Merge pull request from GHSA-58x8-3qxw-6hm7

* Fix insufficient permission checking for public timeline endpoints Note that this changes unauthenticated access failure code from 401 to 422 * Add more tests for public timelines * Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
2024-07-04 16:26:49 +02:00 · 2024-07-04 16:26:49 +02:00 · 34aeef3453
commit 34aeef3453
parent 122740047a
9 changed files with 242 additions and 7 deletions
--- a/app/controllers/api/v1/scheduled_statuses_controller.rb
+++ b/app/controllers/api/v1/scheduled_statuses_controller.rb
@ -6,6 +6,7 @@ class Api::V1::ScheduledStatusesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, except: [:update, :destroy]
  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only: [:update, :destroy]

+  before_action :require_user!
  before_action :set_statuses, only: :index
  before_action :set_status, except: :index

--- a/app/controllers/api/v1/statuses/translations_controller.rb
+++ b/app/controllers/api/v1/statuses/translations_controller.rb
@ -4,6 +4,7 @@ class Api::V1::Statuses::TranslationsController < Api::BaseController
  include Authorization

  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }
+  before_action :require_user!
  before_action :set_status
  before_action :set_translation

--- a/app/controllers/api/v1/timelines/public_controller.rb
+++ b/app/controllers/api/v1/timelines/public_controller.rb
@ -1,6 +1,7 @@
 # frozen_string_literal: true

 class Api::V1::Timelines::PublicController < Api::BaseController
+  before_action -> { authorize_if_got_token! :read, :'read:statuses' }
  before_action :require_user!, only: [:show], if: :require_auth?
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }

--- a/app/controllers/api/v1/timelines/tag_controller.rb
+++ b/app/controllers/api/v1/timelines/tag_controller.rb
@ -1,7 +1,8 @@
 # frozen_string_literal: true

 class Api::V1::Timelines::TagController < Api::BaseController
-  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :show, if: :require_auth?
+  before_action -> { authorize_if_got_token! :read, :'read:statuses' }
+  before_action :require_user!, if: :require_auth?
  before_action :load_tag
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }

--- a/spec/controllers/api/v1/scheduled_statuses_controller_spec.rb
+++ b/spec/controllers/api/v1/scheduled_statuses_controller_spec.rb
@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe Api::V1::ScheduledStatusesController do
+  render_views
+
+  let(:user)    { Fabricate(:user) }
+  let(:token)   { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') }
+  let(:account) { Fabricate(:account) }
+
+  before do
+    allow(controller).to receive(:doorkeeper_token) { token }
+  end
+
+  context 'with an application token' do
+    let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: 'read:statuses') }
+
+    it 'returns http unprocessable entity' do
+      get :index
+
+      expect(response)
+        .to have_http_status(422)
+    end
+  end
+
+  describe 'GET #index' do
+    it 'returns http success' do
+      get :index
+
+      expect(response).to have_http_status(200)
+    end
+  end
+end
--- a/spec/controllers/api/v1/statuses/translations_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses/translations_controller_spec.rb
@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe Api::V1::Statuses::TranslationsController do
+  render_views
+
+  let(:user)  { Fabricate(:user) }
+  let(:app)   { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') }
+  let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses', application: app) }
+
+  context 'with an application token' do
+    let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: 'read:statuses', application: app) }
+
+    before do
+      allow(controller).to receive(:doorkeeper_token) { token }
+    end
+
+    describe 'POST /api/v1/statuses/:status_id/translate' do
+      let(:status) { Fabricate(:status, account: user.account, text: 'Hola', language: 'es') }
+
+      before do
+        post :create, params: { status_id: status.id }
+      end
+
+      it 'returns http unprocessable entity' do
+        expect(response).to have_http_status(422)
+      end
+    end
+  end
+
+  context 'with an oauth token' do
+    before do
+      allow(controller).to receive(:doorkeeper_token) { token }
+    end
+
+    describe 'POST #create' do
+      let(:status) { Fabricate(:status, account: user.account, text: 'Hola', language: 'es') }
+
+      before do
+        translation = TranslationService::Translation.new(text: 'Hello')
+        service = instance_double(TranslationService::DeepL, translate: translation)
+        allow(TranslationService).to receive_messages(configured?: true, configured: service)
+        Rails.cache.write('translation_service/languages', { 'es' => ['en'] })
+        post :create, params: { status_id: status.id }
+      end
+
+      it 'returns http success' do
+        expect(response).to have_http_status(200)
+      end
+    end
+  end
+end
--- a/spec/controllers/api/v1/timelines/public_controller_spec.rb
+++ b/spec/controllers/api/v1/timelines/public_controller_spec.rb
@ -12,7 +12,7 @@ describe Api::V1::Timelines::PublicController do
  end

  context 'with a user context' do
-    let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id) }
+    let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') }

    describe 'GET #show' do
      before do
@ -42,7 +42,7 @@ describe Api::V1::Timelines::PublicController do
  end

  context 'without a user context' do
-    let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil) }
+    let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: 'read:statuses') }

    describe 'GET #show' do
      it 'returns http success' do
--- a/spec/controllers/api/v1/timelines/tag_controller_spec.rb
+++ b/spec/controllers/api/v1/timelines/tag_controller_spec.rb
@ -6,7 +6,8 @@ describe Api::V1::Timelines::TagController do
  render_views

  let(:user)   { Fabricate(:user) }
-  let(:token)  { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') }
+  let(:scopes) { 'read:statuses' }
+  let(:token)  { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }

  before do
    allow(controller).to receive(:doorkeeper_token) { token }
@ -48,13 +49,23 @@ describe Api::V1::Timelines::TagController do
        Form::AdminSettings.new(timeline_preview: false).save
      end

