From f8f67b8908ae7612631ee806b99a078b0efac41f Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Fri, 5 Jul 2024 11:56:50 +0200
Subject: [PATCH] security: update mastodon to 4.2.10

https://github.com/mastodon/mastodon/releases/tag/v4.2.10
* Fix incorrect permission checking on multiple API endpoints (GHSA-58x8-3qxw-6hm7)
* Fix incorrect authorship checking when processing some activities (CVE-2024-37903, GHSA-xjvf-fm67-4qc3)
* Fix ongoing streaming sessions not being invalidated when application tokens get revoked (GHSA-vp5r-5pgw-jwqx)
---
 flake.lock | 17 +++++++++++++++++
 flake.nix | 1 +
 overlays/default.nix | 16 ++++++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/flake.lock b/flake.lock
index 8f2c047..cdc0256 100644
--- a/flake.lock
+++ b/flake.lock
@@ -360,6 +360,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-head": {
+ "locked": {
+ "lastModified": 1720137366,
+ "narHash": "sha256-Xn+WAX2t2yjNdgZEyEtjCLvkqjrGPVhKRGsM6ujUf8c=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "f2a40608e6b55661cac28e473e28b6208da53c01",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "release-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-lib": {
 "locked": {
 "lastModified": 1717284937,
@@ -386,6 +402,7 @@
 "nixos-flake": "nixos-flake",
 "nixpkgs": "nixpkgs",
 "nixpkgs-2205": "nixpkgs-2205",
+ "nixpkgs-head": "nixpkgs-head",
 "simple-nixos-mailserver": "simple-nixos-mailserver",
 "triton-vmtools": "triton-vmtools",
 "unstable": "unstable"
diff --git a/flake.nix b/flake.nix
index b5473e1..1e9c3f3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,7 @@
 unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
+ nixpkgs-head.url = "github:nixos/nixpkgs/release-24.05";
 nix-darwin.url = "github:lnl7/nix-darwin/master";
 nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/overlays/default.nix b/overlays/default.nix
index af9faa9..5e60e51 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -16,6 +16,22 @@
 element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
 inherit (inputs) element-stickers maunium-stickerpicker;
 };
+ mastodon = prev.mastodon.override {
+ version = "4.2.10";
+ patches = [
+ (final.fetchpatch {
+ url = "https://github.com/mastodon/mastodon/compare/v4.2.9...v4.2.10.patch";
+ hash = "sha256-268iq+2E5OOlhaJE1u5q7AFPdsloXpZCEXoyRMLtRys=";
+ })
+ ];
+
+ # Mastodon has been upgraded on master, the backport is still
+ # in progress. This is a temporary hack until the backport
+ # makes it to the branch nixos-24.05.
+ # https://github.com/NixOS/nixpkgs/pull/324587
+ # https://nixpk.gs/pr-tracker.html?pr=324587
+ gemset = import "${inputs.nixpkgs-head.sourceInfo.outPath}/pkgs/servers/mastodon/gemset.nix";
+ };
 }
 )
 ];
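Review bot: The `mastodon` override in overlays/default.nix is unconditional even though its own comment calls it a temporary hack, so it will keep forcing `version = "4.2.10"`, the v4.2.9...v4.2.10 patch and the `nixpkgs-head` gemset after the pinned nixpkgs ships this or a later security release. A version guard would make the workaround drop out on its own: `mastodon = if prev.lib.versionOlder prev.mastodon.version "4.2.10" then prev.mastodon.override { … } else prev.mastodon;`. From what the hunk shows, `version` looks like a label only, with the actual fixes coming from the hash-pinned patch and the imported gemset, so the guard should test the base package's version and not the overridden one. The `nixpkgs-head` input added in flake.nix appears to exist only for this gemset import and should be removed together with the override. The enclosing overlay function starts outside the hunk.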