Merge branch 'main' of github.com:readthedocs/readthedocs.org into diataxis/main

Author: benjaoming

.circleci/config.yml

@@ -18,7 +18,7 @@ jobs:
       - checkout
       - run: git submodule sync
       - run: git submodule update --init
-      - run: pip install --user tox
+      - run: pip install --user 'tox<5'
       - run: tox -e py310
       - codecov/upload
 
@@ -29,7 +29,7 @@ jobs:
       - checkout
       - run: git submodule sync
       - run: git submodule update --init
-      - run: pip install --user tox
+      - run: pip install --user 'tox<4'
       - run: tox -c tox.embedapi.ini
 
   checks:
@@ -41,18 +41,20 @@ jobs:
       - checkout
       - run: git submodule sync
       - run: git submodule update --init
-      - run: pip install --user tox
+      - run: git fetch origin main  # needed for comparisson in pre-commit
+      - run: git branch -f --track main origin/main  # needed for comparisson in pre-commit
+      - run: pip install --user 'tox<5'
+      - run: tox -e pre-commit
+      - run: tox -e migrations
+      - run: tox -e lint
+      - run: tox -e docs
+      - run: tox -e docs-dev
       - run: scripts/circle/install_node.sh
       - run:
           name: Add node to the path
           command: |
             echo 'export PATH=~/.nvm/versions/node/v${NODE_VERSION}/bin:$PATH' >> $BASH_ENV
             source $BASH_ENV
-      - run: tox -e migrations
-      - run: tox -e pre-commit
-      - run: tox -e lint
-      - run: tox -e docs
-      - run: tox -e docs-dev
       - run: tox -e eslint
 
 workflows:

CHANGELOG.rst

@@ -1,3 +1,20 @@
+Version 9.1.0
+-------------
+
+**This release contains an important security fix**. See more information `on the GitHub advisory <https://github.com/readthedocs/readthedocs.org/security/advisories/GHSA-368m-86q9-m99w>`_.
+
+:Date: December 08, 2022
+
+* `@benjaoming <https://github.com/benjaoming>`__: Docs: Move "Choosing between our two platforms" to Explanation (Diátaxis) (`#9784 <https://github.com/readthedocs/readthedocs.org/pull/9784>`__)
+* `@benjaoming <https://github.com/benjaoming>`__: Abandoned Projects policy: Relax reachability requirement (`#9783 <https://github.com/readthedocs/readthedocs.org/pull/9783>`__)
+* `@benjaoming <https://github.com/benjaoming>`__: Docs: Change "downloadable" to "offline" (`#9782 <https://github.com/readthedocs/readthedocs.org/pull/9782>`__)
+* `@humitos <https://github.com/humitos>`__: Docs: fix raw directive (`#9778 <https://github.com/readthedocs/readthedocs.org/pull/9778>`__)
+* `@github-actions[bot] <https://github.com/github-actions[bot]>`__: Dependencies: all packages updated via pip-tools (`#9775 <https://github.com/readthedocs/readthedocs.org/pull/9775>`__)
+* `@humitos <https://github.com/humitos>`__: Settings: define default MailerLite setting (`#9769 <https://github.com/readthedocs/readthedocs.org/pull/9769>`__)
+* `@ericholscher <https://github.com/ericholscher>`__: Refactor downloadable docs (`#9768 <https://github.com/readthedocs/readthedocs.org/pull/9768>`__)
+* `@humitos <https://github.com/humitos>`__: Docs: fix minor issues (`#9765 <https://github.com/readthedocs/readthedocs.org/pull/9765>`__)
+* `@humitos <https://github.com/humitos>`__: Docs: validate Mastodon link (`#9764 <https://github.com/readthedocs/readthedocs.org/pull/9764>`__)
+
 Version 9.0.0
 -------------
 

docs/conf.py

@@ -70,7 +70,7 @@
 
 master_doc = "index"
 copyright = "Read the Docs, Inc & contributors"
-version = "9.0.0"
+version = "9.1.0"
 release = version
 exclude_patterns = ["_build", "shared"]
 default_role = "obj"

docs/user/abandoned-projects.rst

@@ -41,8 +41,8 @@ Reachability
 
 The user of Read the Docs is solely responsible for being reachable by the core team
 for matters concerning projects that the user owns. In every case where
-contacting the user is necessary, the core team will try to do so at least
-three times, using the following means of contact:
+contacting the user is necessary, the core team will try to do so,
+using the following means of contact:
 
