Merge pull request from GHSA-c7p6-c688-fhgp

* FixSec: スタンプを経由してカスタム絵文字のデータを改竄できる問題 * Fix: 相乗り絵文字が受け取れない問題とテスト * Change: 相乗りスタンプは常にオリジナルの情報を参照 * Fix: uriまで偽装した場合に対応
2023-10-26 08:22:24 +09:00 · 2023-10-26 08:22:24 +09:00 · e6ad0ec41a
commit e6ad0ec41a
parent c485044a1e
3 changed files with 127 additions and 10 deletions
--- a/app/lib/activitypub/activity/like.rb
+++ b/app/lib/activitypub/activity/like.rb
@ -3,6 +3,7 @@
 class ActivityPub::Activity::Like < ActivityPub::Activity
  include Redisable
  include Lockable
+  include JsonLdHelper

  def perform
    @original_status = status_from_uri(object_uri)
@ -93,7 +94,7 @@ class ActivityPub::Activity::Like < ActivityPub::Activity

    return if custom_emoji_parser.shortcode.blank? || custom_emoji_parser.image_remote_url.blank?

-    domain = tag['domain'] || URI.split(custom_emoji_parser.uri)[2] || @account.domain
+    domain = URI.split(custom_emoji_parser.uri)[2] || @account.domain

    if domain == Rails.configuration.x.local_domain || domain == Rails.configuration.x.web_domain
      # Block overwriting remote-but-local data
@ -109,6 +110,9 @@ class ActivityPub::Activity::Like < ActivityPub::Activity
                        (custom_emoji_parser.updated_at && custom_emoji_parser.updated_at >= emoji.updated_at) ||
                        custom_emoji_parser.license != emoji.license

+    custom_emoji_parser = original_emoji_parser(custom_emoji_parser) if @account.domain != domain
+    return if custom_emoji_parser.nil?
+
    begin
      emoji ||= CustomEmoji.new(
        domain: domain,
@ -126,6 +130,17 @@ class ActivityPub::Activity::Like < ActivityPub::Activity
    emoji
  end

+  def original_emoji_parser(custom_emoji_parser)
+    uri = custom_emoji_parser.uri
+    emoji = fetch_resource_without_id_validation(uri)
+    return nil unless emoji
+
+    parser = ActivityPub::Parser::CustomEmojiParser.new(emoji)
+    return nil unless parser.uri == uri && custom_emoji_parser.shortcode == parser.shortcode
+
+    parser
+  end
+
  def skip_download?(domain)
    DomainBlock.reject_media?(domain)
  end
--- a/app/serializers/activitypub/emoji_serializer.rb
+++ b/app/serializers/activitypub/emoji_serializer.rb
@ -5,7 +5,7 @@ class ActivityPub::EmojiSerializer < ActivityPub::Serializer

  context_extensions :emoji

-  attributes :id, :type, :domain, :name, :is_sensitive, :updated
+  attributes :id, :type, :name, :is_sensitive, :updated

  attribute :license, if: -> { object.license.present? }

@ -19,10 +19,6 @@ class ActivityPub::EmojiSerializer < ActivityPub::Serializer
    'Emoji'
  end

-  def domain
-    object.domain.presence || Rails.configuration.x.local_domain
-  end
-
  def icon
    object.image
  end