fix: Return HTTP 422 when scheduled status time is less than 5 minutes (#30584)

main-rebase-security-fix
Daniel M Brasil 2024-06-10 10:33:48 -03:00 committed by GitHub
parent 0cf91213c9
commit 77c2216e47
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 37 additions and 1 deletions

View File

@ -171,7 +171,7 @@ class PostStatusService < BaseService
end
def scheduled_in_the_past?
@scheduled_at.present? && @scheduled_at <= Time.now.utc + MIN_SCHEDULE_OFFSET
@scheduled_at.present? && @scheduled_at <= Time.now.utc
end
def bump_potential_friendship!

View File

@ -193,6 +193,32 @@ describe '/api/v1/statuses' do
expect(response).to have_http_status(404)
end
end
context 'when scheduling a status' do
let(:params) { { status: 'Hello world', scheduled_at: 10.minutes.from_now } }
let(:account) { user.account }
it 'returns HTTP 200' do
subject
expect(response).to have_http_status(200)
end
it 'creates a scheduled status' do
expect { subject }.to change { account.scheduled_statuses.count }.from(0).to(1)
end
context 'when the scheduling time is less than 5 minutes' do
let(:params) { { status: 'Hello world', scheduled_at: 4.minutes.from_now } }
it 'does not create a scheduled status', :aggregate_failures do
subject
expect(response).to have_http_status(422)
expect(account.scheduled_statuses).to be_empty
end
end
end
end
describe 'DELETE /api/v1/statuses/:id' do

View File

@ -61,6 +61,16 @@ RSpec.describe PostStatusService do
status2 = subject.call(account, text: 'test', idempotency: 'meepmeep', scheduled_at: future)
expect(status2.id).to eq status1.id
end
context 'when scheduled_at is less than min offset' do
let(:invalid_scheduled_time) { 4.minutes.from_now }
it 'raises invalid record error' do
expect do
subject.call(account, text: 'Hi future!', scheduled_at: invalid_scheduled_time)
end.to raise_error(ActiveRecord::RecordInvalid)
end
end
end
it 'creates response to the original status of boost' do