 * E-mail address on file in the user's profile
 * E-mail addresses found in the given project's documentation

docs/user/guides/developers.rst

@@ -14,7 +14,6 @@ or customize the documentation appearance.
    reproducible-builds
    embedding-content
    conda
-   poetry
    remove-edit-buttons
    build-using-too-many-resources
    edit-source-links-sphinx

docs/user/guides/poetry.rst

@@ -1,6 +1,6 @@
 {
   "name": "readthedocs",
-  "version": "9.0.0",
+  "version": "9.1.0",
   "description": "Read the Docs build dependencies",
   "author": "Read the Docs, Inc <[email protected]>",
   "scripts": {

package.json

@@ -1,4 +1,4 @@
 """Read the Docs."""
 
 
-__version__ = "9.0.0"
+__version__ = "9.1.0"

readthedocs/__init__.py

@@ -1,11 +1,13 @@
-import structlog
 from pathlib import Path
 
+import structlog
 from django.conf import settings
 from django.core.exceptions import SuspiciousFileOperation
 from django.core.files.storage import FileSystemStorage
 from storages.utils import get_available_overwrite_name, safe_join
 
+from readthedocs.core.utils.filesystem import safe_open
+
 log = structlog.get_logger(__name__)
 
 
@@ -84,11 +86,20 @@ def copy_directory(self, source, destination):
         source = Path(source)
         for filepath in source.iterdir():
             sub_destination = self.join(destination, filepath.name)
+
+            # Don't follow symlinks when uploading to storage.
+            if filepath.is_symlink():
+                log.info(
+                    "Skipping symlink upload.",
+                    path_resolved=str(filepath.resolve()),
+                )
+                continue
+
             if filepath.is_dir():
                 # Recursively copy the subdirectory
                 self.copy_directory(filepath, sub_destination)
             elif filepath.is_file():
-                with filepath.open('rb') as fd:
+                with safe_open(filepath, "rb") as fd:
                     self.save(sub_destination, fd)
 
     def sync_directory(self, source, destination):
@@ -114,12 +125,20 @@ def sync_directory(self, source, destination):
         copied_dirs = set()
         for filepath in source.iterdir():
             sub_destination = self.join(destination, filepath.name)
+            # Don't follow symlinks when uploading to storage.
+            if filepath.is_symlink():
+                log.info(
+                    "Skipping symlink upload.",
+                    path_resolved=str(filepath.resolve()),
+                )
+                continue
+
             if filepath.is_dir():
                 # Recursively sync the subdirectory
                 self.sync_directory(filepath, sub_destination)
                 copied_dirs.add(filepath.name)
             elif filepath.is_file():
-                with filepath.open('rb') as fd:
+                with safe_open(filepath, "rb") as fd:
                     self.save(sub_destination, fd)
                 copied_files.add(filepath.name)
 

readthedocs/builds/storage.py

@@ -11,6 +11,7 @@
 from django.conf import settings
 
 from readthedocs.config.utils import list_to_dict, to_dict
+from readthedocs.core.utils.filesystem import safe_open
 from readthedocs.projects.constants import GENERIC
 
 from .find import find_one
@@ -1380,7 +1381,11 @@ def load(path, env_config):
 
     if not filename:
         raise ConfigFileNotFound(path)
-    with open(filename, 'r') as configuration_file:
+
+    # Allow symlinks, but only the ones that resolve inside the base directory.
+    with safe_open(
+        filename, "r", allow_symlinks=True, base_path=path
+    ) as configuration_file:
         try:
             config = parse(configuration_file.read())
         except ParseError as error:

