Merge pull request from GHSA-58x8-3qxw-6hm7
* Fix insufficient permission checking for public timeline endpoints Note that this changes unauthenticated access failure code from 401 to 422 * Add more tests for public timelines * Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`main-rebase-security-fix
parent
395f17ca17
commit
502cf75b16
|
@ -6,6 +6,7 @@ class Api::V1::ScheduledStatusesController < Api::BaseController
|
||||||
before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, except: [:update, :destroy]
|
before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, except: [:update, :destroy]
|
||||||
before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only: [:update, :destroy]
|
before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only: [:update, :destroy]
|
||||||
|
|
||||||
|
before_action :require_user!
|
||||||
before_action :set_statuses, only: :index
|
before_action :set_statuses, only: :index
|
||||||
before_action :set_status, except: :index
|
before_action :set_status, except: :index
|
||||||
|
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
class Api::V1::Statuses::TranslationsController < Api::V1::Statuses::BaseController
|
class Api::V1::Statuses::TranslationsController < Api::V1::Statuses::BaseController
|
||||||
before_action -> { doorkeeper_authorize! :read, :'read:statuses' }
|
before_action -> { doorkeeper_authorize! :read, :'read:statuses' }
|
||||||
|
before_action :require_user!
|
||||||
before_action :set_translation
|
before_action :set_translation
|
||||||
|
|
||||||
rescue_from TranslationService::NotConfiguredError, with: :not_found
|
rescue_from TranslationService::NotConfiguredError, with: :not_found
|
||||||
|
|
|
@ -3,8 +3,14 @@
|
||||||
class Api::V1::Timelines::BaseController < Api::BaseController
|
class Api::V1::Timelines::BaseController < Api::BaseController
|
||||||
after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
|
after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
|
||||||
|
|
||||||
|
before_action :require_user!, if: :require_auth?
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
|
def require_auth?
|
||||||
|
!Setting.timeline_preview
|
||||||
|
end
|
||||||
|
|
||||||
def pagination_collection
|
def pagination_collection
|
||||||
@statuses
|
@statuses
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController
|
class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController
|
||||||
before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :show, if: :require_auth?
|
before_action -> { authorize_if_got_token! :read, :'read:statuses' }
|
||||||
before_action :set_preview_card
|
before_action :set_preview_card
|
||||||
before_action :set_statuses
|
before_action :set_statuses
|
||||||
|
|
||||||
|
@ -17,10 +17,6 @@ class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def require_auth?
|
|
||||||
!Setting.timeline_preview
|
|
||||||
end
|
|
||||||
|
|
||||||
def set_preview_card
|
def set_preview_card
|
||||||
@preview_card = PreviewCard.joins(:trend).merge(PreviewCardTrend.allowed).find_by!(url: params[:url])
|
@preview_card = PreviewCard.joins(:trend).merge(PreviewCardTrend.allowed).find_by!(url: params[:url])
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
|
class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
|
||||||
before_action :require_user!, only: [:show], if: :require_auth?
|
before_action -> { authorize_if_got_token! :read, :'read:statuses' }
|
||||||
|
|
||||||
PERMITTED_PARAMS = %i(local remote limit only_media).freeze
|
PERMITTED_PARAMS = %i(local remote limit only_media).freeze
|
||||||
|
|
||||||
|
@ -13,10 +13,6 @@ class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def require_auth?
|
|
||||||
!Setting.timeline_preview
|
|
||||||
end
|
|
||||||
|
|
||||||
def load_statuses
|
def load_statuses
|
||||||
preloaded_public_statuses_page
|
preloaded_public_statuses_page
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Api::V1::Timelines::TagController < Api::V1::Timelines::BaseController
|
class Api::V1::Timelines::TagController < Api::V1::Timelines::BaseController
|
||||||
before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :show, if: :require_auth?
