So mastodon is a rails app (like twitter originally was) so CLEARLY it won't scale 🙄. Let's see what I can tell from a quick appsec glance at the code.

* Only 2 open CVEs. One is libxml2 because one is always libxml2. Another is around omniauth that requires a major version upgrade. I'd prefer to see that happen but I don't have enough context.
* [CSP](https://github.com/mastodon/mastodon/blob/58fc889c6fe697da4f880cb43e75d97d3a604d79/config/initializers/content_security_policy.rb) (obviously most important): Allows eval and 'self'. Eval can be mandated by front end stuff unfortunately. Inline scripts are only allowed in development mode/PGHero interface. Not great, but definitely not terrible. It looks SPA-ish at least, so good luck getting by that eval dependency.
* [Uses SRI](https://github.com/mastodon/mastodon/pull/15096) for scripts and CSS.
* Their [brakeman.ignore](https://github.com/mastodon/mastodon/blob/58fc889c6fe697da4f880cb43e75d97d3a604d79/config/brakeman.ignore) is not empty. Some potential mass assignment/authz issues and a few meh. I might look at the blame on these for more context.
* [Ruby version](https://github.com/mastodon/mastodon/blob/58fc889c6fe697da4f880cb43e75d97d3a604d79/.ruby-version): `3.0.4` - supported but not most recent.
* [Rails version](https://github.com/mastodon/mastodon/blob/58fc889c6fe697da4f880cb43e75d97d3a604d79/Gemfile#L10): `6.1.7` - the most recent in the `6.x.x` series. `7.x.x` is more recent but I suspect many apps haven't migrated.
* Non-zero amount of building HTML via concat/interpolation ([example](https://github.dev/mastodon/mastodon/blob/58fc889c6fe697da4f880cb43e75d97d3a604d79/app/helpers/formatting_helper.rb#L21-L38)). No glaringly obvious SQLi problems.
* Random aside, repo size seems kinda large? It has 23MB of assets and 17MB of JS in the repo (vendored assets I guess?).
* Only one open brakeman finding (missing `rel` attribute, overridden by the `referrer-policy` set [here](https://github.dev/mastodon/mastodon/blob/58fc889c6fe697da4f880cb43e75d97d3a604d79/app/controllers/concerns/web_app_controller_concern.rb#L17)).

Overall? I spent like 20 minutes, don't listen to me.
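The CSP check above was done by reading the initializer. As an added example (not code from the thread or from Mastodon), here is the same audit done against the emitted `Content-Security-Policy` header string, so it can be run against any deployment's response. The function names and the sample policies are mine; the rules it applies are standard CSP3 semantics: `script-src` falls back to `default-src` when absent, and `'unsafe-inline'` is ignored by CSP3 browsers once a nonce or hash source is present.

```ruby
# Added example, not Mastodon's code: audit the script-src of a CSP header
# for the weaknesses a reviewer looks for first (eval, inline, wildcards).

# Parse "name src src; name src" into { "name" => ["src", ...] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, policy|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    policy[tokens.shift.downcase] = tokens
  end
end

# Effective script sources: script-src, else the default-src fallback.
def effective_script_src(policy)
  policy['script-src'] || policy['default-src'] || []
end

# Returns a list of human-readable findings; empty means nothing flagged.
def audit_script_src(header)
  sources = effective_script_src(parse_csp(header))
  findings = []
  findings << 'unsafe-eval allowed' if sources.include?("'unsafe-eval'")
  # A nonce or hash source makes 'unsafe-inline' a no-op in CSP3 browsers.
  nonce_or_hash = sources.any? { |s| s.match?(/\A'(nonce-|sha(256|384|512)-)/) }
  if sources.include?("'unsafe-inline'") && !nonce_or_hash
    findings << 'unsafe-inline allowed without nonce/hash'
  end
  findings << 'wildcard script source' if sources.include?('*')
  findings << 'no script-src or default-src' if sources.empty?
  findings
end

# Constructed sample policies (not captured from a real server).
MASTODON_LIKE = "default-src 'none'; script-src 'self' 'unsafe-eval'"
STRICT        = "default-src 'self'"

if __FILE__ == $PROGRAM_NAME
  puts "mastodon-like: #{audit_script_src(MASTODON_LIKE).inspect}"
  puts "strict:        #{audit_script_src(STRICT).inspect}"
end
```

Pointing this at a live header is a `curl -sI https://host/ | grep -i content-security-policy` away; the interesting case is the one the thread describes, where `'unsafe-eval'` is the only finding and the SPA build is what forces it.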
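On the "building HTML via concat/interpolation" point: the risk is that a value the user controls lands in the markup unescaped. The following is an added example, not the helper linked above or any Mastodon code; the helper names, the `javascript:` payload and the display-name payload are constructed for illustration. It puts a string-interpolating link builder beside one that routes every dynamic value through `ERB::Util.html_escape` (the escaper Rails' `h` helper uses) and refuses non-http(s) hrefs.

```ruby
# Added example, not Mastodon's code: unsafe string-built HTML next to the
# escaped version. Helper names are hypothetical.
require 'erb'

# Vulnerable pattern: raw interpolation. Anything in `text` or `href` is
# emitted as markup, so a display name can inject a <script> tag and an
# href can carry a javascript: URL.
def link_by_interpolation(href, text)
  "<a href=\"#{href}\">#{text}</a>"
end

# Hardened pattern: escape every dynamic value (& < > " ') and only allow
# http(s) hrefs, falling back to '#' for anything else.
def link_escaped(href, text)
  safe_href = href.match?(%r{\Ahttps?://}i) ? ERB::Util.html_escape(href) : '#'
  "<a href=\"#{safe_href}\">#{ERB::Util.html_escape(text)}</a>"
end

# Constructed attacker-controlled inputs (not real data).
EVIL_NAME = '<script>alert(1)</script>'
EVIL_HREF = 'javascript:alert(1)'

if __FILE__ == $PROGRAM_NAME
  puts link_by_interpolation(EVIL_HREF, EVIL_NAME)
  puts link_escaped(EVIL_HREF, EVIL_NAME)
end
```

In a Rails view the escaped string would still need `html_safe` (or `content_tag`/`safe_join`, which do the escaping for you) to be rendered as markup rather than double-escaped; the point here is only that every interpolated value must pass through an escaper before it is concatenated.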