Raise an error for remote url in StatusFinder (#4776)

* Raise an error for remote url in StatusFinder

The previous implementation accepted a remote URL whose status id also exists locally.

That bug led /api/web/embed to return the wrong embed URL.

* Fix oembed_controller_spec
unarist 2017-09-03 00:42:47 +09:00 committed by Eugen Rochko
parent bfa7f9ebf2
commit 6a4e2db661
3 changed files with 13 additions and 0 deletions


@ -10,6 +10,8 @@ class StatusFinder
def status def status
verify_action! verify_action!
raise ActiveRecord::RecordNotFound unless TagManager.instance.local_url?(url)
case recognized_params[:controller] case recognized_params[:controller]
when 'stream_entries' when 'stream_entries'
StreamEntry.find(recognized_params[:id]).status StreamEntry.find(recognized_params[:id]).status
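Review bot: The new locality guard runs after `verify_action!`, so a remote URL is still fed through whatever `verify_action!` does (presumably route recognition on the URL) before it is rejected; unless `verify_action!` is what populates `recognized_params`, moving `raise ActiveRecord::RecordNotFound unless TagManager.instance.local_url?(url)` above it would fail fast on foreign URLs before any parsing. The reason for the guard is also not visible in the code, and a later reader could easily drop it as redundant with the id lookup; a comment such as `# A remote URL can carry an id that also exists locally; never resolve it to a local status (#4776).` directly above the raise would prevent that. Raising `ActiveRecord::RecordNotFound` makes "not ours" indistinguishable from "does not exist", which is reasonable for a 404 mapping but worth stating in that same comment. The `status` method continues past the end of this hunk.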


@ -8,6 +8,7 @@ RSpec.describe Api::OEmbedController, type: :controller do
describe 'GET #show' do describe 'GET #show' do
before do before do
request.host = Rails.configuration.x.local_domain
get :show, params: { url: account_stream_entry_url(alice, status.stream_entry) }, format: :json get :show, params: { url: account_stream_entry_url(alice, status.stream_entry) }, format: :json
end end


@ -34,6 +34,16 @@ describe StatusFinder do
end end
end end
context 'with a remote url even if id exists on local' do
let(:status) { Fabricate(:status) }
let(:url) { "https://example.com/users/test/statuses/#{status.id}" }
subject { described_class.new(url) }
it 'raises an error' do
expect { subject.status }.to raise_error(ActiveRecord::RecordNotFound)
end
end
context 'with a plausible url' do context 'with a plausible url' do
let(:url) { 'https://example.com/users/test/updates/123/embed' } let(:url) { 'https://example.com/users/test/updates/123/embed' }
subject { described_class.new(url) } subject { described_class.new(url) }