AkkomaGang/akkoma
AkkomaGang/akkoma
15
65
Fork 92
Code Issues 176 Pull requests 24 Projects 2 Releases 14 Packages Wiki Activity

[bug] Custom emoji IDs are on the wrong origin #694

New issue
Closed
opened 2024-02-17 19:13:25 +00:00 by puckipedia · 4 comments
puckipedia commented 2024-02-17 19:13:25 +00:00
Copy link

Your setup

OTP

Extra details

No response

Version

(this is an issue at least on the last commit)

PostgreSQL version

No response

What were you trying to do?

Render a custom emoji received from an Akkoma instance

What did you expect to happen?

It renders.

What actually happened?

It doesn't render, because the ID of the Emoji tag is equivalent to the url, which may not be on the same origin as the object.

For security reasons, Kroeg, a piece of ActivityPub software, rejects any object that has an ID from a different origin, instead opting to fetch it afresh from that instance. Custom Emoji that are hotlinked from another origin, thus, fall under this category, and are discarded.

See transmogrifier.ex's build_emoji_tag.

Logs

No response

Have you searched for this issue?

  • I have double-checked and have not found this issue mentioned anywhere.
### Your setup OTP ### Extra details _No response_ ### Version (this is an issue at least on the last commit) ### PostgreSQL version _No response_ ### What were you trying to do? Render a custom emoji received from an Akkoma instance ### What did you expect to happen? It renders. ### What actually happened? It doesn't render, because the ID of the `Emoji` tag is equivalent to the `url`, which may not be on the same origin as the object. For security reasons, Kroeg, a piece of ActivityPub software, rejects any object that has an ID from a different origin, instead opting to fetch it afresh from that instance. Custom Emoji that are hotlinked from another origin, thus, fall under this category, and are discarded. See `transmogrifier.ex`'s `build_emoji_tag`. ### Logs _No response_ ### Have you searched for this issue? - [x] I have double-checked and have not found this issue mentioned anywhere.
puckipedia added the
bug
 label 2024-02-17 19:13:25 +00:00
floatingghost commented 2024-02-17 19:29:54 +00:00
Owner
Copy link

this behaviour is correct and not a bug

the only concievable way to react with remote emoji, as we allow, is to rely on the ID of the emoji object

to "correct" that would be to remove the functionality, or would amount to proxying images through the instance

this behaviour is correct and not a bug the only concievable way to react with remote emoji, as we allow, is to rely on the ID of the emoji object to "correct" that would be to remove the functionality, or would amount to proxying images through the instance
floatingghost commented 2024-02-17 19:33:49 +00:00
Owner
Copy link

additionally please ensure you set the correct severity when you raise an issue - it helps us prioritise

this is not a cannot-use-the-software level issue

additionally please ensure you set the correct severity when you raise an issue - it helps us prioritise this is not a cannot-use-the-software level issue
puckipedia commented 2024-02-17 19:39:02 +00:00
Author
Copy link

additionally please ensure you set the correct severity when you raise an issue - it helps us prioritise

oh, i did not actually enter anything into that field (i overlooked it), it might not be the best to default that to the highest priority?

the only concievable way to react with remote emoji, as we allow, is to rely on the ID of the emoji object

The issue is that the ID used is that of the image of the emoji, even if it were on a remote server, rather than the ID of the Emoji JSON-LD object.

As an example. Mastodon renders the id of the emoji to be "https://<domain>/emojis/<emoji id>", rather than https://<cdn path>/custom_emojis/images/<numbers>.png; I'd be okay if you used the remote server's Emoji object ID, rather than its image URL, as the ID for the Emoji object, as that can (in many cases) be resolved.

> additionally please ensure you set the correct severity when you raise an issue - it helps us prioritise oh, i did not actually enter anything into that field (i overlooked it), it might not be the best to default that to the highest priority? > the only concievable way to react with remote emoji, as we allow, is to rely on the ID of the emoji object The issue is that the ID used is that of the image of the emoji, even if it were on a remote server, rather than the ID of the Emoji JSON-LD object. As an example. Mastodon renders the `id` of the emoji to be `"https://<domain>/emojis/<emoji id>"`, rather than `https://<cdn path>/custom_emojis/images/<numbers>.png`; I'd be okay if you used the remote server's `Emoji` object ID, rather than its image URL, as the ID for the Emoji object, as that can (in many cases) be resolved.
erincandescent commented 2024-02-20 10:05:07 +00:00
Contributor
Copy link

Does anything actually depend upon the id for federation?

Could we just send it anonymously?

Does anything actually depend upon the id for federation? Could we just send it anonymously?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
translations
customizable-docker-db
stable
static-adminfe
bad-uploader-config-warning
docker
user-expiry-backfill
config-db-keys
ensure-scrubbers-loaded
otp26
code-shaking-does-not-go-brr
elixir1.15
circleci
backup-fixes
mod-task
policy
mrf-coolness
frontend-switcher-9000
contentMap
language-on-posts
rabbit
credo-on-pr
unify-http
normalise-markup-by-default
buildx
v3.13.2
v2.6.3
v3.13.1
v3.13.0
snac-3.12.1.2
v3.12.2
snac-3.12.1.1
v3.12.1
v3.12.0
v3.11.0
v2.6.2
v2.6.1
2.6.1
v2.6.0
v2.5.5
v3.10.4
v3.10.3
v3.10.2
v3.10.1
v3.10.0
v2.5.4
v2.5.3
v3.9.3
v3.9.2
v3.9.1
V3.9.0
2023.05
v3.8.0
v3.7.1
v3.7.0
v3.6.0
v3.5.0
v2.4.5
v3.4.0
v3.3.1
v2.4.4
v3.3.0
v3.2.3
v3.2.2
v3.2.1
stable-202209
v3.2.0
v3.1.0
stable-2022.07
v3.0.0
v0.0.1
v2.5.2-6
v2.5.2-5
v2.5.2-4
v2.5.2-3
v2.5.2-2
v2.5.2-1
v2.5.2
v2.5.1
v2.5.0-8
v2.5.0-7
v2.5.0-6
v2.5.0-5
v2.5.0-4
v2.5.0-3
v2.5.0-2
v2.5.0-1
v2.5.0
v2.4.3
pre-rebase
v2.4.2
v2.4.1
v2.4.0
soapbox-v1.1.1
soapbox-v1.1.0
soapbox-v1.0.0
v2.3.0
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.1.9
v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.91
v1.0.90
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
v0.9.0
Labels
Clear labels   
approved, awaiting change

   
bug

Something is not working

  
configuration

This requires config changes

  
documentation

This is about human-readable docs

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
extremely low priority

   
feature request

Something new?

  
Fix it yourself

Support has been attempted

  
help wanted

Need some help

  
invalid

Something is wrong

  
mastodon_api

   
needs docs

   
needs tests

   
not a bug

   
planned

   
pleroma_api

   
privacy

   
question

More information is needed

  
static_fe

   
triage

   
wontfix

This won't be fixed

No labels
approved, awaiting change
bug
configuration
documentation
duplicate
enhancement
extremely low priority
feature request
Fix it yourself
help wanted
invalid
mastodon_api
needs docs
needs tests
not a bug
planned
pleroma_api
privacy
question
static_fe
triage
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#694
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?