Merge pull request from GHSA-qg32-3vrh-w6mw

app/controllers/concerns/cache_concern.rb

@@ -180,6 +180,16 @@ module CacheConcern
   def render_with_cache(**options)
     raise ArgumentError, 'Only JSON render calls are supported' unless options.key?(:json) || block_given?
 
+    if options.delete(:cancel_cache)
+      if block_given?
+        options[:json] = yield
+      elsif options[:json].is_a?(Symbol)
+        options[:json] = send(options[:json])
+      end
+
+      return render(options)
+    end
+
     key        = options.delete(:key) || [[params[:controller], params[:action]].join('/'), options[:json].respond_to?(:cache_key) ? options[:json].cache_key : nil, options[:fields].nil? ? nil : options[:fields].join(',')].compact.join(':')
     expires_in = options.delete(:expires_in) || 3.minutes
     body       = Rails.cache.read(key, raw: true)

app/controllers/statuses_controller.rb

@@ -30,15 +30,15 @@ class StatusesController < ApplicationController
       end
 
       format.json do
-        expires_in 3.minutes, public: true if @status.distributable? && public_fetch_mode?
-        render_with_cache json: @status, content_type: 'application/activity+json', serializer: ActivityPub::NoteSerializer, adapter: ActivityPub::Adapter
+        expires_in 3.minutes, public: true if @status.distributable? && public_fetch_mode? && !misskey_software?
+        render_with_cache json: @status, content_type: 'application/activity+json', serializer: status_activity_serializer, adapter: ActivityPub::Adapter, cancel_cache: misskey_software?
       end
     end
   end
 
   def activity
-    expires_in 3.minutes, public: @status.distributable? && public_fetch_mode?
-    render_with_cache json: ActivityPub::ActivityPresenter.from_status(@status), content_type: 'application/activity+json', serializer: ActivityPub::ActivitySerializer, adapter: ActivityPub::Adapter
+    expires_in 3.minutes, public: @status.distributable? && public_fetch_mode? && !misskey_software?
+    render_with_cache json: ActivityPub::ActivityPresenter.from_status(@status, for_misskey: misskey_software?), content_type: 'application/activity+json', serializer: ActivityPub::ActivitySerializer, adapter: ActivityPub::Adapter, cancel_cache: misskey_software?
   end
 
   def embed
@@ -76,6 +76,29 @@ class StatusesController < ApplicationController
     @instance_presenter = InstancePresenter.new
   end
 
+  def misskey_software?
+    return @misskey_software if defined?(@misskey_software)
+
+    @misskey_software = false
+
+    return false if !@status.local? || signed_request_account&.domain.blank?
+
+    info = InstanceInfo.find_by(domain: signed_request_account.domain)
+    return false if info.nil?
+
+    @misskey_software = %w(misskey calckey cherrypick sharkey).include?(info.software) &&
+                        ((@status.public_unlisted_visibility? && @status.account.user&.setting_reject_public_unlisted_subscription) ||
+                         (@status.unlisted_visibility? && @status.account.user&.setting_reject_unlisted_subscription))
+  end
+
+  def status_activity_serializer
+    if misskey_software?
+      ActivityPub::NoteForMisskeySerializer
+    else
+      ActivityPub::NoteSerializer
+    end
+  end
+
   def redirect_to_original
     redirect_to(ActivityPub::TagManager.instance.url_for(@status.reblog), allow_other_host: true) if @status.reblog?
   end