com/mastodon/mastodon/pull/18428))
+- Fix race condition error when external status is reblogged ([ykzts](https://github.com/mastodon/mastodon/pull/18424))
+- Fix missing string for appeal validation error ([Gargron](https://github.com/mastodon/mastodon/pull/18410))
+- Fix block/mute lists showing a follow button in web UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18364))
+- Fix Redis configuration not being changed by `mastodon:setup` ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18383))
+- Fix streaming notifications not using quick filter logic in web UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18316))
+- Fix ambiguous wording on appeal actions in admin UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18328))
+- Fix floating action button obscuring last element in web UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18332))
+- Fix account warnings not being recorded in audit log ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18338))
+- Fix leftover icons for direct visibility statuses ([Steffo99](https://github.com/mastodon/mastodon/pull/18305))
+- Fix link verification requiring case sensitivity on links ([sgolemon](https://github.com/mastodon/mastodon/pull/18320))
+- Fix embeds not setting their height correctly ([rinsuki](https://github.com/mastodon/mastodon/pull/18301))
+
+### Security
+
+- Fix concurrent unfollowing decrementing follower count more than once ([Gargron](https://github.com/mastodon/mastodon/pull/18527))
+- Fix being able to appeal a strike unlimited times ([Gargron](https://github.com/mastodon/mastodon/pull/18529))
+- Fix being able to report otherwise inaccessible statuses ([Gargron](https://github.com/mastodon/mastodon/pull/18528))
+- Fix empty votes arbitrarily increasing voters count in polls ([Gargron](https://github.com/mastodon/mastodon/pull/18526))
+- Fix moderator identity leak when approving appeal of sensitive marked statuses ([Gargron](https://github.com/mastodon/mastodon/pull/18525))
+- Fix suspended users being able to access APIs that don't require a user ([Gargron](https://github.com/mastodon/mastodon/pull/18524))
+- Fix confirmation redirect to app without `Location` header ([Gargron](https://github.com/mastodon/mastodon/pull/18523))
+
 ## [3.5.2] - 2022-05-04
 ### Added
 

Dockerfile

@@ -5,7 +5,7 @@ SHELL ["/bin/bash", "-c"]
 RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
 
 # Install Node v16 (LTS)
-ENV NODE_VER="16.14.2"
+ENV NODE_VER="16.15.1"
 RUN ARCH= && \
     dpkgArch="$(dpkg --print-architecture)" && \
   case "${dpkgArch##*-}" in \

Gemfile

@@ -7,18 +7,18 @@ gem 'pkg-config', '~> 1.4'
 gem 'rexml', '~> 3.2'
 
 gem 'puma', '~> 5.6'
-gem 'rails', '~> 6.1.5'
+gem 'rails', '~> 6.1.6'
 gem 'sprockets', '~> 3.7.2'
 gem 'thor', '~> 1.2'
 gem 'rack', '~> 2.2.3'
 
 gem 'hamlit-rails', '~> 0.2'
-gem 'pg', '~> 1.3'
+gem 'pg', '~> 1.4'
 gem 'makara', '~> 0.5'
 gem 'pghero', '~> 2.8'
 gem 'dotenv-rails', '~> 2.7'
 
-gem 'aws-sdk-s3', '~> 1.113', require: false
+gem 'aws-sdk-s3', '~> 1.114', require: false
 gem 'fog-core', '<= 2.1.0'
 gem 'fog-openstack', '~> 0.3', require: false
 gem 'kt-paperclip', '~> 7.1'
@@ -26,7 +26,7 @@ gem 'blurhash', '~> 0.1'
 
