Fix some user-independent endpoints potentially reading session cookies (#24650)

main
Claire 2023-04-25 22:14:44 +02:00 committed by GitHub
parent 276c39361b
commit 1419f90ef2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 32 additions and 0 deletions

View File

@ -2,11 +2,17 @@
class Api::V1::Instances::ExtendedDescriptionsController < Api::BaseController class Api::V1::Instances::ExtendedDescriptionsController < Api::BaseController
skip_before_action :require_authenticated_user!, unless: :whitelist_mode? skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
skip_around_action :set_locale
before_action :set_extended_description before_action :set_extended_description
vary_by '' vary_by ''
# Override `current_user` to avoid reading session cookies unless in whitelist mode
def current_user
super if whitelist_mode?
end
def show def show
cache_even_if_authenticated! cache_even_if_authenticated!
render json: @extended_description, serializer: REST::ExtendedDescriptionSerializer render json: @extended_description, serializer: REST::ExtendedDescriptionSerializer

View File

@ -4,9 +4,15 @@ class Api::V1::Instances::PeersController < Api::BaseController
before_action :require_enabled_api! before_action :require_enabled_api!
skip_before_action :require_authenticated_user!, unless: :whitelist_mode? skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
skip_around_action :set_locale
vary_by '' vary_by ''
# Override `current_user` to avoid reading session cookies unless in whitelist mode
def current_user
super if whitelist_mode?
end
def index def index
cache_even_if_authenticated! cache_even_if_authenticated!
render_with_cache(expires_in: 1.day) { Instance.where.not(domain: DomainBlock.select(:domain)).pluck(:domain) } render_with_cache(expires_in: 1.day) { Instance.where.not(domain: DomainBlock.select(:domain)).pluck(:domain) }

View File

@ -2,11 +2,17 @@
class Api::V1::Instances::RulesController < Api::BaseController class Api::V1::Instances::RulesController < Api::BaseController
skip_before_action :require_authenticated_user!, unless: :whitelist_mode? skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
skip_around_action :set_locale
before_action :set_rules before_action :set_rules
vary_by '' vary_by ''
# Override `current_user` to avoid reading session cookies unless in whitelist mode
def current_user
super if whitelist_mode?
end
def index def index
cache_even_if_authenticated! cache_even_if_authenticated!
render json: @rules, each_serializer: REST::RuleSerializer render json: @rules, each_serializer: REST::RuleSerializer

View File

@ -2,9 +2,15 @@
class Api::V1::InstancesController < Api::BaseController class Api::V1::InstancesController < Api::BaseController
skip_before_action :require_authenticated_user!, unless: :whitelist_mode? skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
skip_around_action :set_locale
vary_by '' vary_by ''
# Override `current_user` to avoid reading session cookies unless in whitelist mode
def current_user
super if whitelist_mode?
end
def show def show
cache_even_if_authenticated! cache_even_if_authenticated!
render_with_cache json: InstancePresenter.new, serializer: REST::V1::InstanceSerializer, root: 'instance' render_with_cache json: InstancePresenter.new, serializer: REST::V1::InstanceSerializer, root: 'instance'

View File

@ -1,6 +1,10 @@
# frozen_string_literal: true # frozen_string_literal: true
class ManifestsController < ActionController::Base # rubocop:disable Rails/ApplicationController class ManifestsController < ActionController::Base # rubocop:disable Rails/ApplicationController
# Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
# and thus re-issuing session cookies
serialization_scope nil
def show def show
expires_in 3.minutes, public: true expires_in 3.minutes, public: true
render json: InstancePresenter.new, serializer: ManifestSerializer, root: 'instance' render json: InstancePresenter.new, serializer: ManifestSerializer, root: 'instance'

View File

@ -4,6 +4,10 @@ module WellKnown
class NodeInfoController < ActionController::Base # rubocop:disable Rails/ApplicationController class NodeInfoController < ActionController::Base # rubocop:disable Rails/ApplicationController
include CacheConcern include CacheConcern
# Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
# and thus re-issuing session cookies
serialization_scope nil
def index def index
expires_in 3.days, public: true expires_in 3.days, public: true
render_with_cache json: {}, serializer: NodeInfo::DiscoverySerializer, adapter: NodeInfo::Adapter, expires_in: 3.days, root: 'nodeinfo' render_with_cache json: {}, serializer: NodeInfo::DiscoverySerializer, adapter: NodeInfo::Adapter, expires_in: 3.days, root: 'nodeinfo'