Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)
							parent
							
								
									c004399975
								
							
						
					
					
						commit
						e0db9f37f5
					
				
					 8 changed files with 203 additions and 124 deletions
				
			
		|  | @ -5,35 +5,28 @@ class Api::V1::Statuses::BookmarksController < Api::BaseController | ||||||
| 
 | 
 | ||||||
|   before_action -> { doorkeeper_authorize! :write, :'write:bookmarks' } |   before_action -> { doorkeeper_authorize! :write, :'write:bookmarks' } | ||||||
|   before_action :require_user! |   before_action :require_user! | ||||||
|  |   before_action :set_status | ||||||
| 
 | 
 | ||||||
|   respond_to :json |   respond_to :json | ||||||
| 
 | 
 | ||||||
|   def create |   def create | ||||||
|     @status = bookmarked_status |     current_account.bookmarks.find_or_create_by!(account: current_account, status: @status) | ||||||
|     render json: @status, serializer: REST::StatusSerializer |     render json: @status, serializer: REST::StatusSerializer | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   def destroy |   def destroy | ||||||
|     @status = requested_status |     bookmark = current_account.bookmarks.find_by(status: @status) | ||||||
|     @bookmarks_map = { @status.id => false } |     bookmark&.destroy! | ||||||
| 
 | 
 | ||||||
|     bookmark = Bookmark.find_by!(account: current_user.account, status: @status) |     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false }) | ||||||
|     bookmark.destroy! |  | ||||||
| 
 |  | ||||||
|     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, bookmarks_map: @bookmarks_map) |  | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   private |   private | ||||||
| 
 | 
 | ||||||
|   def bookmarked_status |   def set_status | ||||||
|     authorize_with current_user.account, requested_status, :show? |     @status = Status.find(params[:status_id]) | ||||||
| 
 |     authorize @status, :show? | ||||||
|     bookmark = Bookmark.find_or_create_by!(account: current_user.account, status: requested_status) |   rescue Mastodon::NotPermittedError | ||||||
| 
 |     not_found | ||||||
|     bookmark.status.reload |  | ||||||
|   end |  | ||||||
| 
 |  | ||||||
|   def requested_status |  | ||||||
|     Status.find(params[:status_id]) |  | ||||||
|   end |   end | ||||||
| end | end | ||||||
|  |  | ||||||
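Review bot: Running `set_status` before `destroy` means a user who bookmarked a status while it was visible to them (a private post from an account they later unfollowed, for instance) now gets 404 and can never remove that bookmark, whereas the old `Bookmark.find_by!` path allowed it. A bookmark is the caller's own private record, so `destroy` could look it up by `status_id` first and only fall back to the visibility check when nothing is found — a non-visible status still answers 404, so the leak this commit closes stays closed. That needs `before_action :set_status, except: :destroy` and a `return if performed?` after the fallback, assuming `not_found` renders (not visible here). Whether echoing back a status the caller can no longer see is acceptable is a policy call to confirm; the spec for this controller does not cover the bookmarked-then-unfollowed case either.
```ruby
before_action :set_status, except: :destroy

# … unchanged: create …

def destroy
  # The caller's own bookmark may always be removed, even if the status is
  # no longer visible to them; fall back to the visibility check (404) only
  # when there is nothing to remove, so non-visible statuses stay indistinguishable.
  bookmark = current_account.bookmarks.find_by(status_id: params[:status_id])

  if bookmark
    @status = bookmark.status
    bookmark.destroy!
  else
    set_status
    return if performed?
  end

  render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false })
end
```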
|  | @ -69,8 +69,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController | ||||||
|     @status = Status.find(params[:status_id]) |     @status = Status.find(params[:status_id]) | ||||||
|     authorize @status, :show? |     authorize @status, :show? | ||||||
|   rescue Mastodon::NotPermittedError |   rescue Mastodon::NotPermittedError | ||||||
|     # Reraise in order to get a 404 instead of a 403 error code |     not_found | ||||||
|     raise ActiveRecord::RecordNotFound |  | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   def pagination_params(core_params) |   def pagination_params(core_params) | ||||||
|  |  | ||||||
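Review bot: The replaced lines drop the only explanation of why a `Mastodon::NotPermittedError` is answered with 404 instead of 403; `not_found` is presumably a base-controller helper (not visible in this hunk), and without the comment the rescue reads like an authorization error being swallowed by accident. Keep a one-liner above the `rescue`, e.g. `# Answer 404, not 403, so the existence of a status the caller may not see is not revealed`. The enclosing method's signature lies outside this hunk.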
|  | @ -5,34 +5,26 @@ class Api::V1::Statuses::FavouritesController < Api::BaseController | ||||||
| 
 | 
 | ||||||
|   before_action -> { doorkeeper_authorize! :write, :'write:favourites' } |   before_action -> { doorkeeper_authorize! :write, :'write:favourites' } | ||||||
|   before_action :require_user! |   before_action :require_user! | ||||||
|  |   before_action :set_status | ||||||
| 
 | 
 | ||||||
|   respond_to :json |   respond_to :json | ||||||
| 
 | 
 | ||||||
|   def create |   def create | ||||||
|     @status = favourited_status |     FavouriteService.new.call(current_account, @status) | ||||||
|     render json: @status, serializer: REST::StatusSerializer |     render json: @status, serializer: REST::StatusSerializer | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   def destroy |   def destroy | ||||||
|     @status = requested_status |     UnfavouriteWorker.perform_async(current_account.id, @status.id) | ||||||
|     @favourites_map = { @status.id => false } |     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false }) | ||||||
| 
 |  | ||||||
|     UnfavouriteWorker.perform_async(current_user.account_id, @status.id) |  | ||||||
| 
 |  | ||||||
|     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, favourites_map: @favourites_map) |  | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   private |   private | ||||||
| 
 | 
 | ||||||
|   def favourited_status |   def set_status | ||||||
|     service_result.status.reload |     @status = Status.find(params[:status_id]) | ||||||
|   end |     authorize @status, :show? | ||||||
| 
 |   rescue Mastodon::NotPermittedError | ||||||
|   def service_result |     not_found | ||||||
|     FavouriteService.new.call(current_user.account, requested_status) |  | ||||||
|   end |  | ||||||
| 
 |  | ||||||
|   def requested_status |  | ||||||
|     Status.find(params[:status_id]) |  | ||||||
|   end |   end | ||||||
| end | end | ||||||
|  |  | ||||||
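Review bot: `set_status` (find, `authorize :show?`, `NotPermittedError` mapped to `not_found`) is now copied verbatim into this controller, the bookmarks and reblogs controllers and both `*ByAccountsController`s, so any one copy can drift back to leaking a 403 or the raw record without the others noticing. Consider hoisting it into `Api::BaseController` (or a small concern) as the single implementation of "a status the caller may not see looks like a missing status", and give it a comment stating that intent, since the bare rescue reads as swallowing an authorization failure. Separately, `create` no longer reloads the status after `FavouriteService.new.call`; the spec asserts `favourites_count` is 1, so the counter is presumably updated on the in-memory object, but that is worth confirming if the service changes.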
|  | @ -66,8 +66,7 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController | ||||||
|     @status = Status.find(params[:status_id]) |     @status = Status.find(params[:status_id]) | ||||||
|     authorize @status, :show? |     authorize @status, :show? | ||||||
|   rescue Mastodon::NotPermittedError |   rescue Mastodon::NotPermittedError | ||||||
|     # Reraise in order to get a 404 instead of a 403 error code |     not_found | ||||||
|     raise ActiveRecord::RecordNotFound |  | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   def pagination_params(core_params) |   def pagination_params(core_params) | ||||||
|  |  | ||||||
|  | @ -5,33 +5,34 @@ class Api::V1::Statuses::ReblogsController < Api::BaseController | ||||||
| 
 | 
 | ||||||
|   before_action -> { doorkeeper_authorize! :write, :'write:statuses' } |   before_action -> { doorkeeper_authorize! :write, :'write:statuses' } | ||||||
|   before_action :require_user! |   before_action :require_user! | ||||||
|  |   before_action :set_reblog | ||||||
| 
 | 
 | ||||||
|   respond_to :json |   respond_to :json | ||||||
| 
 | 
 | ||||||
|   def create |   def create | ||||||
|     @status = ReblogService.new.call(current_user.account, status_for_reblog, reblog_params) |     @status = ReblogService.new.call(current_account, @reblog, reblog_params) | ||||||
|     render json: @status, serializer: REST::StatusSerializer |     render json: @status, serializer: REST::StatusSerializer | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   def destroy |   def destroy | ||||||
|     @status = status_for_destroy.reblog |     @status = current_account.statuses.find_by(reblog_of_id: @reblog.id) | ||||||
|     @reblogs_map = { @status.id => false } |  | ||||||
| 
 | 
 | ||||||
|     authorize status_for_destroy, :unreblog? |     if @status | ||||||
|     status_for_destroy.discard |       authorize @status, :unreblog? | ||||||
|     RemovalWorker.perform_async(status_for_destroy.id) |       @status.discard | ||||||
|  |       RemovalWorker.perform_async(@status.id) | ||||||
|  |     end | ||||||
| 
 | 
 | ||||||
|     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, reblogs_map: @reblogs_map) |     render json: @reblog, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, reblogs_map: { @reblog.id => false }) | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   private |   private | ||||||
| 
 | 
 | ||||||
|   def status_for_reblog |   def set_reblog | ||||||
|     Status.find params[:status_id] |     @reblog = Status.find(params[:status_id]) | ||||||
|   end |     authorize @reblog, :show? | ||||||
| 
 |   rescue Mastodon::NotPermittedError | ||||||
|   def status_for_destroy |     not_found | ||||||
|     @status_for_destroy ||= current_user.account.statuses.where(reblog_of_id: params[:status_id]).first! |  | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   def reblog_params |   def reblog_params | ||||||
|  |  | ||||||
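Review bot: In `destroy` the response renders `@reblog`, but the relationships presenter is built from `[@status]`, which is `nil` when the caller has no reblog of this status — the new path the `if @status` guard introduces. Whether `StatusRelationshipsPresenter` tolerates a `nil` entry is not visible here, and even where it does, the relationship lookups are keyed on the wrapper status rather than the one being serialized. Build it from the rendered object instead: `StatusRelationshipsPresenter.new([@reblog], current_account.id, reblogs_map: { @reblog.id => false })`. The spec only covers the reblogged and the not-visible cases, so the visible-but-not-reblogged branch that reaches this line is untested.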
|  | @ -21,36 +21,67 @@ describe Api::V1::Statuses::BookmarksController do | ||||||
|         post :create, params: { status_id: status.id } |         post :create, params: { status_id: status.id } | ||||||
|       end |       end | ||||||
| 
 | 
 | ||||||
|       it 'returns http success' do |       context 'with public status' do | ||||||
|         expect(response).to have_http_status(:success) |         it 'returns http success' do | ||||||
|  |           expect(response).to have_http_status(:success) | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the bookmarked attribute' do | ||||||
|  |           expect(user.account.bookmarked?(status)).to be true | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns json with updated attributes' do | ||||||
|  |           hash_body = body_as_json | ||||||
|  | 
 | ||||||
|  |           expect(hash_body[:id]).to eq status.id.to_s | ||||||
|  |           expect(hash_body[:bookmarked]).to be true | ||||||
|  |         end | ||||||
|       end |       end | ||||||
| 
 | 
 | ||||||
|       it 'updates the bookmarked attribute' do |       context 'with private status of not-followed account' do | ||||||
|         expect(user.account.bookmarked?(status)).to be true |         let(:status) { Fabricate(:status, visibility: :private) } | ||||||
|       end |  | ||||||
| 
 | 
 | ||||||
|       it 'return json with updated attributes' do |         it 'returns http not found' do | ||||||
|         hash_body = body_as_json |           expect(response).to have_http_status(404) | ||||||
| 
 |         end | ||||||
|         expect(hash_body[:id]).to eq status.id.to_s |  | ||||||
|         expect(hash_body[:bookmarked]).to be true |  | ||||||
|       end |       end | ||||||
|     end |     end | ||||||
| 
 | 
 | ||||||
|     describe 'POST #destroy' do |     describe 'POST #destroy' do | ||||||
|       let(:status) { Fabricate(:status, account: user.account) } |       context 'with public status' do | ||||||
|  |         let(:status) { Fabricate(:status, account: user.account) } | ||||||
| 
 | 
 | ||||||
|       before do |         before do | ||||||
|         Bookmark.find_or_create_by!(account: user.account, status: status) |           Bookmark.find_or_create_by!(account: user.account, status: status) | ||||||
|         post :destroy, params: { status_id: status.id } |           post :destroy, params: { status_id: status.id } | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns http success' do | ||||||
|  |           expect(response).to have_http_status(:success) | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the bookmarked attribute' do | ||||||
|  |           expect(user.account.bookmarked?(status)).to be false | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns json with updated attributes' do | ||||||
|  |           hash_body = body_as_json | ||||||
|  | 
 | ||||||
|  |           expect(hash_body[:id]).to eq status.id.to_s | ||||||
|  |           expect(hash_body[:bookmarked]).to be false | ||||||
|  |         end | ||||||
|       end |       end | ||||||
| 
 | 
 | ||||||
|       it 'returns http success' do |       context 'with private status that was not bookmarked' do | ||||||
|         expect(response).to have_http_status(:success) |         let(:status) { Fabricate(:status, visibility: :private) } | ||||||
|       end |  | ||||||
| 
 | 
 | ||||||
|       it 'updates the bookmarked attribute' do |         before do | ||||||
|         expect(user.account.bookmarked?(status)).to be false |           post :destroy, params: { status_id: status.id } | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns http not found' do | ||||||
|  |           expect(response).to have_http_status(404) | ||||||
|  |         end | ||||||
|       end |       end | ||||||
|     end |     end | ||||||
|   end |   end | ||||||
|  |  | ||||||
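Review bot: The 'private status of not-followed account' context asserts only the status code, so a regression that created the bookmark and then returned 404 would still pass; add `expect(user.account.bookmarked?(status)).to be false` to that `create` case. There is also no positive case for a private status the user is allowed to see (author followed by the user, or the user's own), so the spec cannot tell "visibility enforced" apart from "every private status rejected". A `direct` visibility status is likewise uncovered.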
|  | @ -21,45 +21,77 @@ describe Api::V1::Statuses::FavouritesController do | ||||||
|         post :create, params: { status_id: status.id } |         post :create, params: { status_id: status.id } | ||||||
|       end |       end | ||||||
| 
 | 
 | ||||||
|       it 'returns http success' do |       context 'with public status' do | ||||||
|         expect(response).to have_http_status(200) |         it 'returns http success' do | ||||||
|  |           expect(response).to have_http_status(200) | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the favourites count' do | ||||||
|  |           expect(status.favourites.count).to eq 1 | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the favourited attribute' do | ||||||
|  |           expect(user.account.favourited?(status)).to be true | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns json with updated attributes' do | ||||||
|  |           hash_body = body_as_json | ||||||
|  | 
 | ||||||
|  |           expect(hash_body[:id]).to eq status.id.to_s | ||||||
|  |           expect(hash_body[:favourites_count]).to eq 1 | ||||||
|  |           expect(hash_body[:favourited]).to be true | ||||||
|  |         end | ||||||
|       end |       end | ||||||
| 
 | 
 | ||||||
|       it 'updates the favourites count' do |       context 'with private status of not-followed account' do | ||||||
|         expect(status.favourites.count).to eq 1 |         let(:status) { Fabricate(:status, visibility: :private) } | ||||||
|       end |  | ||||||
| 
 | 
 | ||||||
|       it 'updates the favourited attribute' do |         it 'returns http not found' do | ||||||
|         expect(user.account.favourited?(status)).to be true |           expect(response).to have_http_status(404) | ||||||
|       end |         end | ||||||
| 
 |  | ||||||
|       it 'return json with updated attributes' do |  | ||||||
|         hash_body = body_as_json |  | ||||||
| 
 |  | ||||||
|         expect(hash_body[:id]).to eq status.id.to_s |  | ||||||
|         expect(hash_body[:favourites_count]).to eq 1 |  | ||||||
|         expect(hash_body[:favourited]).to be true |  | ||||||
|       end |       end | ||||||
|     end |     end | ||||||
| 
 | 
 | ||||||
|     describe 'POST #destroy' do |     describe 'POST #destroy' do | ||||||
|       let(:status) { Fabricate(:status, account: user.account) } |       context 'with public status' do | ||||||
|  |         let(:status) { Fabricate(:status, account: user.account) } | ||||||
| 
 | 
 | ||||||
|       before do |         before do | ||||||
|         FavouriteService.new.call(user.account, status) |           FavouriteService.new.call(user.account, status) | ||||||
|         post :destroy, params: { status_id: status.id } |           post :destroy, params: { status_id: status.id } | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns http success' do | ||||||
|  |           expect(response).to have_http_status(200) | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the favourites count' do | ||||||
|  |           expect(status.favourites.count).to eq 0 | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the favourited attribute' do | ||||||
|  |           expect(user.account.favourited?(status)).to be false | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns json with updated attributes' do | ||||||
|  |           hash_body = body_as_json | ||||||
|  | 
 | ||||||
|  |           expect(hash_body[:id]).to eq status.id.to_s | ||||||
|  |           expect(hash_body[:favourites_count]).to eq 0 | ||||||
|  |           expect(hash_body[:favourited]).to be false | ||||||
|  |         end | ||||||
|       end |       end | ||||||
| 
 | 
 | ||||||
|       it 'returns http success' do |       context 'with private status that was not favourited' do | ||||||
|         expect(response).to have_http_status(200) |         let(:status) { Fabricate(:status, visibility: :private) } | ||||||
|       end |  | ||||||
| 
 | 
 | ||||||
|       it 'updates the favourites count' do |         before do | ||||||
|         expect(status.favourites.count).to eq 0 |           post :destroy, params: { status_id: status.id } | ||||||
|       end |         end | ||||||
| 
 | 
 | ||||||
|       it 'updates the favourited attribute' do |         it 'returns http not found' do | ||||||
|         expect(user.account.favourited?(status)).to be false |           expect(response).to have_http_status(404) | ||||||
|  |         end | ||||||
|       end |       end | ||||||
|     end |     end | ||||||
|   end |   end | ||||||
|  |  | ||||||
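Review bot: Both private-status contexts stop at the 404 assertion; for the `create` case add `expect(status.favourites.count).to eq 0` and `expect(user.account.favourited?(status)).to be false` so the test proves nothing was persisted before the rejection. A 'private status of a followed account' context expecting 200 would pin the intended positive path, which nothing here exercises. The `destroy` private case never reaches `UnfavouriteWorker` because the before_action rejects first, so the 404 alone is sufficient there.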
|  | @ -21,45 +21,77 @@ describe Api::V1::Statuses::ReblogsController do | ||||||
|         post :create, params: { status_id: status.id } |         post :create, params: { status_id: status.id } | ||||||
|       end |       end | ||||||
| 
 | 
 | ||||||
|       it 'returns http success' do |       context 'with public status' do | ||||||
|         expect(response).to have_http_status(200) |         it 'returns http success' do | ||||||
|  |           expect(response).to have_http_status(200) | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the reblogs count' do | ||||||
|  |           expect(status.reblogs.count).to eq 1 | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the reblogged attribute' do | ||||||
|  |           expect(user.account.reblogged?(status)).to be true | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns json with updated attributes' do | ||||||
|  |           hash_body = body_as_json | ||||||
|  | 
 | ||||||
|  |           expect(hash_body[:reblog][:id]).to eq status.id.to_s | ||||||
|  |           expect(hash_body[:reblog][:reblogs_count]).to eq 1 | ||||||
|  |           expect(hash_body[:reblog][:reblogged]).to be true | ||||||
|  |         end | ||||||
|       end |       end | ||||||
| 
 | 
 | ||||||
|       it 'updates the reblogs count' do |       context 'with private status of not-followed account' do | ||||||
|         expect(status.reblogs.count).to eq 1 |         let(:status) { Fabricate(:status, visibility: :private) } | ||||||
|       end |  | ||||||
| 
 | 
 | ||||||
|       it 'updates the reblogged attribute' do |         it 'returns http not found' do | ||||||
|         expect(user.account.reblogged?(status)).to be true |           expect(response).to have_http_status(404) | ||||||
|       end |         end | ||||||
| 
 |  | ||||||
|       it 'return json with updated attributes' do |  | ||||||
|         hash_body = body_as_json |  | ||||||
| 
 |  | ||||||
|         expect(hash_body[:reblog][:id]).to eq status.id.to_s |  | ||||||
|         expect(hash_body[:reblog][:reblogs_count]).to eq 1 |  | ||||||
|         expect(hash_body[:reblog][:reblogged]).to be true |  | ||||||
|       end |       end | ||||||
|     end |     end | ||||||
| 
 | 
 | ||||||
|     describe 'POST #destroy' do |     describe 'POST #destroy' do | ||||||
|       let(:status) { Fabricate(:status, account: user.account) } |       context 'with public status' do | ||||||
|  |         let(:status) { Fabricate(:status, account: user.account) } | ||||||
| 
 | 
 | ||||||
|       before do |         before do | ||||||
|         ReblogService.new.call(user.account, status) |           ReblogService.new.call(user.account, status) | ||||||
|         post :destroy, params: { status_id: status.id } |           post :destroy, params: { status_id: status.id } | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns http success' do | ||||||
|  |           expect(response).to have_http_status(200) | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the reblogs count' do | ||||||
|  |           expect(status.reblogs.count).to eq 0 | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'updates the reblogged attribute' do | ||||||
|  |           expect(user.account.reblogged?(status)).to be false | ||||||
|  |         end | ||||||
|  | 
 | ||||||
|  |         it 'returns json with updated attributes' do | ||||||
|  |           hash_body = body_as_json | ||||||
|  | 
 | ||||||
|  |           expect(hash_body[:id]).to eq status.id.to_s | ||||||
|  |           expect(hash_body[:reblogs_count]).to eq 0 | ||||||
|  |           expect(hash_body[:reblogged]).to be false | ||||||
|  |         end | ||||||
|       end |       end | ||||||
| 
 | 
 | ||||||
|       it 'returns http success' do |       context 'with private status that was not reblogged' do | ||||||
|         expect(response).to have_http_status(200) |         let(:status) { Fabricate(:status, visibility: :private) } | ||||||
|       end |  | ||||||
| 
 | 
 | ||||||
|       it 'updates the reblogs count' do |         before do | ||||||
|         expect(status.reblogs.count).to eq 0 |           post :destroy, params: { status_id: status.id } | ||||||
|       end |         end | ||||||
| 
 | 
 | ||||||
|       it 'updates the reblogged attribute' do |         it 'returns http not found' do | ||||||
|         expect(user.account.reblogged?(status)).to be false |           expect(response).to have_http_status(404) | ||||||
|  |         end | ||||||
|       end |       end | ||||||
|     end |     end | ||||||
|   end |   end | ||||||
|  |  | ||||||
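Review bot: The new `destroy` branch for a visible status the user never reblogged (the controller's `@status` is nil there) has no spec; only the reblogged and the not-visible cases are covered, so the response on that path — including the relationships presenter being handed a nil entry — is unverified. Add a context that posts `destroy` without a prior `ReblogService` call and asserts 200 with `reblogged` false.
```ruby
context 'with public status that was not reblogged' do
  let(:status) { Fabricate(:status, account: user.account) }

  before do
    post :destroy, params: { status_id: status.id }
  end

  it 'returns http success' do
    expect(response).to have_http_status(200)
  end

  it 'returns json with reblogged false' do
    expect(body_as_json[:reblogged]).to be false
  end
end
```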