 gem 'active_model_serializers', '~> 0.10'
 gem 'addressable', '~> 2.8'
-gem 'bootsnap', '~> 1.11.1', require: false
+gem 'bootsnap', '~> 1.12.0', require: false
 gem 'browser'
 gem 'charlock_holmes', '~> 0.7.7'
 gem 'chewy', '~> 7.2'
@@ -53,7 +53,7 @@ gem 'fastimage'
 gem 'hiredis', '~> 0.6'
 gem 'redis-namespace', '~> 1.8'
 gem 'htmlentities', '~> 4.3'
-gem 'http', '~> 5.0'
+gem 'http', '~> 5.1'
 gem 'http_accept_language', '~> 2.1'
 gem 'httplog', '~> 1.5.0'
 gem 'idn-ruby', require: 'idn'
@@ -79,13 +79,13 @@ gem 'ruby-progressbar', '~> 1.11'
 gem 'sanitize', '~> 6.0'
 gem 'scenic', '~> 1.6'
 gem 'sidekiq', '~> 6.4'
-gem 'sidekiq-scheduler', '~> 3.2'
+gem 'sidekiq-scheduler', '~> 4.0'
 gem 'sidekiq-unique-jobs', '~> 7.1'
-gem 'sidekiq-bulk', '~>0.2.0'
-gem 'simple-navigation', '~> 4.3'
+gem 'sidekiq-bulk', '~> 0.2.0'
+gem 'simple-navigation', '~> 4.4'
 gem 'simple_form', '~> 5.1'
 gem 'sprockets-rails', '~> 3.4', require: 'sprockets/railtie'
-gem 'stoplight', '~> 2.2.1'
+gem 'stoplight', '~> 3.0.0'
 gem 'strong_migrations', '~> 0.7'
 gem 'tty-prompt', '~> 0.23', require: false
 gem 'twitter-text', '~> 3.1.0'
@@ -114,10 +114,10 @@ group :production, :test do
 end
 
 group :test do
-  gem 'capybara', '~> 3.36'
+  gem 'capybara', '~> 3.37'
   gem 'climate_control', '~> 0.2'
-  gem 'faker', '~> 2.20'
-  gem 'microformats', '~> 4.2'
+  gem 'faker', '~> 2.21'
+  gem 'microformats', '~> 4.4'
   gem 'rails-controller-testing', '~> 1.0'
   gem 'rspec-sidekiq', '~> 3.1'
   gem 'simplecov', '~> 0.21', require: false
@@ -134,8 +134,8 @@ group :development do
   gem 'letter_opener', '~> 1.8'
   gem 'letter_opener_web', '~> 2.0'
   gem 'memory_profiler'
-  gem 'rubocop', '~> 1.28', require: false
-  gem 'rubocop-rails', '~> 2.14', require: false
+  gem 'rubocop', '~> 1.30', require: false
+  gem 'rubocop-rails', '~> 2.15', require: false
   gem 'brakeman', '~> 5.2', require: false
   gem 'bundler-audit', '~> 0.9', require: false
 
@@ -157,3 +157,4 @@ gem 'connection_pool', require: false
 gem 'xorcist', '~> 1.1'
 
 gem 'hcaptcha', '~> 7.1'
+gem 'cocoon', '~> 1.2'

