Fix: LD Signaturesで署名された投稿の検索許可（検索範囲）が改竄できる問題

2024-09-10 06:51:26 +09:00 · 2024-09-10 06:51:26 +09:00 · 91a2dc81c4
commit 91a2dc81c4
parent 39e73b4df8
7 changed files with 36 additions and 9 deletions
--- a/app/lib/activitypub/parser/status_parser.rb
+++ b/app/lib/activitypub/parser/status_parser.rb
@ -203,9 +203,9 @@ class ActivityPub::Parser::StatusParser
  end

  def searchability_from_audience
-    if audience_searchable_by.nil?
-      nil
-    elsif audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) }
+    return nil if audience_searchable_by.blank?
+
+    if audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) }
      :public
    elsif audience_searchable_by.include?('kmyblue:Limited') || audience_searchable_by.include?('as:Limited')
      :limited
@ -213,7 +213,7 @@ class ActivityPub::Parser::StatusParser
      :public_unlisted
    elsif audience_searchable_by.include?(@account.followers_url)
      :private
-    else
+    elsif audience_searchable_by.include?(@account.uri) || audience_searchable_by.include?(@account.url)
      :direct
    end
  end
--- a/app/lib/activitypub/tag_manager.rb
+++ b/app/lib/activitypub/tag_manager.rb
@ -252,7 +252,7 @@ class ActivityPub::TagManager
      when 'limited'
        ['as:Limited', 'kmyblue:Limited']
      else
-        []
+        [account_url(status.account)]
      end

    searchable_by.concat(mentions_uris(status)).compact
--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
@ -282,7 +282,7 @@ class ActivityPub::ProcessAccountService < BaseService
  end

  def searchability_from_audience
-    if audience_searchable_by.nil?
+    if audience_searchable_by.blank?
      bio = searchability_from_bio
      return bio unless bio.nil?