gitea/nas
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 17

Merge commit from fork

Browse source 
Fix: LD Signaturesで署名された投稿の検索許可(検索範囲)が改竄できる問題
This commit is contained in:
KMY(雪あすか) 2024-09-10 12:01:59 +09:00 committed by GitHub
commit 3277819b62
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 37 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

8
app/lib/activitypub/parser/status_parser.rb
View file

@ -203,9 +203,9 @@ class ActivityPub::Parser::StatusParser
end end
def searchability_from_audience def searchability_from_audience
if audience_searchable_by.nil? return nil if audience_searchable_by.blank?
nil
elsif audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) } if audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) }
:public :public
elsif audience_searchable_by.include?('kmyblue:Limited') || audience_searchable_by.include?('as:Limited') elsif audience_searchable_by.include?('kmyblue:Limited') || audience_searchable_by.include?('as:Limited')
:limited :limited
@ -213,7 +213,7 @@ class ActivityPub::Parser::StatusParser
:public_unlisted :public_unlisted
elsif audience_searchable_by.include?(@account.followers_url) elsif audience_searchable_by.include?(@account.followers_url)
:private :private
else elsif audience_searchable_by.include?(@account.uri) || audience_searchable_by.include?(@account.url)
:direct :direct
end end
end end

4
app/lib/activitypub/tag_manager.rb
View file

@ -252,7 +252,7 @@ class ActivityPub::TagManager
when 'limited' when 'limited'
['as:Limited', 'kmyblue:Limited'] ['as:Limited', 'kmyblue:Limited']
else else
[] [account_url(status.account)]
end end
searchable_by.concat(mentions_uris(status)).compact searchable_by.concat(mentions_uris(status)).compact
@ -273,7 +273,7 @@ class ActivityPub::TagManager
when 'limited' when 'limited'
['as:Limited', 'kmyblue:Limited'] ['as:Limited', 'kmyblue:Limited']
else else
[] [account_url(account)]
end end
end end

2
app/services/activitypub/process_account_service.rb
View file

@ -282,7 +282,7 @@ class ActivityPub::ProcessAccountService < BaseService
end end
def searchability_from_audience def searchability_from_audience
if audience_searchable_by.nil? if audience_searchable_by.blank?
bio = searchability_from_bio bio = searchability_from_bio
return bio unless bio.nil? return bio unless bio.nil?

13
spec/lib/activitypub/activity/create_spec.rb
View file

@ -632,7 +632,7 @@ RSpec.describe ActivityPub::Activity::Create do
end end
context 'with direct' do context 'with direct' do
let(:searchable_by) { '' } let(:searchable_by) { 'https://example.com/actor' }
it 'create status' do it 'create status' do
status = sender.statuses.first status = sender.statuses.first
@ -642,6 +642,17 @@ RSpec.describe ActivityPub::Activity::Create do
end end
end end
context 'with empty array' do
let(:searchable_by) { '' }
it 'create status' do
status = sender.statuses.first
expect(status).to_not be_nil
expect(status.searchability).to be_nil
end
end
context 'with direct when not specify' do context 'with direct when not specify' do
let(:searchable_by) { nil } let(:searchable_by) { nil }

2
spec/lib/activitypub/tag_manager_spec.rb
View file

@ -210,7 +210,7 @@ RSpec.describe ActivityPub::TagManager do
it 'returns empty array for direct status' do it 'returns empty array for direct status' do
status = Fabricate(:status, searchability: :direct) status = Fabricate(:status, searchability: :direct)
expect(subject.searchable_by(status)).to eq [] expect(subject.searchable_by(status)).to eq ["https://cb6e6126.ngrok.io/users/#{status.account.username}"]
end end
it 'returns as:Limited array for limited status' do it 'returns as:Limited array for limited status' do

8
spec/serializers/activitypub/note_serializer_spec.rb
View file

@ -81,6 +81,14 @@ RSpec.describe ActivityPub::NoteSerializer do
end end
end end
context 'when direct searchability' do
let(:searchability) { :direct }
it 'send as direct searchability' do
expect(subject['searchableBy']).to include "https://cb6e6126.ngrok.io/users/#{account.username}"
end
end
context 'when has a reference' do context 'when has a reference' do
let(:referred) { Fabricate(:status) } let(:referred) { Fabricate(:status) }

10
spec/services/activitypub/process_account_service_spec.rb
View file

@ -150,7 +150,7 @@ RSpec.describe ActivityPub::ProcessAccountService do
end end
context 'when direct' do context 'when direct' do
let(:searchable_by) { '' } let(:searchable_by) { 'https://foo.test' }
it 'searchability is direct' do it 'searchability is direct' do
expect(subject.searchability).to eq 'direct' expect(subject.searchability).to eq 'direct'
@ -173,6 +173,14 @@ RSpec.describe ActivityPub::ProcessAccountService do
end end
end end
context 'when empty array' do
let(:searchable_by) { '' }
it 'searchability is direct' do
expect(subject.searchability).to eq 'direct'
end
end
context 'when default value' do context 'when default value' do
let(:searchable_by) { nil } let(:searchable_by) { nil }