Gemfile.lock

@@ -1,40 +1,40 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.1.5.1)
-      actionpack (= 6.1.5.1)
-      activesupport (= 6.1.5.1)
+    actioncable (6.1.6)
+      actionpack (= 6.1.6)
+      activesupport (= 6.1.6)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.5.1)
-      actionpack (= 6.1.5.1)
-      activejob (= 6.1.5.1)
-      activerecord (= 6.1.5.1)
-      activestorage (= 6.1.5.1)
-      activesupport (= 6.1.5.1)
+    actionmailbox (6.1.6)
+      actionpack (= 6.1.6)
+      activejob (= 6.1.6)
+      activerecord (= 6.1.6)
+      activestorage (= 6.1.6)
+      activesupport (= 6.1.6)
       mail (>= 2.7.1)
-    actionmailer (6.1.5.1)
-      actionpack (= 6.1.5.1)
-      actionview (= 6.1.5.1)
-      activejob (= 6.1.5.1)
-      activesupport (= 6.1.5.1)
+    actionmailer (6.1.6)
+      actionpack (= 6.1.6)
+      actionview (= 6.1.6)
+      activejob (= 6.1.6)
+      activesupport (= 6.1.6)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.5.1)
-      actionview (= 6.1.5.1)
-      activesupport (= 6.1.5.1)
+    actionpack (6.1.6)
+      actionview (= 6.1.6)
+      activesupport (= 6.1.6)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.5.1)
-      actionpack (= 6.1.5.1)
-      activerecord (= 6.1.5.1)
-      activestorage (= 6.1.5.1)
-      activesupport (= 6.1.5.1)
+    actiontext (6.1.6)
+      actionpack (= 6.1.6)
+      activerecord (= 6.1.6)
+      activestorage (= 6.1.6)
+      activesupport (= 6.1.6)
       nokogiri (>= 1.8.5)
-    actionview (6.1.5.1)
-      activesupport (= 6.1.5.1)
+    actionview (6.1.6)
+      activesupport (= 6.1.6)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
@@ -45,22 +45,22 @@ GEM
       case_transform (>= 0.2)
       jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
     active_record_query_trace (1.8)
-    activejob (6.1.5.1)
-      activesupport (= 6.1.5.1)
+    activejob (6.1.6)
+      activesupport (= 6.1.6)
       globalid (>= 0.3.6)
-    activemodel (6.1.5.1)
-      activesupport (= 6.1.5.1)
-    activerecord (6.1.5.1)
-      activemodel (= 6.1.5.1)
-      activesupport (= 6.1.5.1)
-    activestorage (6.1.5.1)
-      actionpack (= 6.1.5.1)
-      activejob (= 6.1.5.1)
-      activerecord (= 6.1.5.1)
-      activesupport (= 6.1.5.1)
+    activemodel (6.1.6)
+      activesupport (= 6.1.6)
+    activerecord (6.1.6)
+      activemodel (= 6.1.6)
+      activesupport (= 6.1.6)
+    activestorage (6.1.6)
+      actionpack (= 6.1.6)
+      activejob (= 6.1.6)
+      activerecord (= 6.1.6)
+      activesupport (= 6.1.6)
       marcel (~> 1.0)
       mini_mime (>= 1.1.0)
-    activesupport (6.1.5.1)
+    activesupport (6.1.6)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -81,7 +81,7 @@ GEM
     attr_required (1.0.1)
     awrence (1.1.1)
     aws-eventstream (1.2.0)
-    aws-partitions (1.582.0)
+    aws-partitions (1.587.0)
     aws-sdk-core (3.130.2)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.525.0)
@@ -90,7 +90,7 @@ GEM
     aws-sdk-kms (1.56.0)
       aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.113.2)
+    aws-sdk-s3 (1.114.0)
       aws-sdk-core (~> 3, >= 3.127.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.4)
@@ -114,7 +114,7 @@ GEM
       debug_inspector (>= 0.0.1)
     blurhash (0.1.6)
       ffi (~> 1.14)
-    bootsnap (1.11.1)
+    bootsnap (1.12.0)
       msgpack (~> 1.2)
     brakeman (5.2.3)
     browser (4.2.0)
@@ -122,10 +122,10 @@ GEM
       concurrent-ruby (~> 1.0, >= 1.0.5)
       redis (>= 1.0, <= 5.0)
     builder (3.2.4)
-    bullet (7.0.1)
+    bullet (7.0.2)
       activesupport (>= 3.0.0)
       uniform_notifier (~> 1.11)
-    bundler-audit (0.9.0.1)
+    bundler-audit (0.9.1)
       bundler (>= 1.2.0, < 3)
