Fix url guessing attacks.

2018-05-30 20:00:27 +02:00 · 2018-05-30 20:00:27 +02:00 · 349400c06a
commit 349400c06a
parent 196d36a7d5
4 changed files with 74 additions and 4 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -20,10 +20,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  def object(conn, %{"uuid" => uuid}) do
    with ap_id <- o_status_url(conn, :object, uuid),
-         %Object{} = object <- Object.get_cached_by_ap_id(ap_id) do
+         %Object{} = object <- Object.get_cached_by_ap_id(ap_id),
+         {_, true} <- {:public?, ActivityPub.is_public?(object)} do
      conn
      |> put_resp_header("content-type", "application/activity+json")
      |> json(ObjectView.render("object.json", %{object: object}))
+    else
+      {:public?, false} ->
+        conn
+        |> put_status(404)
+        |> json("Not found")
    end
  end

--- a/lib/pleroma/web/ostatus/ostatus_controller.ex
+++ b/lib/pleroma/web/ostatus/ostatus_controller.ex
@ -68,37 +68,47 @@ defmodule Pleroma.Web.OStatus.OStatusController do
    |> send_resp(200, "")
  end

-  # TODO: Data leak
  def object(conn, %{"uuid" => uuid} = params) do
    if get_format(conn) == "activity+json" do
      ActivityPubController.object(conn, params)
    else
      with id <- o_status_url(conn, :object, uuid),
           %Activity{} = activity <- Activity.get_create_activity_by_object_ap_id(id),
+           {_, true} <- {:public?, ActivityPub.is_public?(activity)},
           %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
        case get_format(conn) do
          "html" -> redirect(conn, to: "/notice/#{activity.id}")
          _ -> represent_activity(conn, activity, user)
        end
+      else
+        {:public?, false} ->
+          conn
+          |> put_status(404)
+          |> json("Not found")
      end
    end
  end

-  # TODO: Data leak
  def activity(conn, %{"uuid" => uuid}) do
    with id <- o_status_url(conn, :activity, uuid),
         %Activity{} = activity <- Activity.get_by_ap_id(id),
+         {_, true} <- {:public?, ActivityPub.is_public?(activity)},
         %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
      case get_format(conn) do
        "html" -> redirect(conn, to: "/notice/#{activity.id}")
        _ -> represent_activity(conn, activity, user)
      end
+    else
+      {:public?, false} ->
+        conn
+        |> put_status(404)
+        |> json("Not found")
    end
  end

-  # TODO: Data leak
  def notice(conn, %{"id" => id}) do
    with %Activity{} = activity <- Repo.get(Activity, id),
+         {_, true} <- {:public?, ActivityPub.is_public?(activity)},
         %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
      case get_format(conn) do
        "html" ->
@ -109,6 +119,11 @@ defmodule Pleroma.Web.OStatus.OStatusController do
        _ ->
          represent_activity(conn, activity, user)
      end
+    else
+      {:public?, false} ->
+        conn
+        |> put_status(404)
+        |> json("Not found")
    end
  end