author | rinpatch <rinpatch@sdf.org> | 2019-05-31 15:25:17 +0300 |
---|---|---|
committer | lain <lain@soykaf.club> | 2019-05-31 17:37:22 +0200 |
commit | f5851ff645c6a9d2b8f4828134459ddce1ec573a (patch) | |
tree | 24ae17a223fa36a6514c8194fc53650a46e3eae9 | |
parent | d760df475a7ce541737f32f5f89856936c086ea6 (diff) | |
download | pleroma-f5851ff645c6a9d2b8f4828134459ddce1ec573a.tar.gz |
Mastodon API: Fix lists leaking private posts
Our previous list visibility resolver grabbed posts if either follower
collection of the user in a list who is followed is in `to` or if
follower collection of the user in a list was in `cc`. This not only
missed unlisted posts but also led to leaking private posts when
`fix_explicit_addressing` mistakenly started putting follower collections
into `cc` (also fixed in this MR).
Reported by @kurisu@iscute.moe via a DM
-rw-r--r-- | CHANGELOG.md | 21 | ||||
-rw-r--r-- | lib/pleroma/web/activity_pub/activity_pub.ex | 27 | ||||
-rw-r--r-- | test/web/activity_pub/activity_pub_test.exs | 29 |
3 files changed, 61 insertions, 16 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7509ca325..b273b83c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,25 @@ # Changelog +======= +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [0.9.99999] - 2019-05-31 +### Security +- Mastodon API: Fix lists leaking private posts + +## [0.9.9999] - 2019-04-05 +### Security +- Mastodon API: Fix content warnings skipping HTML sanitization + +## [0.9.999] - 2019-03-13 +Frontend changes only. +### Added +- Added floating action button for posting status on mobile +### Changed +- Changed user-settings icon to a pencil +### Fixed +- Keyboard shortcuts activating when typing a message +- Gaps when scrolling down on a timeline after showing new ## [0.9.99] - 2019-03-08 ### Changed diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index bd4ac6197..7eea5b447 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -466,20 +466,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do defp restrict_tag(query, _), do: query - defp restrict_to_cc(query, recipients_to, recipients_cc) do - from( - activity in query, - where: - fragment( - "(?->'to' \\?| ?) or (?->'cc' \\?| ?)", - activity.data, - ^recipients_to, - activity.data, - ^recipients_cc - ) - ) - end - defp restrict_recipients(query, [], _user), do: query defp restrict_recipients(query, recipients, nil) do 
@@ -629,9 +615,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
 |> Enum.reverse()
 end
 
- def fetch_activities_bounded(recipients_to, recipients_cc, opts \\ %{}) do
+ def fetch_activities_bounded_query(query, recipients, recipients_with_public) do
+ from(activity in query,
+ where:
+ fragment("? && ?", activity.recipients, ^recipients) or
+ (fragment("? && ?", activity.recipients, ^recipients_with_public) and
+ "https://www.w3.org/ns/activitystreams#Public" in activity.recipients)
+ )
+ end
+
+ def fetch_activities_bounded(recipients, recipients_with_public, opts \\ %{}) do
 fetch_activities_query([], opts)
- |> restrict_to_cc(recipients_to, recipients_cc)
+ |> fetch_activities_bounded_query(recipients, recipients_with_public)
 |> Repo.all()
 |> Enum.reverse()
 end
diff --git a/test/web/activity_pub/activity_pub_test.exs b/test/web/activity_pub/activity_pub_test.exs
index a55961ac4..5b4e91376 100644
--- a/test/web/activity_pub/activity_pub_test.exs
+++ b/test/web/activity_pub/activity_pub_test.exs
@@ -809,4 +809,33 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
 def data_uri do
 File.read!("test/fixtures/avatar_data_uri")
 end
+
+ describe "fetch_activities_bounded" do
+ test "fetches private posts for followed users" do
+ user = insert(:user)
+
+ {:ok, activity} =
+ CommonAPI.post(user, %{
+ "status" => "thought I looked cute might delete later :3",
+ "visibility" => "private"
+ })
+
+ [result] = ActivityPub.fetch_activities_bounded([user.follower_address], [])
+ assert result.id == activity.id
+ end
+
+ test "fetches only public posts for other users" do
+ user = insert(:user)
+ {:ok, activity} = CommonAPI.post(user, %{"status" => "#cofe", "visibility" => "public"})
+
+ {:ok, _private_activity} =
+ CommonAPI.post(user, %{
+ "status" => "why is tenshi eating a corndog so cute?",
+ "visibility" => "private"
+ })
+
+ [result] = ActivityPub.fetch_activities_bounded([], [user.follower_address])
+ assert result.id == activity.id
+ end
+ end
 end
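Review bot: `fetch_activities_bounded_query/3` is the authorization boundary this fix hinges on, yet it is exported as a bare `def` with no `@doc` or `@spec` stating which argument admits what, so a future caller that swaps the two lists would silently re-open the private-post leak. A two-line comment above the `from` would pin the contract: `# recipients: follower collections of followed users; anything addressed to them is in scope, including private posts.` / `# recipients_with_public: other list members; their posts count only when the Public collection is also among the recipients.` The `"https://www.w3.org/ns/activitystreams#Public"` literal is inlined here; if the module already has a shared name for the public collection, using it keeps every visibility check consistent. Note that the second branch only finds unlisted posts if `activity.recipients` is populated from `cc` as well as `to`, which this hunk does not show and is worth confirming.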
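Review bot: The new tests cover the private/public split but not the unlisted case the commit message says the old resolver missed, so the `recipients_with_public` branch's reliance on the Public collection appearing in `activity.recipients` for `cc`-addressed posts is unverified. A third test posting with `"visibility" => "unlisted"` and asserting `[result] = ActivityPub.fetch_activities_bounded([], [user.follower_address])` returns it would lock that in. A further assertion that `ActivityPub.fetch_activities_bounded([], []) == []` would guard the empty-array `&&` path that a list with no members exercises.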