Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)

2020-02-27 12:32:54 +01:00 · 2020-02-27 12:32:54 +01:00 · 0c28a505dd
parent 7face973fa
commit 0c28a505dd
8 changed files with 203 additions and 124 deletions
--- a/app/controllers/api/v1/statuses/bookmarks_controller.rb
+++ b/app/controllers/api/v1/statuses/bookmarks_controller.rb
@ -5,35 +5,28 @@ class Api::V1::Statuses::BookmarksController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:bookmarks' }
  before_action :require_user!
  before_action :set_status
  respond_to :json
  def create
-    @status = bookmarked_status
+    current_account.bookmarks.find_or_create_by!(account: current_account, status: @status)
    render json: @status, serializer: REST::StatusSerializer
  end
  def destroy
-    @status = requested_status
+    bookmark = current_account.bookmarks.find_by(status: @status)
-    @bookmarks_map = { @status.id => false }
+    bookmark&.destroy!
-    bookmark = Bookmark.find_by!(account: current_user.account, status: @status)
+    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false })
    bookmark.destroy!
    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, bookmarks_map: @bookmarks_map)
  end
  private
-  def bookmarked_status
+  def set_status
-    authorize_with current_user.account, requested_status, :show?
+    @status = Status.find(params[:status_id])
-
+    authorize @status, :show?
-    bookmark = Bookmark.find_or_create_by!(account: current_user.account, status: requested_status)
+  rescue Mastodon::NotPermittedError
-
+    not_found
    bookmark.status.reload
  end
  def requested_status
    Status.find(params[:status_id])
  end
 end
--- a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
@ -69,8 +69,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
    @status = Status.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    # Reraise in order to get a 404 instead of a 403 error code
+    not_found
    raise ActiveRecord::RecordNotFound
  end
  def pagination_params(core_params)
--- a/app/controllers/api/v1/statuses/favourites_controller.rb
+++ b/app/controllers/api/v1/statuses/favourites_controller.rb
@ -5,34 +5,26 @@ class Api::V1::Statuses::FavouritesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:favourites' }
  before_action :require_user!
  before_action :set_status
  respond_to :json
  def create
-    @status = favourited_status
+    FavouriteService.new.call(current_account, @status)
    render json: @status, serializer: REST::StatusSerializer
  end
  def destroy
-    @status = requested_status
+    UnfavouriteWorker.perform_async(current_account.id, @status.id)
-    @favourites_map = { @status.id => false }
+    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false })
    UnfavouriteWorker.perform_async(current_user.account_id, @status.id)
    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, favourites_map: @favourites_map)
  end
  private
-  def favourited_status
+  def set_status
-    service_result.status.reload
+    @status = Status.find(params[:status_id])
-  end
+    authorize @status, :show?
-
+  rescue Mastodon::NotPermittedError
-  def service_result
+    not_found
    FavouriteService.new.call(current_user.account, requested_status)
  end
  def requested_status
    Status.find(params[:status_id])
  end
 end
--- a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
@ -66,8 +66,7 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
    @status = Status.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    # Reraise in order to get a 404 instead of a 403 error code
+    not_found
    raise ActiveRecord::RecordNotFound
  end
  def pagination_params(core_params)
--- a/app/controllers/api/v1/statuses/reblogs_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogs_controller.rb
@ -5,33 +5,34 @@ class Api::V1::Statuses::ReblogsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }
  before_action :require_user!
  before_action :set_reblog
  respond_to :json
  def create
-    @status = ReblogService.new.call(current_user.account, status_for_reblog, reblog_params)
+    @status = ReblogService.new.call(current_account, @reblog, reblog_params)
    render json: @status, serializer: REST::StatusSerializer
  end
  def destroy
-    @status = status_for_destroy.reblog
+    @status = current_account.statuses.find_by(reblog_of_id: @reblog.id)
    @reblogs_map = { @status.id => false }
-    authorize status_for_destroy, :unreblog?
+    if @status
-    status_for_destroy.discard
+      authorize @status, :unreblog?
-    RemovalWorker.perform_async(status_for_destroy.id)
+      @status.discard
      RemovalWorker.perform_async(@status.id)
    end
-    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, reblogs_map: @reblogs_map)
+    render json: @reblog, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, reblogs_map: { @reblog.id => false })
  end
  private
-  def status_for_reblog
+  def set_reblog
-    Status.find params[:status_id]
+    @reblog = Status.find(params[:status_id])
-  end
+    authorize @reblog, :show?
