From 8fe29bf5d2f6899f646c2b76744e1bfeeb84c5eb Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Mon, 17 Jul 2023 17:53:03 +0100 Subject: [PATCH 1/5] Exclude deactivated users from emoji reaction lists --- .../controllers/emoji_reaction_controller.ex | 13 ++++++++++++- .../controllers/status_controller_test.exs | 5 +++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/lib/pleroma/web/pleroma_api/controllers/emoji_reaction_controller.ex b/lib/pleroma/web/pleroma_api/controllers/emoji_reaction_controller.ex index 0933363a6..e762fcad8 100644 --- a/lib/pleroma/web/pleroma_api/controllers/emoji_reaction_controller.ex +++ b/lib/pleroma/web/pleroma_api/controllers/emoji_reaction_controller.ex @@ -41,6 +41,17 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionController do end end + defp filter_allowed_user_by_ap_id(ap_ids, excluded_ap_ids) do + Enum.reject(ap_ids, fn ap_id -> + with false <- ap_id in excluded_ap_ids, + %{is_active: true} <- User.get_cached_by_ap_id(ap_id) do + false + else + _ -> true + end + end) + end + def filter_allowed_users(reactions, user, with_muted) do exclude_ap_ids = if is_nil(user) do @@ -51,7 +62,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionController do end filter_emoji = fn emoji, users, url -> - case Enum.reject(users, &(&1 in exclude_ap_ids)) do + case filter_allowed_user_by_ap_id(users, exclude_ap_ids) do [] -> nil users -> {emoji, users, url} end diff --git a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs index 6f04975b8..30be34007 100644 --- a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs @@ -1960,6 +1960,10 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do {:ok, _} = CommonAPI.react_with_emoji(activity.id, other_user, "🎅") User.mute(user, other_user) + deactivated_user = insert(:user) + {:ok, _} = CommonAPI.react_with_emoji(activity.id, deactivated_user, "🎅") + User.set_activation(deactivated_user, false) + result = conn |> get("/api/v1/statuses/?ids[]=#{activity.id}") @@ -1967,6 +1971,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do assert [ %{ + "emoji_reactions" => [], "pleroma" => %{ "emoji_reactions" => [] } From c8904f15a2604e5fa808b668c050ac16ae727523 Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Mon, 17 Jul 2023 18:17:04 +0100 Subject: [PATCH 2/5] Correct behaviour of mediaproxy blocklist --- lib/pleroma/web/media_proxy.ex | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/pleroma/web/media_proxy.ex b/lib/pleroma/web/media_proxy.ex index 9a5f47716..44f927dba 100644 --- a/lib/pleroma/web/media_proxy.ex +++ b/lib/pleroma/web/media_proxy.ex @@ -84,8 +84,13 @@ defmodule Pleroma.Web.MediaProxy do end def blocked?(url) do - %{host: domain} = URI.parse(url) - domain in Config.get([:media_proxy, :whitelist]) + %{scheme: scheme, host: domain} = URI.parse(url) + # Block either the bare domain or the scheme-domain combo + scheme_domain = "#{scheme}://#{domain}" + blocklist = Config.get([:media_proxy, :blocklist]) + + Enum.member?(blocklist, domain) || + Enum.member?(blocklist, scheme_domain) end defp maybe_get_domain_from_url("http" <> _ = url) do From 16d2bfef80f6242953f50ae724915cffd155bd96 Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Mon, 17 Jul 2023 18:24:53 +0100 Subject: [PATCH 3/5] Ensure embeds will not be served if unauthenticated users could not see it --- CHANGELOG.md | 6 ++++++ lib/pleroma/web/embed_controller.ex | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee1e1765a..1d1135acf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,10 +6,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased +## Added + - Added a new configuration option to the MediaProxy feature that allows the blocking of specific domains from using the media proxy or being explicitly allowed by the Content-Security-Policy. - Please make sure instances you wanted to block media from are not in the MediaProxy `whitelist`, and instead use `blocklist`. - `OnlyMedia` Upload Filter to simplify restricting uploads to audio, image, and video types +## Fixed + +- Deactivated users can no longer show up in the emoji reaction list + ## 2023.05 ## Added diff --git a/lib/pleroma/web/embed_controller.ex b/lib/pleroma/web/embed_controller.ex index c7912bb1f..91bd79766 100644 --- a/lib/pleroma/web/embed_controller.ex +++ b/lib/pleroma/web/embed_controller.ex @@ -16,7 +16,7 @@ defmodule Pleroma.Web.EmbedController do def show(conn, %{"id" => id}) do with %Activity{local: true} = activity <- Activity.get_by_id_with_object(id), - true <- Visibility.is_public?