[bug] Custom emoji IDs are on the wrong origin #694

New Issue

Open

opened 2024-02-17 19:13:25 +00:00 by puckipedia · 4 comments

puckipedia commented 2024-02-17 19:13:25 +00:00

Copy Link

Your setup

OTP

Extra details

No response

Version

(this is an issue at least on the last commit)

PostgreSQL version

No response

What were you trying to do?

Render a custom emoji received from an Akkoma instance

What did you expect to happen?

It renders.

What actually happened?

It doesn't render, because the ID of the Emoji tag is equivalent to the url, which may not be on the same origin as the object.

For security reasons, Kroeg, a piece of ActivityPub software, rejects any object that has an ID from a different origin, instead opting to fetch it afresh from that instance. Custom Emoji that are hotlinked from another origin, thus, fall under this category, and are discarded.

See transmogrifier.ex's build_emoji_tag.

Logs

No response

Have you searched for this issue?

• I have double-checked and have not found this issue mentioned anywhere.

### Your setup OTP ### Extra details _No response_ ### Version (this is an issue at least on the last commit) ### PostgreSQL version _No response_ ### What were you trying to do? Render a custom emoji received from an Akkoma instance ### What did you expect to happen? It renders. ### What actually happened? It doesn't render, because the ID of the `Emoji` tag is equivalent to the `url`, which may not be on the same origin as the object. For security reasons, Kroeg, a piece of ActivityPub software, rejects any object that has an ID from a different origin, instead opting to fetch it afresh from that instance. Custom Emoji that are hotlinked from another origin, thus, fall under this category, and are discarded. See `transmogrifier.ex`'s `build_emoji_tag`. ### Logs _No response_ ### Have you searched for this issue? - [x] I have double-checked and have not found this issue mentioned anywhere.

puckipedia added the

bug

label 2024-02-17 19:13:25 +00:00

floatingghost commented 2024-02-17 19:29:54 +00:00

Owner

Copy Link

this behaviour is correct and not a bug

the only concievable way to react with remote emoji, as we allow, is to rely on the ID of the emoji object

to "correct" that would be to remove the functionality, or would amount to proxying images through the instance

this behaviour is correct and not a bug the only concievable way to react with remote emoji, as we allow, is to rely on the ID of the emoji object to "correct" that would be to remove the functionality, or would amount to proxying images through the instance

floatingghost commented 2024-02-17 19:33:49 +00:00

Owner

Copy Link

additionally please ensure you set the correct severity when you raise an issue - it helps us prioritise

this is not a cannot-use-the-software level issue

additionally please ensure you set the correct severity when you raise an issue - it helps us prioritise this is not a cannot-use-the-software level issue

puckipedia commented 2024-02-17 19:39:02 +00:00

Author

Copy Link

additionally please ensure you set the correct severity when you raise an issue - it helps us prioritise

oh, i did not actually enter anything into that field (i overlooked it), it might not be the best to default that to the highest priority?

the only concievable way to react with remote emoji, as we allow, is to rely on the ID of the emoji object

The issue is that the ID used is that of the image of the emoji, even if it were on a remote server, rather than the ID of the Emoji JSON-LD object.

As an example. Mastodon renders the id of the emoji to be "https://<domain>/emojis/<emoji id>", rather than https://<cdn path>/custom_emojis/images/<numbers>.png; I'd be okay if you used the remote server's Emoji object ID, rather than its image URL, as the ID for the Emoji object, as that can (in many cases) be resolved.

> additionally please ensure you set the correct severity when you raise an issue - it helps us prioritise oh, i did not actually enter anything into that field (i overlooked it), it might not be the best to default that to the highest priority? > the only concievable way to react with remote emoji, as we allow, is to rely on the ID of the emoji object The issue is that the ID used is that of the image of the emoji, even if it were on a remote server, rather than the ID of the Emoji JSON-LD object. As an example. Mastodon renders the `id` of the emoji to be `"https://<domain>/emojis/<emoji id>"`, rather than `https://<cdn path>/custom_emojis/images/<numbers>.png`; I'd be okay if you used the remote server's `Emoji` object ID, rather than its image URL, as the ID for the Emoji object, as that can (in many cases) be resolved.

erincandescent commented 2024-02-20 10:05:07 +00:00

Contributor

Copy Link

Does anything actually depend upon the id for federation?

Could we just send it anonymously?

Does anything actually depend upon the id for federation? Could we just send it anonymously?

Oneric referenced this issue 2024-04-09 02:31:59 +00:00

[bug] Valid EmojiReacts with custom emoji are discarded if tag is an object instead of an aray #720

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

develop

stable

translations

backoff-http

bad-uploader-config-warning

docker

user-expiry-backfill

config-db-keys

ensure-scrubbers-loaded

otp26

code-shaking-does-not-go-brr

elixir1.15

circleci

backup-fixes

mod-task

policy

mrf-coolness

frontend-switcher-9000

contentMap

language-on-posts

rabbit

credo-on-pr

unify-http

normalise-markup-by-default

buildx

v3.13.1

v3.13.0

snac-3.12.1.2

v3.12.2

snac-3.12.1.1

v3.12.1

v3.12.0

v3.11.0

v2.6.2

v2.6.1

v2.6.0

v2.5.5

v3.10.4

v3.10.3

v3.10.2

v3.10.1

v3.10.0

v2.5.4

v2.5.3

v3.9.3

v3.9.2

v3.9.1

V3.9.0

2023.05

v3.8.0

v3.7.1

v3.7.0

v3.6.0

v3.5.0

v2.4.5

v3.4.0

v3.3.1

v2.4.4

v3.3.0

v3.2.3

v3.2.2

v3.2.1

stable-202209

v3.2.0

v3.1.0

stable-2022.07

v3.0.0

v0.0.1

v2.5.2-6

v2.5.2-5

v2.5.2-4

v2.5.2-3

v2.5.2-2

v2.5.2-1

v2.5.2

v2.5.1

v2.5.0-8

v2.5.0-7

v2.5.0-6

v2.5.0-5

v2.5.0-4

v2.5.0-3

v2.5.0-2

v2.5.0-1

v2.5.0

v2.4.3

pre-rebase

v2.4.2

v2.4.1

v2.4.0

soapbox-v1.1.1

soapbox-v1.1.0

soapbox-v1.0.0

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.1.9

v1.1.8

v1.1.7

v1.1.6

v1.1.5

v1.1.4

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.91

v1.0.90

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.9.0

Labels

Clear labels   

approved, awaiting change

  

bug

Something is not working

  

configuration

This requires config changes

  

documentation

This is about human-readable docs

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

extremely low priority

  

feature request

Something new?

  

Fix it yourself

Support has been attempted

  

help wanted

Need some help

  

invalid

Something is wrong

  

mastodon_api

  

needs docs

  

needs tests

  

not a bug

  

planned

  

pleroma_api

  

privacy

  

question

More information is needed

  

static_fe

  

triage

  

wontfix

This won't be fixed

No Label

approved, awaiting change

bug

configuration

documentation

duplicate

enhancement

extremely low priority

feature request

Fix it yourself

help wanted

invalid

mastodon_api

needs docs

needs tests

not a bug

planned

pleroma_api

privacy

question

static_fe

triage

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

3 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#694

No description provided.