-      context 'when the user is not authenticated' do
+      context 'without an access token' do
        let(:token) { nil }

-        it 'returns http unauthorized' do
+        it 'returns http unprocessable entity' do
          subject

-          expect(response).to have_http_status(401)
+          expect(response).to have_http_status(422)
+        end
+      end
+
+      context 'with an application access token, not bound to a user' do
+        let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: scopes) }
+
+        it 'returns http unprocessable entity' do
+          subject
+
+          expect(response).to have_http_status(422)
        end
      end

--- a/spec/requests/api/v1/timelines/public_spec.rb
+++ b/spec/requests/api/v1/timelines/public_spec.rb
@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'Public' do
+  let(:user)    { Fabricate(:user) }
+  let(:scopes)  { 'read:statuses' }
+  let(:token)   { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
+  let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
+
+  shared_examples 'forbidden for wrong scope' do |wrong_scope|
+    let(:scopes) { wrong_scope }
+
+    it 'returns http forbidden' do
+      subject
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  shared_examples 'a successful request to the public timeline' do
+    it 'returns the expected statuses successfully', :aggregate_failures do
+      subject
+
+      expect(response).to have_http_status(200)
+      expect(body_as_json.pluck(:id)).to match_array(expected_statuses.map { |status| status.id.to_s })
+    end
+  end
+
+  describe 'GET /api/v1/timelines/public' do
+    subject do
+      get '/api/v1/timelines/public', headers: headers, params: params
+    end
+
+    let!(:private_status) { Fabricate(:status, visibility: :private) } # rubocop:disable RSpec/LetSetup
+    let!(:local_status)   { Fabricate(:status, account: Fabricate.build(:account, domain: nil)) }
+    let!(:remote_status)  { Fabricate(:status, account: Fabricate.build(:account, domain: 'example.com')) }
+    let!(:media_status)   { Fabricate(:status, media_attachments: [Fabricate.build(:media_attachment)]) }
+
+    let(:params) { {} }
+
+    context 'when the instance allows public preview' do
+      let(:expected_statuses) { [local_status, remote_status, media_status] }
+
+      it_behaves_like 'forbidden for wrong scope', 'profile'
+
+      context 'with an authorized user' do
+        it_behaves_like 'a successful request to the public timeline'
+      end
+
+      context 'with an anonymous user' do
+        let(:headers) { {} }
+
+        it_behaves_like 'a successful request to the public timeline'
+      end
+
+      context 'with local param' do
+        let(:params) { { local: true } }
+        let(:expected_statuses) { [local_status, media_status] }
+
+        it_behaves_like 'a successful request to the public timeline'
+      end
+
+      context 'with remote param' do
+        let(:params) { { remote: true } }
+        let(:expected_statuses) { [remote_status] }
+
+        it_behaves_like 'a successful request to the public timeline'
+      end
+
+      context 'with only_media param' do
+        let(:params) { { only_media: true } }
+        let(:expected_statuses) { [media_status] }
+
+        it_behaves_like 'a successful request to the public timeline'
+      end
+
+      context 'with limit param' do
+        let(:params) { { limit: 1 } }
+
+        it 'returns only the requested number of statuses', :aggregate_failures do
+          subject
+
+          expect(response).to have_http_status(200)
+          expect(body_as_json.size).to eq(params[:limit])
+        end
+
+        it 'sets the correct pagination headers', :aggregate_failures do
+          subject
+
+          headers = response.headers['Link']
+
+          expect(headers.find_link(%w(rel prev)).href).to eq(api_v1_timelines_public_url(limit: 1, min_id: media_status.id.to_s))
+          expect(headers.find_link(%w(rel next)).href).to eq(api_v1_timelines_public_url(limit: 1, max_id: media_status.id.to_s))
+        end
+      end
+    end
+
+    context 'when the instance does not allow public preview' do
+      before do
+        Form::AdminSettings.new(timeline_preview: false).save
+      end
+
+      it_behaves_like 'forbidden for wrong scope', 'profile'
+
+      context 'without an authentication token' do
+        let(:headers) { {} }
+
+        it 'returns http unprocessable entity' do
+          subject
+
+          expect(response).to have_http_status(422)
+        end
+      end
+
+      context 'with an application access token, not bound to a user' do
+        let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: scopes) }
+
+        it 'returns http unprocessable entity' do
+          subject
+
+          expect(response).to have_http_status(422)
+        end
+      end
+
+      context 'with an authenticated user' do
+        let(:expected_statuses) { [local_status, remote_status, media_status] }
+
+        it_behaves_like 'a successful request to the public timeline'
+      end
+    end
+  end
+end