[bugfix] Prevent URL + URI for same account being used as alias target (#2545)

* [bugfix] Ensure URL and URI for same account can't both be provided as alias

* test whoopsie from previous PR
tobi 2024-01-20 12:45:43 +01:00 committed by GitHub
parent 33dbd3ab7a
commit b2cacd6b01
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 32 additions and 15 deletions


@ -96,26 +96,21 @@ type uri struct {
newAKAs[i].str = newAKAURI.String()
}
// Dedupe the URI/string pairs.
newAKAs = util.DeduplicateFunc(
newAKAs,
func(v uri) string {
return v.str
},
)
// For each deduped entry, get and
// check the target account, and set.
for _, newAKA := range newAKAs {
// Don't let account do anything
// daft by aliasing to itself.
if newAKA.str == account.URI {
if newAKA.str == account.URI ||
newAKA.str == account.URL {
continue
}
// Ensure we have a valid, up-to-date
// representation of the target account.
targetAccount, _, err := p.federator.GetAccountByURI(ctx, account.Username, newAKA.uri)
// Ensure we have account dereferenced.
targetAccount, _, err := p.federator.GetAccountByURI(ctx,
account.Username,
newAKA.uri,
)
if err != nil {
err := fmt.Errorf(
"error dereferencing also_known_as_uri (%s) account: %w",
@ -124,7 +119,7 @@ func(v uri) string {
return nil, gtserror.NewErrorUnprocessableEntity(err, err.Error())
}
// Alias target must not be suspended.
// Target must not be suspended.
if !targetAccount.SuspendedAt.IsZero() {
err := fmt.Errorf(
"target account %s is suspended from this instance; "+
@ -135,10 +130,21 @@ func(v uri) string {
}
// Alrighty-roo, looks good, add this one.
account.AlsoKnownAsURIs = append(account.AlsoKnownAsURIs, newAKA.str)
account.AlsoKnownAsURIs = append(account.AlsoKnownAsURIs, targetAccount.URI)
account.AlsoKnownAs = append(account.AlsoKnownAs, targetAccount)
}
// Dedupe URIs + accounts, in case someone
// provided both an account URL and an
// account URI above, for the same account.
account.AlsoKnownAsURIs = util.Deduplicate(account.AlsoKnownAsURIs)
account.AlsoKnownAs = util.DeduplicateFunc(
account.AlsoKnownAs,
func(a *gtsmodel.Account) string {
return a.URI
},
)
err := p.state.DB.UpdateAccount(ctx, account, "also_known_as_uris")
if err != nil {
err := gtserror.Newf("db error updating also_known_as_uri: %w", err)
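Review bot: The self-alias guard at the top of the loop compares only the submitted string against `account.URI` and `account.URL`, while the value now stored is `targetAccount.URI`. Any other submitted form that `GetAccountByURI` resolves to the requesting account would therefore still be appended as an alias to itself. Whether such forms exist is not visible here, though the added test case shows that the call already maps a profile URL to the canonical URI. Consider repeating the check on the resolved account, before the suspension check: `if targetAccount.URI == account.URI { continue }`. The enclosing function starts and ends outside these hunks.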


@ -132,6 +132,17 @@ func (suite *AliasTestSuite) TestAliasAccount() {
"http://localhost:8080/users/admin",
},
},
// Alias zork to turtle using both URI and URL
// for turtle. Only URI should end up being used.
{
newAliases: []string{
"http://localhost:8080/users/1happyturtle",
"http://localhost:8080/@1happyturtle",
},
expectedAliases: []string{
"http://localhost:8080/users/1happyturtle",
},
},
} {
var (
ctx = context.Background()
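Review bot: No case visible in this hunk exercises the new `newAKA.str == account.URL` branch; the added entry covers URL plus URI for a different account (turtle), not the requesting account's own profile URL. Unless the part of the table outside the hunk already has one, add an entry whose `newAliases` contains zork's own profile URL and whose `expectedAliases` is empty. That would pin the self-alias check so a later refactor of the loop cannot drop it silently. The test table and the loop body both begin and end outside the hunk.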


@ -631,7 +631,7 @@ func (suite *ASToInternalTestSuite) TestParseHonkAccount() {
// Clear caches.
suite.state.Caches.GTS = cache.GTSCaches{}
suite.state.Caches.GTS.Init()
suite.state.Caches.Init()
dbAcct, err = suite.db.GetAccountByID(ctx, acct.ID)
if err != nil {