closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17162 Commits
4 Branches
567 MiB
Tree: 7452a95998
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7452a95998'
${ noResults }
mastodon/app/models/account/field.rb

87 lines
2.2 KiB
Raw Normal View History

Fix being able to spoof link verification (#20217) - Change verification to happen in `default` queue - Change verification worker to only be queued if there's something to do - Add `link` tags from metadata fields to page header of profiles
1 year ago
Change verification to only work for https links (#20304) Fix #20242
1 year ago
Fix being able to spoof link verification (#20217) - Change verification to happen in `default` queue - Change verification worker to only be queued if there's something to do - Add `link` tags from metadata fields to page header of profiles
1 year ago
Autofix Rubocop Style/RedundantBegin (#23703)
1 year ago
Fix being able to spoof link verification (#20217) - Change verification to happen in `default` queue - Change verification worker to only be queued if there's something to do - Add `link` tags from metadata fields to page header of profiles
1 year ago
Change link verification to ignore IDN domains (#20295) Fix #3833
1 year ago
Don't allow URLs that contain non-normalized paths to be verified (#20999) * Don't allow URLs that contain non-normalized paths to be verified This stops things like https://example.com/otheruser/../realuser where "/otheruser" appears to be the verified URL, but the actual URL being verified is "/realuser" due to the "/../". Also fix a test to use 'https', so it is testing the right thing, now that since #20304 https is required. * missing do
1 year ago
Change link verification to ignore IDN domains (#20295) Fix #3833
1 year ago
Fix being able to spoof link verification (#20217) - Change verification to happen in `default` queue - Change verification worker to only be queued if there's something to do - Add `link` tags from metadata fields to page header of profiles
1 year ago
Guard against error extracting `body` from URL (#20428) If `Nokogiri::HTML(value).at_xpath('//body')` fails to find the `body` element, it will return `nil`. We can guard against that with an early return. Avoids calling `children` on `Nilclass` in those cases.
1 year ago
Fix being able to spoof link verification (#20217) - Change verification to happen in `default` queue - Change verification worker to only be queued if there's something to do - Add `link` tags from metadata fields to page header of profiles
1 year ago
 
  1. # frozen_string_literal: true
  2. 

  3. class Account::Field < ActiveModelSerializers::Model
  4.   MAX_CHARACTERS_LOCAL  = 255

  5.   MAX_CHARACTERS_COMPAT = 2_047

  6.   ACCEPTED_SCHEMES      = %w(https).freeze
  7. 

  8.   attributes :name, :value, :verified_at, :account
  9. 

  10.   def initialize(account, attributes)
  11.     # Keeping this as reference allows us to update the field on the account
  12.     # from methods in this class, so that changes can be saved.
  13.     @original_field = attributes
  14.     @account        = account
  15. 

  16.     super(
  17.       name:        sanitize(attributes['name']),
  18.       value:       sanitize(attributes['value']),
  19.       verified_at: attributes['verified_at']&.to_datetime,
  20.     )
  21.   end
  22. 

  23.   def verified?
  24.     verified_at.present?
  25.   end
  26. 

  27.   def value_for_verification
  28.     @value_for_verification ||= if account.local?
  29.                                   value
  30.                                 else
  31.                                   extract_url_from_html
  32.                                 end
  33.   end
  34. 

  35.   def verifiable?
  36.     return false if value_for_verification.blank?
  37. 

  38.     # This is slower than checking through a regular expression, but we
  39.     # need to confirm that it's not an IDN domain.
  40. 

  41.     parsed_url = Addressable::URI.parse(value_for_verification)
  42. 

  43.     ACCEPTED_SCHEMES.include?(parsed_url.scheme) &&
  44.       parsed_url.user.nil? &&
  45.       parsed_url.password.nil? &&
  46.       parsed_url.host.present? &&
  47.       parsed_url.normalized_host == parsed_url.host &&
  48.       (parsed_url.path.empty? || parsed_url.path == parsed_url.normalized_path)
  49.   rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError
  50.     false
  51.   end
  52. 

  53.   def requires_verification?
  54.     !verified? && verifiable?
  55.   end
  56. 

  57.   def mark_verified!
  58.     @original_field['verified_at'] = self.verified_at = Time.now.utc
  59.   end
  60. 

  61.   def to_h
  62.     { name: name, value: value, verified_at: verified_at }
  63.   end
  64. 

  65.   private
  66. 

  67.   def sanitize(str)
  68.     str.strip[0, character_limit]
  69.   end
  70. 

  71.   def character_limit
  72.     account.local? ? MAX_CHARACTERS_LOCAL : MAX_CHARACTERS_COMPAT
  73.   end
  74. 

  75.   def extract_url_from_html
  76.     doc = Nokogiri::HTML(value).at_xpath('//body')
  77. 

  78.     return if doc.nil?
  79.     return if doc.children.size > 1

  80. 

  81.     element = doc.children.first
  82. 

  83.     return if element.name != 'a' || element['href'] != element.text
  84. 

  85.     element['href']
  86.   end
  87. end