       thor (~> 1.0)
     byebug (11.1.3)
@@ -144,7 +144,7 @@ GEM
       sshkit (~> 1.3)
     capistrano-yarn (2.0.2)
       capistrano (~> 3.0)
-    capybara (3.36.0)
+    capybara (3.37.1)
       addressable
       matrix
       mini_mime (>= 0.1.3)
@@ -163,6 +163,7 @@ GEM
       elasticsearch-dsl
     chunky_png (1.4.0)
     climate_control (0.2.0)
+    cocoon (1.2.15)
     coderay (1.1.3)
     color_diff (0.1)
     concurrent-ruby (1.1.10)
@@ -203,7 +204,6 @@ GEM
     dotenv-rails (2.7.6)
       dotenv (= 2.7.6)
       railties (>= 3.2)
-    e2mmap (0.1.0)
     ed25519 (1.3.0)
     elasticsearch (7.13.3)
       elasticsearch-api (= 7.13.3)
@@ -220,7 +220,7 @@ GEM
       tzinfo
     excon (0.76.0)
     fabrication (2.28.0)
-    faker (2.20.0)
+    faker (2.21.0)
       i18n (>= 1.8.11, < 2)
     faraday (1.9.3)
       faraday-em_http (~> 1.0)
@@ -294,12 +294,12 @@ GEM
     hkdf (0.3.0)
     html_tokenizer (0.0.7)
     htmlentities (4.3.4)
-    http (5.0.4)
+    http (5.1.0)
       addressable (~> 2.8)
       http-cookie (~> 1.0)
       http-form_data (~> 2.2)
       llhttp-ffi (~> 0.4.0)
-    http-cookie (1.0.4)
+    http-cookie (1.0.5)
       domain_name (~> 0.5)
     http-form_data (2.3.0)
     http_accept_language (2.1.1)
@@ -309,7 +309,7 @@ GEM
       rainbow (>= 2.0.0)
     i18n (1.10.0)
       concurrent-ruby (~> 1.0)
-    i18n-tasks (1.0.9)
+    i18n-tasks (1.0.11)
       activesupport (>= 4.0.2)
       ast (>= 2.1.0)
       better_html (~> 1.0)
@@ -323,7 +323,7 @@ GEM
     idn-ruby (0.1.4)
     ipaddress (0.8.3)
     jmespath (1.6.1)
-    json (2.5.1)
+    json (2.6.2)
     json-canonicalization (0.3.0)
     json-jwt (1.13.0)
       activesupport (>= 4.2)
@@ -377,7 +377,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.17.0)
+    loofah (2.18.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -390,7 +390,7 @@ GEM
     matrix (0.4.2)
     memory_profiler (1.0.0)
     method_source (1.0.0)
-    microformats (4.3.1)
+    microformats (4.4.1)
       json (~> 2.2)
       nokogiri (~> 1.10)
     mime-types (3.4.1)
@@ -398,16 +398,16 @@ GEM
     mime-types-data (3.2022.0105)
     mini_mime (1.1.2)
     mini_portile2 (2.8.0)
-    minitest (5.15.0)
-    msgpack (1.5.1)
+    minitest (5.16.0)
+    msgpack (1.5.2)
     multi_json (1.15.0)
     multipart-post (2.1.1)
-    net-ldap (0.17.0)
+    net-ldap (0.17.1)
     net-scp (3.0.0)
       net-ssh (>= 2.6.5, < 7.0.0)
     net-ssh (6.1.0)
     nio4r (2.5.8)
-    nokogiri (1.13.4)
+    nokogiri (1.13.6)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     nsa (0.2.8)
@@ -415,7 +415,7 @@ GEM
       concurrent-ruby (~> 1.0, >= 1.0.2)
       sidekiq (>= 3.5)
       statsd-ruby (~> 1.4, >= 1.4.0)
-    oj (3.13.11)
+    oj (3.13.14)
     omniauth (1.9.1)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
@@ -449,7 +449,7 @@ GEM
     parslet (2.0.0)
     pastel (0.8.0)
       tty-color (~> 0.5)
-    pg (1.3.5)
+    pg (1.4.0)
     pghero (2.8.3)
       activerecord (>= 5)
     pkg-config (1.4.7)
@@ -470,14 +470,14 @@ GEM
       pry (~> 0.13.0)
     pry-rails (0.3.9)
       pry (>= 0.10.4)
-    public_suffix (4.0.6)
+    public_suffix (4.0.7)
     puma (5.6.4)
       nio4r (~> 2.0)
     pundit (2.2.0)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
     racc (1.6.0)
-    rack (2.2.3)
+    rack (2.2.3.1)
     rack-attack (6.6.1)
       rack (>= 1.0, < 3)
     rack-cors (1.1.1)
@@ -492,20 +492,20 @@ GEM
       rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.1.5.1)
-      actioncable (= 6.1.5.1)
-      actionmailbox (= 6.1.5.1)
-      actionmailer (= 6.1.5.1)
-      actionpack (= 6.1.5.1)
-      actiontext (= 6.1.5.1)
-      actionview (= 6.1.5.1)
-      activejob (= 6.1.5.1)
-      activemodel (= 6.1.5.1)
-      activerecord (= 6.1.5.1)
-      activestorage (= 6.1.5.1)
-      activesupport (= 6.1.5.1)
+    rails (6.1.6)
+      actioncable (= 6.1.6)
+      actionmailbox (= 6.1.6)
+      actionmailer (= 6.1.6)
+      actionpack (= 6.1.6)
+      actiontext (= 6.1.6)
+      actionview (= 6.1.6)
+      activejob (= 6.1.6)
+      activemodel (= 6.1.6)
+      activerecord (= 6.1.6)
+      activestorage (= 6.1.6)
+      activesupport (= 6.1.6)
       bundler (>= 1.15.0)
-      railties (= 6.1.5.1)
+      railties (= 6.1.6)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
@@ -514,16 +514,16 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.2)
+    rails-html-sanitizer (1.4.3)
       loofah (~> 2.3)
     rails-i18n (6.0.0)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 7)
     rails-settings-cached (0.6.6)
       rails (>= 4.2.0)
-    railties (6.1.5.1)
-      actionpack (= 6.1.5.1)
-      activesupport (= 6.1.5.1)
+    railties (6.1.6)
+      actionpack (= 6.1.6)
+      activesupport (= 6.1.6)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
@@ -537,7 +537,7 @@ GEM
     redis (4.5.1)
     redis-namespace (1.8.2)
       redis (>= 3.0.4)
-    regexp_parser (2.3.1)
+    regexp_parser (2.5.0)
     request_store (1.5.1)
       rack (>= 1.4)
     responders (3.0.1)
@@ -572,18 +572,18 @@ GEM
     rspec-support (3.11.0)
     rspec_junit_formatter (0.5.1)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.28.2)
+    rubocop (1.30.1)
       parallel (~> 1.10)
       parser (>= 3.1.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
-      rexml
-      rubocop-ast (>= 1.17.0, < 2.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.18.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.17.0)
+    rubocop-ast (1.18.0)
       parser (>= 3.1.1.0)
-    rubocop-rails (2.14.2)
+    rubocop-rails (2.15.0)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
       rubocop (>= 1.7.0, < 2.0)
@@ -604,25 +604,23 @@ GEM
       railties (>= 4.0.0)
     securecompare (1.0.0)
     semantic_range (3.0.0)
-    sidekiq (6.4.1)
+    sidekiq (6.4.2)
       connection_pool (>= 2.2.2)
       rack (~> 2.0)
       redis (>= 4.2.0)
     sidekiq-bulk (0.2.0)
       sidekiq
-    sidekiq-scheduler (3.2.0)
-      e2mmap
-      redis (>= 3, < 5)
+    sidekiq-scheduler (4.0.1)
+      redis (>= 4.2.0)
       rufus-scheduler (~> 3.2)
-      sidekiq (>= 3)
-      thwait
+      sidekiq (>= 4)
       tilt (>= 1.4.0)
-    sidekiq-unique-jobs (7.1.21)
+    sidekiq-unique-jobs (7.1.25)
       brpoplpush-redis_script (> 0.1.1, <= 2.0.0)
       concurrent-ruby (~> 1.0, >= 1.0.5)
       sidekiq (>= 5.0, < 8.0)
       thor (>= 0.20, < 3.0)
-    simple-navigation (4.3.0)
+    simple-navigation (4.4.0)
       activesupport (>= 2.3.2)
     simple_form (5.1.0)
       actionpack (>= 5.2)
@@ -646,7 +644,7 @@ GEM
       net-ssh (>= 2.8.0)
     stackprof (0.2.19)
     statsd-ruby (1.5.0)
-    stoplight (2.2.1)
+    stoplight (3.0.0)
     strong_migrations (0.7.9)
       activerecord (>= 5)
     swd (1.3.0)
@@ -659,8 +657,6 @@ GEM
     terrapin (0.6.0)
       climate_control (>= 0.0.3, < 1.0)
     thor (1.2.1)
-    thwait (0.2.0)
-      e2mmap
     tilt (2.0.10)
     tpm-key_attestation (0.9.0)
       bindata (~> 2.4)
@@ -684,9 +680,9 @@ GEM
       tzinfo (>= 1.0.0)
     unf (0.1.4)
       unf_ext
-    unf_ext (0.0.8)
+    unf_ext (0.0.8.2)
     unicode-display_width (2.1.0)
-    uniform_notifier (1.14.2)
+    uniform_notifier (1.16.0)
     validate_email (0.1.6)
       activemodel (>= 3.0)
       mail (>= 2.2.5)
@@ -727,7 +723,7 @@ GEM
     xorcist (1.1.2)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.5.4)
+    zeitwerk (2.6.0)
 
