about summary refs log tree commit diff
diff options
context:
space:
mode:
authorunarist <m.unarist@gmail.com>2017-09-03 00:42:47 +0900
committerEugen Rochko <eugen@zeonfederated.com>2017-09-02 17:42:47 +0200
commit6a4e2db661f47a318bbf93a07ba9f16f7bac3ee0 (patch)
treef806d4d6f236059d624f691254b7bdffb5541497
parentbfa7f9ebf22581a387606716fe3f86e85e1c9db5 (diff)
Raise an error for remote url in StatusFinder (#4776)
* Raise an error for remote url in StatusFinder

Previous implementation had allowed remote url with status id which also exists on local.

Then that bug leads /api/web/embed to return wrong embed url.

* Fix oembed_controller_spec
-rw-r--r--app/lib/status_finder.rb2
-rw-r--r--spec/controllers/api/oembed_controller_spec.rb1
-rw-r--r--spec/lib/status_finder_spec.rb10
3 files changed, 13 insertions, 0 deletions
diff --git a/app/lib/status_finder.rb b/app/lib/status_finder.rb
index bd910f12b..4d1aed297 100644
--- a/app/lib/status_finder.rb
+++ b/app/lib/status_finder.rb
@@ -10,6 +10,8 @@ class StatusFinder
   def status
     verify_action!
 
+    raise ActiveRecord::RecordNotFound unless TagManager.instance.local_url?(url)
+
     case recognized_params[:controller]
     when 'stream_entries'
       StreamEntry.find(recognized_params[:id]).status
diff --git a/spec/controllers/api/oembed_controller_spec.rb b/spec/controllers/api/oembed_controller_spec.rb
index 43631a7e5..7af4a6a5b 100644
--- a/spec/controllers/api/oembed_controller_spec.rb
+++ b/spec/controllers/api/oembed_controller_spec.rb
@@ -8,6 +8,7 @@ RSpec.describe Api::OEmbedController, type: :controller do
 
   describe 'GET #show' do
     before do
+      request.host = Rails.configuration.x.local_domain
       get :show, params: { url: account_stream_entry_url(alice, status.stream_entry) }, format: :json
     end
 
diff --git a/spec/lib/status_finder_spec.rb b/spec/lib/status_finder_spec.rb
index 5c2f2dbe8..3ef086736 100644
--- a/spec/lib/status_finder_spec.rb
+++ b/spec/lib/status_finder_spec.rb
@@ -34,6 +34,16 @@ describe StatusFinder do
       end
     end
 
+    context 'with a remote url even if id exists on local' do
+      let(:status) { Fabricate(:status) }
+      let(:url) { "https://example.com/users/test/statuses/#{status.id}" }
+      subject { described_class.new(url) }
+
+      it 'raises an error' do
+        expect { subject.status }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+
     context 'with a plausible url' do
       let(:url) { 'https://example.com/users/test/updates/123/embed' }
       subject { described_class.new(url) }