Merge commit from fork

Fix: LD Signaturesで署名された投稿の検索許可（検索範囲）が改竄できる問題
2024-09-10 12:01:59 +09:00 · 2024-09-10 12:01:59 +09:00 · 330bf5a369
commit 330bf5a369
parent ccf9101007 9b9458f436
7 changed files with 37 additions and 10 deletions
--- a/app/lib/activitypub/parser/status_parser.rb
+++ b/app/lib/activitypub/parser/status_parser.rb
@ -203,9 +203,9 @@ class ActivityPub::Parser::StatusParser
  end

  def searchability_from_audience
-    if audience_searchable_by.nil?
-      nil
-    elsif audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) }
+    return nil if audience_searchable_by.blank?
+
+    if audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) }
      :public
    elsif audience_searchable_by.include?('kmyblue:Limited') || audience_searchable_by.include?('as:Limited')
      :limited
@ -213,7 +213,7 @@ class ActivityPub::Parser::StatusParser
      :public_unlisted
    elsif audience_searchable_by.include?(@account.followers_url)
      :private
-    else
+    elsif audience_searchable_by.include?(@account.uri) || audience_searchable_by.include?(@account.url)
      :direct
    end
  end
--- a/app/lib/activitypub/tag_manager.rb
+++ b/app/lib/activitypub/tag_manager.rb
@ -252,7 +252,7 @@ class ActivityPub::TagManager
      when 'limited'
        ['as:Limited', 'kmyblue:Limited']
      else
-        []
+        [account_url(status.account)]
      end

    searchable_by.concat(mentions_uris(status)).compact
@ -273,7 +273,7 @@ class ActivityPub::TagManager
    when 'limited'
      ['as:Limited', 'kmyblue:Limited']
    else
-      []
+      [account_url(account)]
    end
  end

--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
@ -282,7 +282,7 @@ class ActivityPub::ProcessAccountService < BaseService
  end

  def searchability_from_audience
-    if audience_searchable_by.nil?
+    if audience_searchable_by.blank?
      bio = searchability_from_bio
      return bio unless bio.nil?

--- a/spec/lib/activitypub/activity/create_spec.rb
+++ b/spec/lib/activitypub/activity/create_spec.rb
@ -632,7 +632,7 @@ RSpec.describe ActivityPub::Activity::Create do
        end

        context 'with direct' do
-          let(:searchable_by) { '' }
+          let(:searchable_by) { 'https://example.com/actor' }

          it 'create status' do
            status = sender.statuses.first
@ -642,6 +642,17 @@ RSpec.describe ActivityPub::Activity::Create do
          end
        end

+        context 'with empty array' do
+          let(:searchable_by) { '' }
+
+          it 'create status' do
+            status = sender.statuses.first
+
+            expect(status).to_not be_nil
+            expect(status.searchability).to be_nil
+          end
+        end
+
        context 'with direct when not specify' do
          let(:searchable_by) { nil }

--- a/spec/lib/activitypub/tag_manager_spec.rb
+++ b/spec/lib/activitypub/tag_manager_spec.rb
@ -210,7 +210,7 @@ RSpec.describe ActivityPub::TagManager do

    it 'returns empty array for direct status' do
      status    = Fabricate(:status, searchability: :direct)
-      expect(subject.searchable_by(status)).to eq []
+      expect(subject.searchable_by(status)).to eq ["https://cb6e6126.ngrok.io/users/#{status.account.username}"]
    end

    it 'returns as:Limited array for limited status' do
--- a/spec/serializers/activitypub/note_serializer_spec.rb
+++ b/spec/serializers/activitypub/note_serializer_spec.rb
@ -81,6 +81,14 @@ describe ActivityPub::NoteSerializer do
    end
  end

+  context 'when direct searchability' do
+    let(:searchability) { :direct }
+
+    it 'send as direct searchability' do
+      expect(subject['searchableBy']).to include "https://cb6e6126.ngrok.io/users/#{account.username}"
+    end
+  end
+
  context 'when has a reference' do
    let(:referred) { Fabricate(:status) }

--- a/spec/services/activitypub/process_account_service_spec.rb
+++ b/spec/services/activitypub/process_account_service_spec.rb
@ -150,7 +150,7 @@ RSpec.describe ActivityPub::ProcessAccountService do
    end

    context 'when direct' do
-      let(:searchable_by) { '' }
+      let(:searchable_by) { 'https://foo.test' }

      it 'searchability is direct' do
        expect(subject.searchability).to eq 'direct'
@ -173,6 +173,14 @@ RSpec.describe ActivityPub::ProcessAccountService do
      end
    end

+    context 'when empty array' do
+      let(:searchable_by) { '' }
+
+      it 'searchability is direct' do
+        expect(subject.searchability).to eq 'direct'
+      end
+    end
+
    context 'when default value' do
      let(:searchable_by) { nil }