 PLATFORMS
   ruby
@@ -737,11 +733,11 @@ DEPENDENCIES
   active_record_query_trace (~> 1.8)
   addressable (~> 2.8)
   annotate (~> 3.2)
-  aws-sdk-s3 (~> 1.113)
+  aws-sdk-s3 (~> 1.114)
   better_errors (~> 2.9)
   binding_of_caller (~> 1.0)
   blurhash (~> 0.1)
-  bootsnap (~> 1.11.1)
+  bootsnap (~> 1.12.0)
   brakeman (~> 5.2)
   browser
   bullet (~> 7.0)
@@ -750,10 +746,11 @@ DEPENDENCIES
   capistrano-rails (~> 1.6)
   capistrano-rbenv (~> 2.2)
   capistrano-yarn (~> 2.0)
-  capybara (~> 3.36)
+  capybara (~> 3.37)
   charlock_holmes (~> 0.7.7)
   chewy (~> 7.2)
   climate_control (~> 0.2)
+  cocoon (~> 1.2)
   color_diff (~> 0.1)
   concurrent-ruby
   connection_pool
@@ -765,7 +762,7 @@ DEPENDENCIES
   dotenv-rails (~> 2.7)
   ed25519 (~> 1.3)
   fabrication (~> 2.28)
-  faker (~> 2.20)
+  faker (~> 2.21)
   fast_blank (~> 1.0)
   fastimage
   fog-core (<= 2.1.0)
@@ -776,7 +773,7 @@ DEPENDENCIES
   hcaptcha (~> 7.1)
   hiredis (~> 0.6)
   htmlentities (~> 4.3)
-  http (~> 5.0)
+  http (~> 5.1)
   http_accept_language (~> 2.1)
   httplog (~> 1.5.0)
   i18n-tasks (~> 1.0)
@@ -792,7 +789,7 @@ DEPENDENCIES
   makara (~> 0.5)
   mario-redis-lock (~> 1.2)
   memory_profiler
-  microformats (~> 4.2)
+  microformats (~> 4.4)
   mime-types (~> 3.4.1)
   net-ldap (~> 0.17)
   nokogiri (~> 1.13)
@@ -804,7 +801,7 @@ DEPENDENCIES
   omniauth-saml (~> 1.10)
   ox (~> 2.14)
   parslet
-  pg (~> 1.3)
+  pg (~> 1.4)
   pghero (~> 2.8)
   pkg-config (~> 1.4)
   posix-spawn
@@ -817,7 +814,7 @@ DEPENDENCIES
   rack (~> 2.2.3)
   rack-attack (~> 6.6)
   rack-cors (~> 1.1)
-  rails (~> 6.1.5)
+  rails (~> 6.1.6)
   rails-controller-testing (~> 1.0)
   rails-i18n (~> 6.0)
   rails-settings-cached (~> 0.6)
@@ -830,22 +827,22 @@ DEPENDENCIES
   rspec-rails (~> 5.1)
   rspec-sidekiq (~> 3.1)
   rspec_junit_formatter (~> 0.5)
-  rubocop (~> 1.28)
-  rubocop-rails (~> 2.14)
+  rubocop (~> 1.30)
+  rubocop-rails (~> 2.15)
   ruby-progressbar (~> 1.11)
   sanitize (~> 6.0)
   scenic (~> 1.6)
   sidekiq (~> 6.4)
   sidekiq-bulk (~> 0.2.0)
-  sidekiq-scheduler (~> 3.2)
+  sidekiq-scheduler (~> 4.0)
   sidekiq-unique-jobs (~> 7.1)
-  simple-navigation (~> 4.3)
+  simple-navigation (~> 4.4)
   simple_form (~> 5.1)
   simplecov (~> 0.21)
   sprockets (~> 3.7.2)
   sprockets-rails (~> 3.4)
   stackprof
-  stoplight (~> 2.2.1)
+  stoplight (~> 3.0.0)
   strong_migrations (~> 0.7)
   thor (~> 1.2)
   tty-prompt (~> 0.23)

SECURITY.md

@@ -14,7 +14,7 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 | ------- | ------------------ |
 | 3.5.x   | Yes                |
 | 3.4.x   | Yes                |
-| 3.3.x   | Yes                |
+| 3.3.x   | No                 |
 | < 3.3   | No                 |
 
 [bug-bounty]: https://app.intigriti.com/programs/mastodon/mastodonio/detail

app/chewy/accounts_index.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class AccountsIndex < Chewy::Index
-  settings index: { refresh_interval: '5m' }, analysis: {
+  settings index: { refresh_interval: '30s' }, analysis: {
     analyzer: {
       content: {
         tokenizer: 'whitespace',
@@ -23,7 +23,7 @@ class AccountsIndex < Chewy::Index
     },
   }
 
-  index_scope ::Account.searchable.includes(:account_stat), delete_if: ->(account) { account.destroyed? || !account.searchable? }
+  index_scope ::Account.searchable.includes(:account_stat)
 
   root date_detection: false do
     field :id, type: 'long'
@@ -36,8 +36,8 @@ class AccountsIndex < Chewy::Index
       field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'content'
     end
 
-    field :following_count, type: 'long', value: ->(account) { account.following.local.count }
-    field :followers_count, type: 'long', value: ->(account) { account.followers.local.count }
+    field :following_count, type: 'long', value: ->(account) { account.following_count }
+    field :followers_count, type: 'long', value: ->(account) { account.followers_count }
     field :last_status_at, type: 'date', value: ->(account) { account.last_status_at || account.created_at }
   end
 end

app/chewy/statuses_index.rb

@@ -3,7 +3,7 @@
 class StatusesIndex < Chewy::Index
   include FormattingHelper
 
-  settings index: { refresh_interval: '15m' }, analysis: {
+  settings index: { refresh_interval: '30s' }, analysis: {
     filter: {
       english_stop: {
         type: 'stop',
@@ -33,6 +33,8 @@ class StatusesIndex < Chewy::Index
     },
   }
 
+  # We do not use delete_if option here because it would call a method that we
+  # expect to be called with crutches without crutches, causing n+1 queries
   index_scope ::Status.unscoped.kept.without_reblogs.includes(:media_attachments, :preloadable_poll)
 
   crutch :mentions do |collection|

app/chewy/tags_index.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class TagsIndex < Chewy::Index
-  settings index: { refresh_interval: '15m' }, analysis: {
+  settings index: { refresh_interval: '30s' }, analysis: {
     analyzer: {
       content: {
         tokenizer: 'keyword',
@@ -23,7 +23,11 @@ class TagsIndex < Chewy::Index
     },
   }
 
-  index_scope ::Tag.listable, delete_if: ->(tag) { tag.destroyed? || !tag.listable? }
+  index_scope ::Tag.listable
+
+  crutch :time_period do
+    7.days.ago.to_date..0.days.ago.to_date
+  end
 
   root date_detection: false do
     field :name, type: 'text', analyzer: 'content' do
@@ -31,7 +35,7 @@ class TagsIndex < Chewy::Index
     end
 
     field :reviewed, type: 'boolean', value: ->(tag) { tag.reviewed? }
-    field :usage, type: 'long', value: ->(tag) { tag.history.reduce(0) { |total, day| total + day.accounts } }
+    field :usage, type: 'long', value: ->(tag, crutches) { tag.history.aggregate(crutches.time_period).accounts }
     field :last_status_at, type: 'date', value: ->(tag) { tag.last_status_at || tag.created_at }
   end
 end

app/controllers/accounts_controller.rb

@@ -45,7 +45,6 @@ class AccountsController < ApplicationController
         limit     = params[:limit].present? ? [params[:limit].to_i, PAGE_SIZE_MAX].min : PAGE_SIZE
         @statuses = filtered_statuses.without_reblogs.limit(limit)
         @statuses = cache_collection(@statuses, Status)
-        render xml: RSS::AccountSerializer.render(@account, @statuses, params[:tag])
       end
 
       format.json do

app/controllers/activitypub/base_controller.rb

@@ -2,6 +2,7 @@
 
 class ActivityPub::BaseController < Api::BaseController
   skip_before_action :require_authenticated_user!
+  skip_before_action :require_not_suspended!
   skip_around_action :set_locale
 
   private

app/controllers/admin/domain_blocks_controller.rb

@@ -4,6 +4,17 @@ module Admin
   class DomainBlocksController < BaseController
     before_action :set_domain_block, only: [:show, :destroy, :edit, :update]
 
+    def batch
+      @form = Form::DomainBlockBatch.new(form_domain_block_batch_params.merge(current_account: current_account, action: action_from_button))
+      @form.save
+    rescue ActionController::ParameterMissing
+      flash[:alert] = I18n.t('admin.email_domain_blocks.no_domain_block_selected')
+    rescue Mastodon::NotPermittedError
+      flash[:alert] = I18n.t('admin.domain_blocks.created_msg')
+    else
+      redirect_to admin_instances_path(limited: '1'), notice: I18n.t('admin.domain_blocks.created_msg')
+    end
+
     def new
       authorize :domain_block, :create?
       @domain_block = DomainBlock.new(domain: params[:_domain])
@@ -76,5 +87,15 @@ module Admin
     def resource_params
       params.require(:domain_block).permit(:domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate)
     end
+
+    def form_domain_block_batch_params
+      params.require(:form_domain_block_batch).permit(domain_blocks_attributes: [:enabled, :domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate])
+    end
+
+    def action_from_button
+      if params[:save]
+        'save'
+      end
+    end
   end
 end

app/controllers/admin/export_domain_allows_controller.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'csv'
+
+module Admin
+  class ExportDomainAllowsController < BaseController
+    include AdminExportControllerConcern
+
+    before_action :set_dummy_import!, only: [:new]
+
+    ROWS_PROCESSING_LIMIT = 20_000
+
+    def new
+      authorize :domain_allow, :create?
+    end
+
+    def export
+      authorize :instance, :index?
+      send_export_file
+    end
+
+    def import
+      authorize :domain_allow, :create?
+      begin
+        @import = Admin::Import.new(import_params)
+        parse_import_data!(export_headers)
+
+        @data.take(ROWS_PROCESSING_LIMIT).each do |row|
+          domain = row['#domain'].strip
+          next if DomainAllow.allowed?(domain)
+
+          domain_allow = DomainAllow.new(domain: domain)
+          log_action :create, domain_allow if domain_allow.save
+        end
+        flash[:notice] = I18n.t('admin.domain_allows.created_msg')
+      rescue ActionController::ParameterMissing
+        flash[:error] = I18n.t('admin.export_domain_allows.no_file')
+      end
+      redirect_to admin_instances_path
+    end
+
+    private
+
+    def export_filename
+      'domain_allows.csv'
+    end
+
+    def export_headers
+      %w(#domain)
+    end
+
+    def export_data
+      CSV.generate(headers: export_headers, write_headers: true) do |content|
+        DomainAllow.allowed_domains.each do |instance|
+          content << [instance.domain]
+        end
+      end
+    end
+  end
+end

app/controllers/admin/export_domain_blocks_controller.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'csv'
+
+module Admin
+  class ExportDomainBlocksController < BaseController
+    include AdminExportControllerConcern
+
+    before_action :set_dummy_import!, only: [:new]
+
+    ROWS_PROCESSING_LIMIT = 20_000
+
+    def new
+      authorize :domain_block, :create?
+    end
+
+    def export
+      authorize :instance, :index?
+      send_export_file
+    end
+
+    def import
+      authorize :domain_block, :create?
+
+      @import = Admin::Import.new(import_params)
+      parse_import_data!(export_headers)
+
+      @global_private_comment = I18n.t('admin.export_domain_blocks.import.private_comment_template', source: @import.data_file_name, date: I18n.l(Time.now.utc))
+
+      @form = Form::DomainBlockBatch.new
+      @domain_blocks = @data.take(ROWS_PROCESSING_LIMIT).filter_map do |row|
+        domain = row['#domain'].strip
+        next if DomainBlock.rule_for(domain).present?
+
+        domain_block = DomainBlock.new(domain: domain,
+                                       severity: row['#severity'].strip,
+                                       reject_media: row['#reject_media'].strip,
+                                       reject_reports: row['#reject_reports'].strip,
+                                       private_comment: @global_private_comment,
+                                       public_comment: row['#public_comment']&.strip,
+                                       obfuscate: row['#obfuscate'].strip)
+
+        domain_block if domain_block.valid?
+      end
+
+      @warning_domains = Instance.where(domain: @domain_blocks.map(&:domain)).where('EXISTS (SELECT 1 FROM follows JOIN accounts ON follows.account_id = accounts.id OR follows.target_account_id = accounts.id WHERE accounts.domain = instances.domain)').pluck(:domain)
+    rescue ActionController::ParameterMissing
+      flash.now[:alert] = I18n.t('admin.export_domain_blocks.no_file')
+      set_dummy_import!
+      render :new
+    end
+
+    private
+
+    def export_filename
+      'domain_blocks.csv'
+    end
+
+    def export_headers
+      %w(#domain #severity #reject_media #reject_reports #public_comment #obfuscate)
+    end
+
+    def export_data
+      CSV.generate(headers: export_headers, write_headers: true) do |content|
+        DomainBlock.with_user_facing_limitations.each do |instance|
+          content << [instance.domain, instance.severity, instance.reject_media, instance.reject_reports, instance.public_comment, instance.obfuscate]
+        end
+      end
+    end
+  end
+end

app/controllers/admin/webhooks/secrets_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Admin
+  class Webhooks::SecretsController < BaseController
+    before_action :set_webhook
+
+    def rotate
+      authorize @webhook, :rotate_secret?
+      @webhook.rotate_secret!
+      redirect_to admin_webhook_path(@webhook)
+    end
+
+    private
+