So, I wrote the first thing for Balormo's backend tonight. I wanted to do dice rolls, or really RNG (random number generation) broadly, and in this case I wrote the simplest form of it in the TTRPG space: rolling XdY, take the sum.
I did not write an FE for this yet. That's because I want to discuss the way I designed it. Now would be the time to refactor things or change around how it's structured. This is backend proof of concept phase.
For the time being, you can use curl to try it out once you have an account on dev.iddqd.social:
curl -X POST "https://dev.iddqd.social/api/v1/statuses" \
  -H "Authorization: Bearer REDACTED" \
  -H "Content-Type: multipart/form-data" \
  -F "status=Rolling CON for AD&D 2e style" \
  -F "source=Pleroma FE" \
  -F "visibility=public" \
  -F "content_type=text/plain" \
  -F "balormo[rng][system]=dice_sum" \
  -F "balormo[rng][denomination]=6" \
  -F "balormo[rng][quantity]=3"

You can find my commit for it here: https://gitgud.io/thestranjer/balormo/-/commit/483800ea9c2e5f913ecc5f1523625c9ad535917d
Unfortunately, Soapbox and Pleroma seem to drop the balormo object in federation. However, quite fortunately, it delivers the Object URL, which does retain that information:
{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    "https://dev.iddqd.social/schemas/litepub-0.1.jsonld",
    {"@language": "und"}
  ],
  "actor": "https://dev.iddqd.social/users/NEETzsche",
  "attachment": [],
  "attributedTo": "https://dev.iddqd.social/users/NEETzsche",
  "balormo": {
    "rng": {
      "denomination": 6,
      "quantity": 3,
      "results": [1, 1, 6],
      "sum": 8,
      "system": "dice_sum"
    }
  },
  "cc": ["https://dev.iddqd.social/users/NEETzsche/followers"],
  "content": "Rolling CON for AD&D 2e style<br/><i>Rolling 3d6, taking the sum.</i><br/><b>Results:</b> 1, 1, 6<br/><b>Sum:</b> 8",
  "context": "https://dev.iddqd.social/contexts/c2ceeca0-5369-41b9-8be7-2d0a647a7907",
  "conversation": "https://dev.iddqd.social/contexts/c2ceeca0-5369-41b9-8be7-2d0a647a7907",
  "id": "https://dev.iddqd.social/objects/48f97fc0-5a63-406f-8822-3ea4493713d9",
  "published": "2024-05-10T09:13:21.883623Z",
  "sensitive": null,
  "source": {
    "content": "Rolling CON for AD&D 2e style",
    "mediaType": "text/plain"
  },
  "summary": "",
  "tag": [],
  "to": ["https://www.w3.org/ns/activitystreams#Public"],
  "type": "Note"
}

The way I wrote this is you just add more fields to the /api/v1/statuses endpoint and give it extra fields. In this case, the system field can be changed and the pattern matching will pick up on the right one and then generate dice rolls etc. in the right fashion. For example, I might write a Shadowrun dice roller that rolls d6s given only a pool value and re-rolls 6s until you don't get any more.
The reason to bake this into the protocol is so that you can manage the data better and change the way it's displayed in the future. The appended roll text to the status will be put in a <div> with a class on it that's invisible for the FE.
Thoughts on how to improve this before I move on to the FE?
@sun @p @jeffcliff @rees @crunklord420 @caekislove @mint @LukeAlmighty @lain
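Added example (not from the Balormo commit or from Pleroma): a Python sketch of the server side of the post above, parsing the balormo[rng][*] multipart fields, dispatching on the system field, and building the content plus balormo object. The bounds on quantity and denomination, the use of the secrets module, and the HTML escaping of the user's status text are my assumptions, not the project's.

```python
import html
import re
import secrets
from typing import Callable, Dict

# Hypothetical bounds (not from the Balormo commit): stop a client from
# asking for millions of dice and burning server CPU.
MAX_QUANTITY = 100
MAX_DENOMINATION = 1000

RngFn = Callable[[int], int]  # returns an int in [1, sides]


def secure_die(sides: int) -> int:
    """Unpredictable roll: secrets, not random, so players cannot forecast results."""
    return secrets.randbelow(sides) + 1


def roll_dice_sum(denomination: int, quantity: int, die: RngFn = secure_die) -> dict:
    results = [die(denomination) for _ in range(quantity)]
    return {"system": "dice_sum", "denomination": denomination,
            "quantity": quantity, "results": results, "sum": sum(results)}


# Dispatch table keyed on balormo[rng][system]; a Shadowrun pool roller
# would be registered here next to dice_sum.
SYSTEMS: Dict[str, Callable[..., dict]] = {"dice_sum": roll_dice_sum}

_FIELD = re.compile(r"^balormo\[rng\]\[(\w+)\]$")


def parse_rng_fields(form: Dict[str, str]) -> Dict[str, str]:
    """Pull the balormo[rng][*] keys out of a flat multipart form dict."""
    return {m.group(1): v for k, v in form.items() if (m := _FIELD.match(k))}


def _bounded_int(raw: str, lo: int, hi: int, name: str) -> int:
    if not raw.isdigit():  # rejects "", "-1", "3.5", "1e9"
        raise ValueError(f"{name} must be a non-negative integer")
    val = int(raw)
    if not lo <= val <= hi:
        raise ValueError(f"{name} out of range {lo}..{hi}")
    return val


def handle_status(form: Dict[str, str], die: RngFn = secure_die) -> dict:
    """Validate the rng fields, roll, and build the content + balormo object."""
    rng = parse_rng_fields(form)
    system = rng.get("system")
    if system not in SYSTEMS:
        raise ValueError(f"unknown rng system: {system!r}")
    d = _bounded_int(rng.get("denomination", ""), 2, MAX_DENOMINATION, "denomination")
    q = _bounded_int(rng.get("quantity", ""), 1, MAX_QUANTITY, "quantity")
    roll = SYSTEMS[system](d, q, die)
    # Escape the user's text before embedding it in HTML next to the roll.
    content = (f"{html.escape(form.get('status', ''))}<br/>"
               f"<i>Rolling {q}d{d}, taking the sum.</i><br/>"
               f"<b>Results:</b> {', '.join(map(str, roll['results']))}<br/>"
               f"<b>Sum:</b> {roll['sum']}")
    return {"content": content, "balormo": {"rng": roll}}
```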
So here’s an example of one of the maliciously-crafted payloads that resulted in a 9.8 severity CVE (CVE-2024-23832) against Mastodon:
{
  "@context": ["https://www.w3.org/ns/activitystreams"],
  "id": "https://mastodon.social/users/Gargron/posts/123456",
  "type": "Note",
  "actor": "https://mastodon.social/users/Gargron",
  "attributedTo": "https://mastodon.social/users/Gargron",
  "content": "Well, this is an extremely concerning vulnerability I should have accounted for.",
  "to": ["https://www.w3.org/ns/activitystreams#Public"],
  "cc": ["https://mastodon.social/users/Gargron/followers"],
  "published": "2024-01-28T22:00:00Z"
}

I have previously double-checked with one of the Mastodon developers (while CC'ing the Mastodon Security email) to confirm that I'm free to release the details at this scheduled time (Feb 15th 15:00 UTC). According to the current observed metrics on FediDB, >73.6% of Mastodon instances are patched against CVE-2024-23832, as manually tabulated.
For more details on the vulnerability, the original security report as it was submitted on Github is available at: https://arcanican.is/excerpts/cve-2024-23832/
My recount of events (as well as unsolicited commentary and criticisms on the vulnerability, ecosystem, etc; when I get around to finishing it): https://arcanican.is/excerpts/cve-2024-23832/discovery.htm
@Moon @Terry @colonelj @sjw @feld @colonelj @lanodan @mint @p If you want to be compliant with jsonld, even if you don't use it, you must support field prefixes, so you must also parse jsonld specs themselves to know which ones you may ignore. If you want to be a dick, you are technically allowed by the spec to federate something like
{
  "@context": {
    "fuckyou": "https://www.w3.org/ns/activitystreams",
    "@vocab": "https://fuck.you"
  },
  "fuckyou:type": "Note",
  "fuckyou:to": ["https://www.w3.org/ns/activitystreams#Public"],
  "fuckyou:content": "Fuck your efficient json parsers."
}

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.
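Added example (my code, not from any of the posters or from GNU social): a minimal Python normalizer for the prefix trick in the last post. It expands keys through the inline @context (prefixes and @vocab) and folds anything in the ActivityStreams namespace back to its plain term, so a receiver compares "type", "to" and "content" after expansion instead of on the raw keys. This is a deliberate simplification of full JSON-LD expansion: remote contexts referenced by URL are not fetched, and only the ActivityStreams namespace is treated as known.

```python
from typing import Any, Dict, Tuple

AS_NS = "https://www.w3.org/ns/activitystreams"


def load_context(ctx: Any) -> Tuple[Dict[str, str], str]:
    """Collect prefix -> IRI mappings and @vocab from an inline @context.
    Remote context URLs are not fetched; the AS one is the only known one."""
    prefixes: Dict[str, str] = {}
    vocab = ""
    for part in ctx if isinstance(ctx, list) else [ctx]:
        if isinstance(part, str):
            if part == AS_NS:  # the standard AS context defines the "as" prefix
                prefixes.setdefault("as", AS_NS + "#")
        elif isinstance(part, dict):
            for term, value in part.items():
                if term == "@vocab" and isinstance(value, str):
                    vocab = value
                elif not term.startswith("@") and isinstance(value, str):
                    prefixes[term] = value
    return prefixes, vocab


def expand_key(key: str, prefixes: Dict[str, str], vocab: str) -> str:
    """Turn 'prefix:local' into a full IRI; plain terms fall under @vocab."""
    if key.startswith("@") or "://" in key:
        return key  # keyword or already an absolute IRI
    prefix, sep, local = key.partition(":")
    if sep and prefix in prefixes:
        return prefixes[prefix] + local
    return vocab + key if vocab else key


def as_local_name(iri: str) -> str:
    """Map an IRI inside the AS namespace back to its plain term ('type', 'to')."""
    if iri.startswith(AS_NS):
        return iri[len(AS_NS):].lstrip("#/") or iri
    return iri


def normalize(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Rewrite every key of an incoming object to its canonical form."""
    prefixes, vocab = load_context(doc.get("@context", []))
    return {as_local_name(expand_key(k, prefixes, vocab)): v
            for k, v in doc.items() if k != "@context"}
```

Run the allow/deny logic on the normalized dict, never on the raw keys.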