(activity.object) do + true <- Visibility.visible_for_user?(activity.object, nil) do {:ok, author} = User.get_or_fetch(activity.object.data["actor"]) conn From c63ae73bc0aaafd80dc3825765a6578177030985 Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Mon, 17 Jul 2023 19:18:21 +0100 Subject: [PATCH 4/5] Add embed controller tests --- lib/pleroma/web/embed_controller.ex | 19 +++++++--- lib/pleroma/web/views/embed_view.ex | 7 +++- test/pleroma/web/embed_controller_test.exs | 44 ++++++++++++++++++++++ 3 files changed, 63 insertions(+), 7 deletions(-) create mode 100644 test/pleroma/web/embed_controller_test.exs diff --git a/lib/pleroma/web/embed_controller.ex b/lib/pleroma/web/embed_controller.ex index 91bd79766..cffd6e29f 100644 --- a/lib/pleroma/web/embed_controller.ex +++ b/lib/pleroma/web/embed_controller.ex @@ -11,22 +11,31 @@ defmodule Pleroma.Web.EmbedController do alias Pleroma.Web.ActivityPub.Visibility - plug(:put_layout, :embed) - def show(conn, %{"id" => id}) do - with %Activity{local: true} = activity <- - Activity.get_by_id_with_object(id), - true <- Visibility.visible_for_user?(activity.object, nil) do + with {:activity, %Activity{} = activity} <- + {:activity, Activity.get_by_id_with_object(id)}, + {:local, true} <- {:local, activity.local}, + {:visible, true} <- {:visible, Visibility.visible_for_user?(activity, nil)} do {:ok, author} = User.get_or_fetch(activity.object.data["actor"]) conn |> delete_resp_header("x-frame-options") |> delete_resp_header("content-security-policy") + |> put_view(Pleroma.Web.EmbedView) |> render("show.html", activity: activity, author: User.sanitize_html(author), counts: get_counts(activity) ) + else + {:activity, _} -> + render_error(conn, :not_found, "Post not found") + + {:local, false} -> + render_error(conn, :unauthorized, "Federated posts cannot be embedded") + + {:visible, false} -> + render_error(conn, :unauthorized, "Not authorized to view this post") end end diff --git a/lib/pleroma/web/views/embed_view.ex b/lib/pleroma/web/views/embed_view.ex index 81e196730..913d717be 100644 --- a/lib/pleroma/web/views/embed_view.ex +++ b/lib/pleroma/web/views/embed_view.ex @@ -15,7 +15,7 @@ defmodule Pleroma.Web.EmbedView do alias Pleroma.Web.Metadata.Utils alias Pleroma.Web.Router.Helpers - use Phoenix.HTML + import Phoenix.HTML defdelegate full_nickname(user), to: User @@ -55,10 +55,13 @@ defmodule Pleroma.Web.EmbedView do data["url"] || data["external_url"] || data["id"] end - defp attachments(%Activity{object: %Object{data: %{"attachment" => attachments}}}) do + defp attachments(%Activity{object: %Object{data: %{"attachment" => attachments}}}) + when is_list(attachments) do attachments end + defp attachments(_), do: [] + defp sensitive?(%Activity{object: %Object{data: %{"sensitive" => sensitive}}}) do sensitive end diff --git a/test/pleroma/web/embed_controller_test.exs b/test/pleroma/web/embed_controller_test.exs new file mode 100644 index 000000000..caf328cc5 --- /dev/null +++ b/test/pleroma/web/embed_controller_test.exs @@ -0,0 +1,44 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2021 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + +defmodule Pleroma.Web.EmbedControllerTest do + use Pleroma.Web.ConnCase, async: true + import Pleroma.Factory + + test "/embed", %{conn: conn} do + activity = insert(:note_activity) + + resp = + conn + |> get("/embed/#{activity.id}") + |> response(200) + + object = Pleroma.Object.get_by_ap_id(activity.data["object"]) + + assert String.contains?(resp, object.data["content"]) + end + + test "/embed with a restricted post", %{conn: conn} do + activity = insert(:note_activity) + clear_config([:restrict_unauthenticated, :activities, :local], true) + + conn + |> get("/embed/#{activity.id}") + |> response(401) + end + + test "/embed with a private post", %{conn: conn} do + user = insert(:user) + + {:ok, activity} = + Pleroma.Web.CommonAPI.post(user, %{ + status: "Mega ultra chicken status: #fried", + visibility: "private" + }) + + conn + |> get("/embed/#{activity.id}") + |> response(401) + end +end From f1611b62926f0f7dd7477fdb2edb6eae9c5177d5 Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Mon, 17 Jul 2023 19:19:03 +0100 Subject: [PATCH 5/5] Update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d1135acf..7a81aad09 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Fixed - Deactivated users can no longer show up in the emoji reaction list +- Embedded posts can no longer bypass `:restrict\_unauthenticated` ## 2023.05