-
+  rescue Mastodon::NotPermittedError
-  def status_for_destroy
+    not_found
    @status_for_destroy ||= current_user.account.statuses.where(reblog_of_id: params[:status_id]).first!
  end
  def reblog_params
--- a/spec/controllers/api/v1/statuses/bookmarks_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses/bookmarks_controller_spec.rb
@ -21,36 +21,67 @@ describe Api::V1::Statuses::BookmarksController do
        post :create, params: { status_id: status.id }
      end
-      it 'returns http success' do
+      context 'with public status' do
-        expect(response).to have_http_status(:success)
+        it 'returns http success' do
          expect(response).to have_http_status(:success)
        end
        it 'updates the bookmarked attribute' do
          expect(user.account.bookmarked?(status)).to be true
        end
        it 'returns json with updated attributes' do
          hash_body = body_as_json
          expect(hash_body[:id]).to eq status.id.to_s
          expect(hash_body[:bookmarked]).to be true
        end
      end
-      it 'updates the bookmarked attribute' do
+      context 'with private status of not-followed account' do
-        expect(user.account.bookmarked?(status)).to be true
+        let(:status) { Fabricate(:status, visibility: :private) }
      end
-      it 'return json with updated attributes' do
+        it 'returns http not found' do
-        hash_body = body_as_json
+          expect(response).to have_http_status(404)
-
+        end
        expect(hash_body[:id]).to eq status.id.to_s
        expect(hash_body[:bookmarked]).to be true
      end
    end
    describe 'POST #destroy' do
-      let(:status) { Fabricate(:status, account: user.account) }
+      context 'with public status' do
        let(:status) { Fabricate(:status, account: user.account) }
-      before do
+        before do
-        Bookmark.find_or_create_by!(account: user.account, status: status)
+          Bookmark.find_or_create_by!(account: user.account, status: status)
-        post :destroy, params: { status_id: status.id }
+          post :destroy, params: { status_id: status.id }
        end
        it 'returns http success' do
          expect(response).to have_http_status(:success)
        end
        it 'updates the bookmarked attribute' do
          expect(user.account.bookmarked?(status)).to be false
        end
        it 'returns json with updated attributes' do
          hash_body = body_as_json
          expect(hash_body[:id]).to eq status.id.to_s
          expect(hash_body[:bookmarked]).to be false
        end
      end
-      it 'returns http success' do
+      context 'with private status that was not bookmarked' do
-        expect(response).to have_http_status(:success)
+        let(:status) { Fabricate(:status, visibility: :private) }
      end
-      it 'updates the bookmarked attribute' do
+        before do
-        expect(user.account.bookmarked?(status)).to be false
+          post :destroy, params: { status_id: status.id }
        end
        it 'returns http not found' do
          expect(response).to have_http_status(404)
        end
      end
    end
  end
--- a/spec/controllers/api/v1/statuses/favourites_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses/favourites_controller_spec.rb
@ -21,45 +21,77 @@ describe Api::V1::Statuses::FavouritesController do
        post :create, params: { status_id: status.id }
      end
-      it 'returns http success' do
+      context 'with public status' do
-        expect(response).to have_http_status(200)
+        it 'returns http success' do
          expect(response).to have_http_status(200)
        end
        it 'updates the favourites count' do
          expect(status.favourites.count).to eq 1
        end
        it 'updates the favourited attribute' do
          expect(user.account.favourited?(status)).to be true
        end
        it 'returns json with updated attributes' do
          hash_body = body_as_json
          expect(hash_body[:id]).to eq status.id.to_s
          expect(hash_body[:favourites_count]).to eq 1
          expect(hash_body[:favourited]).to be true
        end
      end
-      it 'updates the favourites count' do
+      context 'with private status of not-followed account' do
-        expect(status.favourites.count).to eq 1
+        let(:status) { Fabricate(:status, visibility: :private) }
      end
-      it 'updates the favourited attribute' do
+        it 'returns http not found' do
-        expect(user.account.favourited?(status)).to be true
+          expect(response).to have_http_status(404)
-      end
+        end
      it 'return json with updated attributes' do
        hash_body = body_as_json
        expect(hash_body[:id]).to eq status.id.to_s
        expect(hash_body[:favourites_count]).to eq 1
        expect(hash_body[:favourited]).to be true
      end
    end
    describe 'POST #destroy' do
-      let(:status) { Fabricate(:status, account: user.account) }
+      context 'with public status' do
        let(:status) { Fabricate(:status, account: user.account) }