readthedocs/config/config.py

@@ -6,6 +6,7 @@
 
 import pytest
 from django.conf import settings
+from django.test import override_settings
 from pytest import raises
 
 from readthedocs.config import (
@@ -80,7 +81,8 @@ def test_load_no_config_file(tmpdir, files):
     apply_fs(tmpdir, files)
     base = str(tmpdir)
     with raises(ConfigFileNotFound) as e:
-        load(base, {})
+        with override_settings(DOCROOT=tmpdir):
+            load(base, {})
     assert e.value.code == CONFIG_FILE_REQUIRED
 
 
@@ -92,13 +94,15 @@ def test_load_empty_config_file(tmpdir):
     )
     base = str(tmpdir)
     with raises(ConfigError):
-        load(base, {})
+        with override_settings(DOCROOT=tmpdir):
+            load(base, {})
 
 
 def test_minimal_config(tmpdir):
     apply_fs(tmpdir, yaml_config_dir)
     base = str(tmpdir)
-    build = load(base, {})
+    with override_settings(DOCROOT=tmpdir):
+        build = load(base, {})
     assert isinstance(build, BuildConfigV1)
 
 
@@ -111,7 +115,8 @@ def test_load_version1(tmpdir):
         },
     )
     base = str(tmpdir)
-    build = load(base, {})
+    with override_settings(DOCROOT=tmpdir):
+        build = load(base, {})
     assert isinstance(build, BuildConfigV1)
 
 
@@ -124,7 +129,8 @@ def test_load_version2(tmpdir):
         },
     )
     base = str(tmpdir)
-    build = load(base, {})
+    with override_settings(DOCROOT=tmpdir):
+        build = load(base, {})
     assert isinstance(build, BuildConfigV2)
 
 
@@ -138,7 +144,8 @@ def test_load_unknow_version(tmpdir):
     )
     base = str(tmpdir)
     with raises(ConfigError) as excinfo:
-        load(base, {})
+        with override_settings(DOCROOT=tmpdir):
+            load(base, {})
     assert excinfo.value.code == VERSION_INVALID
 
 
@@ -159,7 +166,8 @@ def test_load_raise_exception_invalid_syntax(tmpdir):
     )
     base = str(tmpdir)
     with raises(ConfigError) as excinfo:
-        load(base, {})
+        with override_settings(DOCROOT=tmpdir):
+            load(base, {})
     assert excinfo.value.code == CONFIG_SYNTAX_INVALID
 
 
@@ -176,13 +184,15 @@ def test_yaml_extension(tmpdir):
         },
     )
     base = str(tmpdir)
-    config = load(base, {})
+    with override_settings(DOCROOT=tmpdir):
+        config = load(base, {})
     assert isinstance(config, BuildConfigV1)
 
 
 def test_build_config_has_source_file(tmpdir):
     base = str(apply_fs(tmpdir, yaml_config_dir))
-    build = load(base, {})
+    with override_settings(DOCROOT=tmpdir):
+        build = load(base, {})
     assert build.source_file == os.path.join(base, 'readthedocs.yml')
 
 
@@ -196,7 +206,8 @@ def test_build_config_has_list_with_single_empty_value(tmpdir):
             ),
         },
     ))
-    build = load(base, {})
+    with override_settings(DOCROOT=tmpdir):
+        build = load(base, {})
     assert isinstance(build, BuildConfigV1)
     assert build.formats == []
 
@@ -682,7 +693,8 @@ def test_load_calls_validate(tmpdir):
     apply_fs(tmpdir, yaml_config_dir)
     base = str(tmpdir)
     with patch.object(BuildConfigV1, 'validate') as build_validate:
-        load(base, {})
+        with override_settings(DOCROOT=tmpdir):
+            load(base, {})
         assert build_validate.call_count == 1