|
before_action -> { authorize_if_got_token! :read, :'read:statuses' }
|
||||||
before_action :load_tag
|
before_action :load_tag
|
||||||
|
|
||||||
PERMITTED_PARAMS = %i(local limit only_media).freeze
|
PERMITTED_PARAMS = %i(local limit only_media).freeze
|
||||||
|
|
|
@ -25,6 +25,17 @@ describe 'Scheduled Statuses' do
|
||||||
it_behaves_like 'forbidden for wrong scope', 'write write:statuses'
|
it_behaves_like 'forbidden for wrong scope', 'write write:statuses'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with an application token' do
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: 'read:statuses') }
|
||||||
|
|
||||||
|
it 'returns http unprocessable entity' do
|
||||||
|
get api_v1_scheduled_statuses_path, headers: headers
|
||||||
|
|
||||||
|
expect(response)
|
||||||
|
.to have_http_status(422)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context 'with correct scope' do
|
context 'with correct scope' do
|
||||||
let(:scopes) { 'read:statuses' }
|
let(:scopes) { 'read:statuses' }
|
||||||
|
|
||||||
|
|
|
@ -8,6 +8,22 @@ describe 'API V1 Statuses Translations' do
|
||||||
let(:scopes) { 'read:statuses' }
|
let(:scopes) { 'read:statuses' }
|
||||||
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
|
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
|
||||||
|
|
||||||
|
context 'with an application token' do
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: scopes) }
|
||||||
|
|
||||||
|
describe 'POST /api/v1/statuses/:status_id/translate' do
|
||||||
|
let(:status) { Fabricate(:status, account: user.account, text: 'Hola', language: 'es') }
|
||||||
|
|
||||||
|
before do
|
||||||
|
post "/api/v1/statuses/#{status.id}/translate", headers: headers
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns http unprocessable entity' do
|
||||||
|
expect(response).to have_http_status(422)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context 'with an oauth token' do
|
context 'with an oauth token' do
|
||||||
describe 'POST /api/v1/statuses/:status_id/translate' do
|
describe 'POST /api/v1/statuses/:status_id/translate' do
|
||||||
let(:status) { Fabricate(:status, account: user.account, text: 'Hola', language: 'es') }
|
let(:status) { Fabricate(:status, account: user.account, text: 'Hola', language: 'es') }
|
||||||
|
|
|
@ -41,6 +41,8 @@ describe 'Link' do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'forbidden for wrong scope', 'profile'
|
||||||
|
|
||||||
context 'when there is no preview card' do
|
context 'when there is no preview card' do
|
||||||
let(:preview_card) { nil }
|
let(:preview_card) { nil }
|
||||||
|
|
||||||
|
@ -80,13 +82,25 @@ describe 'Link' do
|
||||||
Form::AdminSettings.new(timeline_preview: false).save
|
Form::AdminSettings.new(timeline_preview: false).save
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when the user is not authenticated' do
|
it_behaves_like 'forbidden for wrong scope', 'profile'
|
||||||
|
|
||||||
|
context 'without an authentication token' do
|
||||||
let(:headers) { {} }
|
let(:headers) { {} }
|
||||||
|
|
||||||
it 'returns http unauthorized' do
|
it 'returns http unprocessable entity' do
|
||||||
subject
|
subject
|
||||||
|
|
||||||
expect(response).to have_http_status(401)
|
expect(response).to have_http_status(422)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with an application access token, not bound to a user' do
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: scopes) }
|
||||||
|
|
||||||
|
it 'returns http unprocessable entity' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(response).to have_http_status(422)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -34,6 +34,8 @@ describe 'Public' do
|
||||||
context 'when the instance allows public preview' do
|
context 'when the instance allows public preview' do
|
||||||
let(:expected_statuses) { [local_status, remote_status, media_status] }
|
let(:expected_statuses) { [local_status, remote_status, media_status] }
|
||||||
|
|
||||||
|
it_behaves_like 'forbidden for wrong scope', 'profile'
|
||||||
|
|
||||||
context 'with an authorized user' do
|
context 'with an authorized user' do
|
||||||
it_behaves_like 'a successful request to the public timeline'
|
it_behaves_like 'a successful request to the public timeline'
|
||||||
end
|
end
|
||||||
|
@ -99,13 +101,9 @@ describe 'Public' do
|
||||||
Form::AdminSettings.new(timeline_preview: false).save
|
Form::AdminSettings.new(timeline_preview: false).save
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with an authenticated user' do
|
it_behaves_like 'forbidden for wrong scope', 'profile'
|
||||||
let(:expected_statuses) { [local_status, remote_status, media_status] }
|
|
||||||
|
|
||||||
it_behaves_like 'a successful request to the public timeline'
|
context 'without an authentication token' do
|
||||||
end
|
|
||||||
|
|
||||||
context 'with an unauthenticated user' do
|
|
||||||
let(:headers) { {} }
|
let(:headers) { {} }
|
||||||
|
|
||||||
it 'returns http unprocessable entity' do
|
it 'returns http unprocessable entity' do
|
||||||
|
@ -114,6 +112,22 @@ describe 'Public' do
|
||||||
expect(response).to have_http_status(422)
|
expect(response).to have_http_status(422)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with an application access token, not bound to a user' do
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: scopes) }
|
||||||
|
|
||||||
|
it 'returns http unprocessable entity' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(response).to have_http_status(422)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with an authenticated user' do
|
||||||
|
let(:expected_statuses) { [local_status, remote_status, media_status] }
|
||||||
|
|
||||||
|
it_behaves_like 'a successful request to the public timeline'
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -30,6 +30,8 @@ RSpec.describe 'Tag' do
|
||||||
let(:params) { {} }
|
let(:params) { {} }
|
||||||
let(:hashtag) { 'life' }
|
let(:hashtag) { 'life' }
|
||||||
|
|
||||||
|
it_behaves_like 'forbidden for wrong scope', 'profile'
|
||||||
|
|
||||||
context 'when given only one hashtag' do
|
context 'when given only one hashtag' do
|
||||||
let(:expected_statuses) { [life_status] }
|
let(:expected_statuses) { [life_status] }
|
||||||
|
|
||||||
|
@ -93,13 +95,15 @@ RSpec.describe 'Tag' do
|
||||||
Form::AdminSettings.new(timeline_preview: false).save
|
Form::AdminSettings.new(timeline_preview: false).save
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when the user is not authenticated' do
|
it_behaves_like 'forbidden for wrong scope', 'profile'
|
||||||
|
|
||||||
|
context 'without an authentication token' do
|
||||||
let(:headers) { {} }
|
let(:headers) { {} }
|
||||||
|
|
||||||
it 'returns http unauthorized' do
|
it 'returns http unprocessable entity' do
|
||||||
subject
|
subject
|
||||||
|
|
||||||
expect(response).to have_http_status(401)
|
expect(response).to have_http_status(422)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue