techhub/mastodon
2
0
Fork 0
Code Activity

Merge commit from fork

Browse Source 
* Refuse granting quote authorization for reblogs

* Add validation to reject quotes of reblogs

* Do not process quotes of reblogs as potentially valid quotes

* Refuse to serve quoted reblogs over REST API
This commit is contained in:
Claire
2025-10-21 15:00:28 +02:00
committed by GitHub
parent 2b9e4294fe
commit 405a49df44
8 changed files with 146 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
spec/lib/activitypub/activity/create_spec.rb
View File

@@ -1046,6 +1046,60 @@ RSpec.describe ActivityPub::Activity::Create do
end
end
context 'with a quote of a known reblog that is otherwise valid' do
let(:quoted_account) { Fabricate(:account, domain: 'quoted.example.com') }
let(:quoted_status) { Fabricate(:status, account: quoted_account, reblog: Fabricate(:status)) }
let(:approval_uri) { 'https://quoted.example.com/quote-approval' }
let(:object_json) do
build_object(
type: 'Note',
content: 'woah what she said is amazing',
quote: ActivityPub::TagManager.instance.uri_for(quoted_status),
quoteAuthorization: approval_uri
)
end
before do
stub_request(:get, approval_uri).to_return(headers: { 'Content-Type': 'application/activity+json' }, body: Oj.dump({
'@context': [
'https://www.w3.org/ns/activitystreams',
{
QuoteAuthorization: 'https://w3id.org/fep/044f#QuoteAuthorization',
gts: 'https://gotosocial.org/ns#',
interactionPolicy: {
'@id': 'gts:interactionPolicy',
'@type': '@id',
},
interactingObject: {
'@id': 'gts:interactingObject',
'@type': '@id',
},
interactionTarget: {
'@id': 'gts:interactionTarget',
'@type': '@id',
},
},
],
type: 'QuoteAuthorization',
id: approval_uri,
attributedTo: ActivityPub::TagManager.instance.uri_for(quoted_status.account),
interactingObject: object_json[:id],
interactionTarget: ActivityPub::TagManager.instance.uri_for(quoted_status),
}))
end
it 'creates a status without the verified quote' do
expect { subject.perform }.to change(sender.statuses, :count).by(1)
status = sender.statuses.first
expect(status).to_not be_nil
expect(status.quote).to_not be_nil
expect(status.quote.state).to_not eq 'accepted'
expect(status.quote.quoted_status).to be_nil
end
end
context 'when a vote to a local poll' do
let(:poll) { Fabricate(:poll, options: %w(Yellow Blue)) }
let!(:local_status) { Fabricate(:status, poll: poll) }

16
spec/models/concerns/status/interaction_policy_concern_spec.rb
View File

@@ -15,6 +15,22 @@ RSpec.describe Status::InteractionPolicyConcern do
describe '#quote_policy_for_account' do
let(:account) { Fabricate(:account) }
context 'when the account is the author' do
let(:status) { Fabricate(:status, account: account, quote_approval_policy: 0) }
it 'returns :automatic' do
expect(status.quote_policy_for_account(account)).to eq :automatic
end
context 'when it is a reblog' do
let(:status) { Fabricate(:status, account: account, quote_approval_policy: 0, reblog: Fabricate(:status)) }
it 'returns :automatic' do
expect(status.quote_policy_for_account(account)).to eq :denied
end
end
end
context 'when the account is not following the user' do
it 'returns :manual because of the public entry in the manual policy' do
expect(status.quote_policy_for_account(account)).to eq :manual

66
spec/services/activitypub/process_status_update_service_spec.rb
View File

@@ -810,6 +810,72 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService do
end
end
context 'when the status adds a verifiable quote of a reblog through an explicit update' do
let(:quoted_account) { Fabricate(:account, domain: 'quoted.example.com') }
let(:quoted_status) { Fabricate(:status, account: quoted_account, reblog: Fabricate(:status)) }
let(:approval_uri) { 'https://quoted.example.com/approvals/1' }
let(:payload) do
{
'@context': [
'https://www.w3.org/ns/activitystreams',
{
'@id': 'https://w3id.org/fep/044f#quote',
'@type': '@id',
},
{
'@id': 'https://w3id.org/fep/044f#quoteAuthorization',
'@type': '@id',
},
],
id: 'foo',
type: 'Note',
summary: 'Show more',
content: 'Hello universe',
updated: '2021-09-08T22:39:25Z',
quote: ActivityPub::TagManager.instance.uri_for(quoted_status),
quoteAuthorization: approval_uri,
}
end
before do
stub_request(:get, approval_uri).to_return(headers: { 'Content-Type': 'application/activity+json' }, body: Oj.dump({
'@context': [
'https://www.w3.org/ns/activitystreams',
{
QuoteAuthorization: 'https://w3id.org/fep/044f#QuoteAuthorization',
gts: 'https://gotosocial.org/ns#',
interactionPolicy: {
'@id': 'gts:interactionPolicy',
'@type': '@id',
},
interactingObject: {
'@id': 'gts:interactingObject',
'@type': '@id',
},
interactionTarget: {
'@id': 'gts:interactionTarget',
'@type': '@id',
},
},
],
type: 'QuoteAuthorization',
id: approval_uri,
attributedTo: ActivityPub::TagManager.instance.uri_for(quoted_status.account),
interactingObject: ActivityPub::TagManager.instance.uri_for(status),
interactionTarget: ActivityPub::TagManager.instance.uri_for(quoted_status),
}))
end
it 'updates the approval URI but does not verify the quote' do
expect { subject.call(status, json, json) }
.to change(status, :quote).from(nil)
expect(status.quote.approval_uri).to eq approval_uri
expect(status.quote.state).to_not eq 'accepted'
expect(status.quote.quoted_status).to be_nil
end
end
context 'when the status adds a unverifiable quote through an implicit update' do
let(:quoted_account) { Fabricate(:account, domain: 'quoted.example.com') }
let(:quoted_status) { Fabricate(:status, account: quoted_account) }