Ginger
21324b748f
feat: Enable console feature by default
2025-12-31 19:12:25 +00:00
Jade Ellis
b7bf36443b
docs: Fix typo
2025-12-31 19:03:22 +00:00
ginger
d72192aa32
fix(ci): Stop using nightly to build Debian packages
2025-12-30 14:23:31 -05:00
Jade Ellis
38ecc41780
chore: Release
2025-12-30 17:45:32 +00:00
Jade Ellis
7ae958bb03
docs: Announcement
2025-12-30 17:35:20 +00:00
Jade Ellis
f676fa53f1
chore: Specify the tag body template
2025-12-30 17:34:44 +00:00
Jade Ellis
978bdc6466
docs: Changelog
2025-12-30 17:34:44 +00:00
timedout
7c741e62cf
fix: Forbid creators in power levels
2025-12-30 17:34:43 +00:00
Olivia Lee
12aecf8091
validate membership events returned by remote servers
This fixes a vulnerability where an attacker with a malicious remote
server and a user on the local server can trick the local server into
signing arbitrary events. The attacker issues a remote leave as the local
user to a room on the malicious server. Without any validation of the
make_leave response, the local server would sign the attacker-controlled
event and pass it back to the malicious server with send_leave.
The join and knock endpoints are also fixed in this commit, but are less
useful for exploitation because the local server replaces the "content"
field returned by the remote server. Remote invites are unaffected
because we already check that the event returned from /invite has the
same event ID as the event passed to it.
Co-authored-by: timedout <git@nexy7574.co.uk>
Co-authored-by: Jade Ellis <jade@ellis.link>
Co-authored-by: Ginger <ginger@gingershaped.computer>
2025-12-30 15:24:45 +00:00
Renovate Bot
19372f0b15
chore(deps): update dependency cargo-bins/cargo-binstall to v1.16.6
2025-12-29 23:52:04 +00:00
Jade Ellis
a66b90cb3d
ci: Explicitly auto tag latest
2025-12-29 23:45:02 +00:00
Jade Ellis
7234ce6cbe
ci: Don't force tag all versions as latest
2025-12-29 23:45:02 +00:00
Jade Ellis
beb0c2ad9a
fix(ci): Don't double append latest tag suffix
2025-12-29 23:45:02 +00:00
Jade Ellis
39aaf95d09
docs: Changelog
2025-12-29 23:33:12 +00:00
Jade Ellis
5e0edd5a1c
feat: Allow configuring the OTLP protocol
2025-12-29 23:33:12 +00:00
Jade Ellis
d180f5a759
feat: Split otlp exporter into a new, enabled-by-default feature
2025-12-29 23:33:12 +00:00
Jade Ellis
f163264a82
docs: Update example domains
2025-12-29 23:33:12 +00:00
timedout
5e7bc590d2
chore: Apply suggestions
2025-12-29 23:30:49 +00:00
timedout
08df35946b
fix: File -> line
2025-12-29 23:30:49 +00:00
timedout
c4ebf289fa
fix: Dead link to code style doc
2025-12-29 23:30:49 +00:00
timedout
1fc6010f9a
fix: Issue title -> pull request title
2025-12-29 23:30:49 +00:00
timedout
1d91331275
fix: Stray whitespace
2025-12-29 23:30:49 +00:00
timedout
77e62ad772
feat: Add pull request template
2025-12-29 23:30:49 +00:00
timedout
696a1e6a4d
docs: Add information on writing changelog fragments
2025-12-28 00:59:31 +00:00
timedout
f41bbd7361
feat(meta): Set up towncrier
2025-12-28 00:53:44 +00:00
timedout
7350266c80
fix: Don't allow admin room upgrades and fix power levels during upgrade
2025-12-27 04:05:26 +00:00
Julian Anderson
322c0900c6
docs: handle traefik >=3.6.3 "encoded characters"
2025-12-24 22:40:50 -05:00
timedout
1237e60aaf
Revert "feat(ci): Allow running manual workflows against specific commits"
This reverts commit 9b4845bf8d.
2025-12-22 13:45:45 +00:00
timedout
9b4845bf8d
feat(ci): Allow running manual workflows against specific commits
2025-12-22 13:29:40 +00:00
aviac
fb5b515f96
chore: update flake lock
2025-12-22 04:11:41 +00:00
Jade Ellis
e6336d694a
chore: Fix escape
2025-12-22 02:42:21 +00:00
Jade Ellis
b7841280d9
chore: Security announcement
2025-12-22 02:36:31 +00:00
Jade Ellis
f4ccb81913
chore: Release
2025-12-22 00:23:20 +00:00
Jade Ellis
710cdfeadb
chore: Update mailmap
2025-12-21 20:34:11 +00:00
Jade Ellis
666849ea87
chore(ci): Unify artifact versions
2025-12-21 19:11:12 +00:00
Jade Ellis
71094803f1
fix(ci): Try to use path that exists
2025-12-21 18:50:48 +00:00
Jade Ellis
bf91ce5c7f
feat: Mark v12 as stable
2025-12-21 17:15:16 +00:00
Jade Ellis
8fd15f26ce
style: Fix clippy
2025-12-21 17:12:36 +00:00
Jade Ellis
705fa6c5c6
fix: Simplify visibility check code
2025-12-21 17:12:36 +00:00
Jade Ellis
6f67c27538
fix: Ensure that room ID is present on state events sent to client routes
Mostly fixes !1094
The remaining issue is federation routes
2025-12-21 17:12:35 +00:00
Jade Ellis
8586d747d1
feat: Run visibility checks on bundled relations
2025-12-21 17:12:35 +00:00
Jade Ellis
11012a9ce1
fix: Always return the same 404 message in context
2025-12-21 17:12:35 +00:00
Jade Ellis
07be190507
fix: Return 404 when event is not accessible
2025-12-21 17:12:35 +00:00
Jade Ellis
ae4acc9568
fix: Don't incorrectly add thread root to relation response
2025-12-21 17:12:35 +00:00
Jade Ellis
f83ddecd8c
refactor(perf): Push down visibility check after limit
2025-12-21 17:12:34 +00:00
Jade Ellis
dd87232f1f
refactor: Reduce database lookups in some cases
2025-12-21 17:12:34 +00:00
Jade Ellis
8e33f9a7d0
refactor: Improve code style for bundled aggregations
2025-12-21 17:12:34 +00:00
Jade Ellis
8d3e4eba99
fix: Add aggregations to the search endpoint
2025-12-21 17:12:34 +00:00
Jade Ellis
96bfdb97da
fix: Filter out invalid replacements from bundled aggregations
2025-12-21 17:12:34 +00:00
Jade Ellis
b61010da47
feat: Add bundled aggregations support
Add support for the m.replace and m.reference bundled
aggregations.
This should fix plenty of subtle client issues.
Threads are not included in the new code as they have
historically been written to the database. Replacing the
old system would result in issues when switching away from
continuwuity, so saved for later.
Some TODOs have been left re event visibility and ignored users.
These should be OK for now, though.
2025-12-21 17:12:34 +00:00