

Fix: LD Signaturesで署名された投稿の検索許可(検索範囲)が改竄できる問題
kmycode committed Sep 9, 2024
1 parent ec9644b commit b6278e0
Showing 6 changed files with 39 additions and 13 deletions.
8 changes: 4 additions & 4 deletions app/lib/activitypub/activity/create.rb
Expand Up @@ -507,15 +507,15 @@ def join_group!
end

def searchability_from_audience
if audience_searchable_by.nil?
nil
elsif audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) }
return nil if audience_searchable_by.blank?

if audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) }
:public
elsif audience_searchable_by.include?('kmyblue:Limited') || audience_searchable_by.include?('as:Limited')
:limited
elsif audience_searchable_by.include?(@account.followers_url)
:private
else
elsif audience_searchable_by.include?(@account.uri) || audience_searchable_by.include?(@account.url)
:direct
end
end
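Review bot: With the `else` arm removed, a `searchableBy` that is present but matches none of the recognised values now falls off the `if`/`elsif` chain and returns nil, and nothing in the hunk records whether that is the intended fallback; a comment above `return nil if audience_searchable_by.blank?` such as `# Blank or unrecognised searchableBy yields nil (no explicit scope); :direct is only granted for the author's own uri/url, so a remote sender cannot widen the scope with an unexpected collection` would make the contract explicit. The new `:direct` test is an exact string comparison against `@account.uri` and `@account.url`; if `@account.url` can be nil and `audience_searchable_by` (defined outside this hunk) is not compacted, a `null` entry in the incoming array would satisfy `include?(nil)` — worth confirming where that array is built. `searchability_from_audience` is fully visible here, but its input method is not.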
6 changes: 2 additions & 4 deletions app/lib/activitypub/tag_manager.rb
Expand Up @@ -237,12 +237,10 @@ def searchable_by(status)
[COLLECTIONS[:public]]
when 'private'
[account_followers_url(status.account)]
when 'direct'
status.conversation_id.present? ? [uri_for(status.conversation)] : []
when 'limited'
['as:Limited', 'kmyblue:Limited']
else
[]
status.conversation_id.present? ? [uri_for(status.conversation), account_url(status.account)] : [account_url(status.account)]
end

searchable_by.concat(mentions_uris(status)).compact
Expand All @@ -257,7 +255,7 @@ def account_searchable_by(account)
when 'limited'
['as:Limited', 'kmyblue:Limited']
else
[]
[account_url(account)]
end
end

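Review bot: The `else` arm of `searchable_by` now serves both `'direct'` and any unrecognised or nil `status.searchability`, and the same default-to-own-URL pattern appears in the `account_searchable_by` hunk below; the `case` gives no hint that the fallback is deliberate, so a comment on each `else` such as `# 'direct' and anything unrecognised: only the author's own URL, never a wider collection` would help the next reader. Both arms of the ternary end in `account_url(status.account)`, and the result is `.compact`ed on the following line, so `[(uri_for(status.conversation) if status.conversation_id.present?), account_url(status.account)]` expresses the same value without repeating the URL. Both methods begin before their hunks.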
2 changes: 1 addition & 1 deletion app/services/activitypub/process_account_service.rb
Expand Up @@ -267,7 +267,7 @@ def audience_searchable_by
end

def searchability_from_audience
if audience_searchable_by.nil?
if audience_searchable_by.blank?
bio = searchability_from_bio
return bio unless bio.nil?

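Review bot: Switching `nil?` to `blank?` means an explicitly empty `searchableBy` array now takes the bio path instead of whatever the chain below produced for it, but the rest of `searchability_from_audience` is outside the hunk, so the eventual value for that case cannot be confirmed here; the accompanying spec pins it to `'direct'`. A short comment above the `if`, `# absent or empty searchableBy: use the bio hint, then the default`, would record why `blank?` is the right test, especially since the status counterpart in `ActivityPub::Activity::Create` returns nil for the same input.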
13 changes: 12 additions & 1 deletion spec/lib/activitypub/activity/create_spec.rb
Expand Up @@ -564,7 +564,7 @@ def activity_for_object(json)
end

context 'with direct' do
let(:searchable_by) { '' }
let(:searchable_by) { 'https://example.com/actor' }

it 'create status' do
status = sender.statuses.first
Expand All @@ -574,6 +574,17 @@ def activity_for_object(json)
end
end

context 'with empty array' do
let(:searchable_by) { '' }

it 'create status' do
status = sender.statuses.first

expect(status).to_not be_nil
expect(status.searchability).to be_nil
end
end

context 'with direct when not specify' do
let(:searchable_by) { nil }

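Review bot: The new `'with empty array'` context pins the blank case, but nothing exercises the scenario the commit title describes — a `searchableBy` carrying a URI that is not the author's own, which the new `searchability_from_audience` in `ActivityPub::Activity::Create` should no longer turn into `:direct`. A context with an unrelated actor URL would guard the fix against an `else` branch being reintroduced later; the expected value below mirrors the `'with empty array'` case, since both inputs leave the `if`/`elsif` chain without a match (confirm against whatever fallback applies outside that method).
```ruby
context 'with unrelated uri' do
  # constructed value: any URL that is not the sender's uri/url
  let(:searchable_by) { 'https://example.com/someone-else' }

  it 'does not grant direct searchability' do
    status = sender.statuses.first

    expect(status).to_not be_nil
    expect(status.searchability).to be_nil
  end
end
```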
13 changes: 11 additions & 2 deletions spec/serializers/activitypub/note_serializer_spec.rb
Expand Up @@ -5,9 +5,9 @@
describe ActivityPub::NoteSerializer do
subject { JSON.parse(@serialization.to_json) }

let!(:account) { Fabricate(:account) }
let!(:account) { Fabricate(:account, searchability: :public) }
let!(:other) { Fabricate(:account) }
let!(:parent) { Fabricate(:status, account: account, visibility: :public, language: 'zh-TW') }
let!(:parent) { Fabricate(:status, account: account, visibility: :public, searchability: searchability, language: 'zh-TW') }
let!(:reply_by_account_first) { Fabricate(:status, account: account, thread: parent, visibility: :public) }
let!(:reply_by_account_next) { Fabricate(:status, account: account, thread: parent, visibility: :public) }
let!(:reply_by_other_first) { Fabricate(:status, account: other, thread: parent, visibility: :public) }
Expand All @@ -16,6 +16,7 @@
let!(:referred) { nil }
let!(:referred2) { nil }
let(:convert_to_quote) { false }
let(:searchability) { :public }

before(:each) do
parent.references << referred if referred.present?
Expand Down Expand Up @@ -55,6 +56,14 @@
expect(subject['replies']['first']['items']).to_not include(reply_by_account_visibility_direct.uri)
end

context 'when direct searchability' do
let(:searchability) { :direct }

it 'send as direct searchability' do
expect(subject['searchableBy']).to include "https://cb6e6126.ngrok.io/users/#{account.username}"
end
end

context 'when has quote but no_convert setting' do
let(:referred) { Fabricate(:status) }

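Review bot: `include` only shows that the author's URL is among `searchableBy`; for a change whose purpose is to stop a wider scope from being emitted, it would not catch the public collection appearing alongside it. Adding `expect(subject['searchableBy']).to_not include ActivityPub::TagManager::COLLECTIONS[:public]` to the same example pins the negative side of the fix. The expected host is also hard-coded here; if the test host is configured elsewhere in the suite, deriving the expectation from the same route helper the serializer uses would survive a configuration change (hedged — that helper may not be in scope in this spec).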
10 changes: 9 additions & 1 deletion spec/services/activitypub/process_account_service_spec.rb
Expand Up @@ -49,7 +49,7 @@
end

context 'when direct' do
let(:searchable_by) { '' }
let(:searchable_by) { 'https://foo.test' }

it 'searchability is direct' do
expect(subject.searchability).to eq 'direct'
Expand All @@ -72,6 +72,14 @@
end
end

context 'when empty array' do
let(:searchable_by) { '' }

it 'searchability is direct' do
expect(subject.searchability).to eq 'direct'
end
end

context 'when default value' do
let(:searchable_by) { nil }

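Review bot: The `'when direct'` context now feeds an unrelated host, `https://foo.test`, and still expects `'direct'`, so the example's name no longer describes what it tests — for accounts an unrecognised URI is evidently treated as direct, which the service hunk alone cannot confirm. Renaming it, e.g. `it 'falls back to direct for an unrecognised uri'`, and adding a sibling context that passes the actor's own URL (the value `account_searchable_by` now emits) would document both behaviours; as written, the `'when direct'` and `'when empty array'` examples share an identical description and differ only in input.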
