From 5e76adb07e225a1f5934b44ad474158dfcd52233 Mon Sep 17 00:00:00 2001 From: lain Date: Wed, 30 May 2018 20:00:27 +0200 Subject: Fix url guessing attacks. --- .../web/activity_pub/activity_pub_controller.ex | 8 +++++++- lib/pleroma/web/ostatus/ostatus_controller.ex | 21 ++++++++++++++++++--- 2 files changed, 25 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex index c7d50893f..a6a9b99ef 100644 --- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex +++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex @@ -20,10 +20,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do def object(conn, %{"uuid" => uuid}) do with ap_id <- o_status_url(conn, :object, uuid), - %Object{} = object <- Object.get_cached_by_ap_id(ap_id) do + %Object{} = object <- Object.get_cached_by_ap_id(ap_id), + {_, true} <- {:public?, ActivityPub.is_public?(object)} do conn |> put_resp_header("content-type", "application/activity+json") |> json(ObjectView.render("object.json", %{object: object})) + else + {:public?, false} -> + conn + |> put_status(404) + |> json("Not found") end end diff --git a/lib/pleroma/web/ostatus/ostatus_controller.ex b/lib/pleroma/web/ostatus/ostatus_controller.ex index f39ebaf2b..53278431e 100644 --- a/lib/pleroma/web/ostatus/ostatus_controller.ex +++ b/lib/pleroma/web/ostatus/ostatus_controller.ex @@ -68,37 +68,47 @@ defmodule Pleroma.Web.OStatus.OStatusController do |> send_resp(200, "") end - # TODO: Data leak def object(conn, %{"uuid" => uuid} = params) do if get_format(conn) == "activity+json" do ActivityPubController.object(conn, params) else with id <- o_status_url(conn, :object, uuid), %Activity{} = activity <- Activity.get_create_activity_by_object_ap_id(id), + {_, true} <- {:public?, ActivityPub.is_public?(activity)}, %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do case get_format(conn) do "html" -> redirect(conn, to: "/notice/#{activity.id}") _ -> represent_activity(conn, activity, user) end + else + {:public?, false} -> + conn + |> put_status(404) + |> json("Not found") end end end - # TODO: Data leak def activity(conn, %{"uuid" => uuid}) do with id <- o_status_url(conn, :activity, uuid), %Activity{} = activity <- Activity.get_by_ap_id(id), + {_, true} <- {:public?, ActivityPub.is_public?(activity)}, %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do case get_format(conn) do "html" -> redirect(conn, to: "/notice/#{activity.id}") _ -> represent_activity(conn, activity, user) end + else + {:public?, false} -> + conn + |> put_status(404) + |> json("Not found") end end - # TODO: Data leak def notice(conn, %{"id" => id}) do with %Activity{} = activity <- Repo.get(Activity, id), + {_, true} <- {:public?, ActivityPub.is_public?(activity)}, %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do case get_format(conn) do "html" -> @@ -109,6 +119,11 @@ defmodule Pleroma.Web.OStatus.OStatusController do _ -> represent_activity(conn, activity, user) end + else + {:public?, false} -> + conn + |> put_status(404) + |> json("Not found") end end -- cgit v1.2.3