itepechi/akkoma
1
0
Fork 0
Code Issues Pull requests Releases Activity
akkoma/lib/mix/tasks/pleroma
History
Oneric 96fe080e6e Convert all raw :zip usage to SafeZip 
Notably at least two instances were not properly guarded from path
traversal attack before and are only now fixed by using SafeZip:

 - frontend installation did never check for malicious paths.
   But given a malicious froontend could already, e.g. steal
   all user tokens even without this, in the real world
   admins should only use frontends from trusted sources
   and the practical implications are minimal

 - the emoji pack update/upload API taking a ZIP file
   did not protect against path traversal. While atm
   only admins can use these emoji endpoints, emoji
   packs are typically considered "harmless" and used
   without prior verification from various sources.
   Thus this appears more concerning.
2025-02-14 22:10:25 +01:00
..
ecto Merge branch 'ecto-rollback-in-test-env' into 'develop' 2021-02-26 16:47:53 +00:00
search mix: consistently use shell_info and shell_error 2024-05-31 17:17:42 +02:00
activity.ex mix: consistently use shell_info and shell_error 2024-05-31 17:17:42 +02:00
app.ex Documentation updates for stable release (#73) 2022-07-15 12:27:16 +00:00
benchmark.ex Use finch everywhere (#33) 2022-07-04 16:30:38 +00:00
config.ex argon2 password hashing (#406) 2022-12-30 02:46:58 +00:00
count_statuses.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
database.ex Use LEFT JOIN instead of UNION for hashtag pruning 2024-10-25 12:26:14 -04:00
diagnostics.ex mix: consistently use shell_info and shell_error 2024-05-31 17:17:42 +02:00
digest.ex Documentation updates for stable release (#73) 2022-07-15 12:27:16 +00:00
docs.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
ecto.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
email.ex Documentation updates for stable release (#73) 2022-07-15 12:27:16 +00:00
emoji.ex Convert all raw :zip usage to SafeZip 2025-02-14 22:10:25 +01:00
frontend.ex Documentation updates for stable release (#73) 2022-07-15 12:27:16 +00:00
instance.ex exiftool: strip all non-essential tags 2024-04-25 23:00:42 +02:00
notification_settings.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
openapi_spec.ex OpenAPI spec task: Load pleroma application to get version info 2021-02-09 22:10:09 +03:00
refresh_counter_cache.ex mix: consistently use shell_info and shell_error 2024-05-31 17:17:42 +02:00
relay.ex Documentation updates for stable release (#73) 2022-07-15 12:27:16 +00:00
robots_txt.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
search.ex giant massive dep upgrade and dialyxir-found error emporium (#371) 2022-12-14 12:38:48 +00:00
security.ex mix: consistently use shell_info and shell_error 2024-05-31 17:17:42 +02:00
uploads.ex Documentation updates for stable release (#73) 2022-07-15 12:27:16 +00:00
user.ex mix: consistently use shell_info and shell_error 2024-05-31 17:17:42 +02:00