-      before do
+        before do
-        FavouriteService.new.call(user.account, status)
+          FavouriteService.new.call(user.account, status)
-        post :destroy, params: { status_id: status.id }
+          post :destroy, params: { status_id: status.id }
        end
        it 'returns http success' do
          expect(response).to have_http_status(200)
        end
        it 'updates the favourites count' do
          expect(status.favourites.count).to eq 0
        end
        it 'updates the favourited attribute' do
          expect(user.account.favourited?(status)).to be false
        end
        it 'returns json with updated attributes' do
          hash_body = body_as_json
          expect(hash_body[:id]).to eq status.id.to_s
          expect(hash_body[:favourites_count]).to eq 0
          expect(hash_body[:favourited]).to be false
        end
      end
-      it 'returns http success' do
+      context 'with private status that was not favourited' do
-        expect(response).to have_http_status(200)
+        let(:status) { Fabricate(:status, visibility: :private) }
      end
-      it 'updates the favourites count' do
+        before do
-        expect(status.favourites.count).to eq 0
+          post :destroy, params: { status_id: status.id }
-      end
+        end
-      it 'updates the favourited attribute' do
+        it 'returns http not found' do
-        expect(user.account.favourited?(status)).to be false
+          expect(response).to have_http_status(404)
        end
      end
    end
  end
--- a/spec/controllers/api/v1/statuses/reblogs_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses/reblogs_controller_spec.rb
@ -21,45 +21,77 @@ describe Api::V1::Statuses::ReblogsController do
        post :create, params: { status_id: status.id }
      end
-      it 'returns http success' do
+      context 'with public status' do
-        expect(response).to have_http_status(200)
+        it 'returns http success' do
          expect(response).to have_http_status(200)
        end
        it 'updates the reblogs count' do
          expect(status.reblogs.count).to eq 1
        end
        it 'updates the reblogged attribute' do
          expect(user.account.reblogged?(status)).to be true
        end
        it 'returns json with updated attributes' do
          hash_body = body_as_json
          expect(hash_body[:reblog][:id]).to eq status.id.to_s
          expect(hash_body[:reblog][:reblogs_count]).to eq 1
          expect(hash_body[:reblog][:reblogged]).to be true
        end
      end
-      it 'updates the reblogs count' do
+      context 'with private status of not-followed account' do
-        expect(status.reblogs.count).to eq 1
+        let(:status) { Fabricate(:status, visibility: :private) }
      end
-      it 'updates the reblogged attribute' do
+        it 'returns http not found' do
-        expect(user.account.reblogged?(status)).to be true
+          expect(response).to have_http_status(404)
-      end
+        end
      it 'return json with updated attributes' do
        hash_body = body_as_json
        expect(hash_body[:reblog][:id]).to eq status.id.to_s
        expect(hash_body[:reblog][:reblogs_count]).to eq 1
        expect(hash_body[:reblog][:reblogged]).to be true
      end
    end
    describe 'POST #destroy' do
-      let(:status) { Fabricate(:status, account: user.account) }
+      context 'with public status' do
        let(:status) { Fabricate(:status, account: user.account) }
-      before do
+        before do
-        ReblogService.new.call(user.account, status)
+          ReblogService.new.call(user.account, status)
-        post :destroy, params: { status_id: status.id }
+          post :destroy, params: { status_id: status.id }
        end
        it 'returns http success' do
          expect(response).to have_http_status(200)
        end
        it 'updates the reblogs count' do
          expect(status.reblogs.count).to eq 0
        end
        it 'updates the reblogged attribute' do
          expect(user.account.reblogged?(status)).to be false
        end
        it 'returns json with updated attributes' do
          hash_body = body_as_json
          expect(hash_body[:id]).to eq status.id.to_s
          expect(hash_body[:reblogs_count]).to eq 0
          expect(hash_body[:reblogged]).to be false
        end
      end
-      it 'returns http success' do
+      context 'with private status that was not reblogged' do
-        expect(response).to have_http_status(200)
+        let(:status) { Fabricate(:status, visibility: :private) }
      end
-      it 'updates the reblogs count' do
+        before do
-        expect(status.reblogs.count).to eq 0
+          post :destroy, params: { status_id: status.id }
-      end
+        end
-      it 'updates the reblogged attribute' do
+        it 'returns http not found' do
-        expect(user.account.reblogged?(status)).to be false
+          expect(response).to have_http_status(404)
        end
      end
    end
  end