
Update ApiV1Controller, enforce blocked instance domain logic

This commit is contained in:
Daniel Supernault 2024-02-07 04:41:12 -07:00
parent 01b33fb37e
commit 5b284cacea
No known key found for this signature in database
GPG key ID: 23740873EE6F76A1


@ -219,6 +219,10 @@ class ApiV1Controller extends Controller
if(!$res) { if(!$res) {
return response()->json(['error' => 'Record not found'], 404); return response()->json(['error' => 'Record not found'], 404);
} }
if($res && strpos($res['acct'], '@') != -1) {
$domain = parse_url($res['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
return $this->json($res); return $this->json($res);
} }
@ -483,6 +487,11 @@ class ApiV1Controller extends Controller
$limit = $request->input('limit', 10); $limit = $request->input('limit', 10);
$napi = $request->has(self::PF_API_ENTITY_KEY); $napi = $request->has(self::PF_API_ENTITY_KEY);
if($account && strpos($account['acct'], '@') != -1) {
$domain = parse_url($account['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
if(intval($pid) !== intval($account['id'])) { if(intval($pid) !== intval($account['id'])) {
if($account['locked']) { if($account['locked']) {
if(!FollowerService::follows($pid, $account['id'])) { if(!FollowerService::follows($pid, $account['id'])) {
@ -575,6 +584,11 @@ class ApiV1Controller extends Controller
$limit = $request->input('limit', 10); $limit = $request->input('limit', 10);
$napi = $request->has(self::PF_API_ENTITY_KEY); $napi = $request->has(self::PF_API_ENTITY_KEY);
if($account && strpos($account['acct'], '@') != -1) {
$domain = parse_url($account['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
if(intval($pid) !== intval($account['id'])) { if(intval($pid) !== intval($account['id'])) {
if($account['locked']) { if($account['locked']) {
if(!FollowerService::follows($pid, $account['id'])) { if(!FollowerService::follows($pid, $account['id'])) {
@ -676,6 +690,11 @@ class ApiV1Controller extends Controller
return $this->json(['error' => 'Account not found'], 404); return $this->json(['error' => 'Account not found'], 404);
} }
if($profile && strpos($profile['acct'], '@') != -1) {
$domain = parse_url($profile['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
$limit = $request->limit ?? 20; $limit = $request->limit ?? 20;
$max_id = $request->max_id; $max_id = $request->max_id;
$min_id = $request->min_id; $min_id = $request->min_id;
@ -766,6 +785,11 @@ class ApiV1Controller extends Controller
->whereNull('status') ->whereNull('status')
->findOrFail($id); ->findOrFail($id);
if($target && $target->domain) {
$domain = $target->domain;
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
$private = (bool) $target->is_private; $private = (bool) $target->is_private;
$remote = (bool) $target->domain; $remote = (bool) $target->domain;
$blocked = UserFilter::whereUserId($target->id) $blocked = UserFilter::whereUserId($target->id)
@ -1252,14 +1276,19 @@ class ApiV1Controller extends Controller
$user = $request->user(); $user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-like', $user->id), 403, 'Invalid permissions for this action'); abort_if($user->has_roles && !UserRoleService::can('can-like', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id);
$status = StatusService::getMastodon($id, false); $status = StatusService::getMastodon($id, false);
abort_unless($status, 400); abort_unless($status, 404);
if($status && isset($status['account'], $status['account']['acct']) && strpos($status['account']['acct'], '@') != -1) {
$domain = parse_url($status['account']['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
$spid = $status['account']['id']; $spid = $status['account']['id'];
AccountService::setLastActive($user->id);
if(intval($spid) !== intval($user->profile_id)) { if(intval($spid) !== intval($user->profile_id)) {
if($status['visibility'] == 'private') { if($status['visibility'] == 'private') {
abort_if(!FollowerService::follows($user->profile_id, $spid), 403); abort_if(!FollowerService::follows($user->profile_id, $spid), 403);
@ -1404,6 +1433,11 @@ class ApiV1Controller extends Controller
return response()->json(['error' => 'Record not found'], 404); return response()->json(['error' => 'Record not found'], 404);
} }
if($target && strpos($target['acct'], '@') != -1) {
$domain = parse_url($target['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
$followRequest = FollowRequest::whereFollowingId($pid)->whereFollowerId($id)->first(); $followRequest = FollowRequest::whereFollowingId($pid)->whereFollowerId($id)->first();
if(!$followRequest) { if(!$followRequest) {
@ -2011,6 +2045,11 @@ class ApiV1Controller extends Controller
$account = Profile::findOrFail($id); $account = Profile::findOrFail($id);
if($account && $account->domain) {
$domain = $account->domain;
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
$count = UserFilterService::muteCount($pid); $count = UserFilterService::muteCount($pid);
$maxLimit = intval(config('instance.user_filters.max_user_mutes')); $maxLimit = intval(config('instance.user_filters.max_user_mutes'));
if($count == 0) { if($count == 0) {
@ -2653,6 +2692,11 @@ class ApiV1Controller extends Controller
abort(404); abort(404);
} }
if($res && isset($res['account'], $res['account']['acct'], $res['account']['url']) && strpos($res['account']['acct'], '@') != -1) {
$domain = parse_url($res['account']['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
$scope = $res['visibility']; $scope = $res['visibility'];
if(!in_array($scope, ['public', 'unlisted'])) { if(!in_array($scope, ['public', 'unlisted'])) {
if($scope === 'private') { if($scope === 'private') {
@ -2697,6 +2741,11 @@ class ApiV1Controller extends Controller
return response('', 404); return response('', 404);
} }
if($status && isset($status['account'], $status['account']['acct']) && strpos($status['account']['acct'], '@') != -1) {
$domain = parse_url($status['account']['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
if(intval($status['account']['id']) !== intval($user->profile_id)) { if(intval($status['account']['id']) !== intval($user->profile_id)) {
if($status['visibility'] == 'private') { if($status['visibility'] == 'private') {
if(!FollowerService::follows($user->profile_id, $status['account']['id'])) { if(!FollowerService::follows($user->profile_id, $status['account']['id'])) {
@ -2780,6 +2829,10 @@ class ApiV1Controller extends Controller
$status = Status::findOrFail($id); $status = Status::findOrFail($id);
$account = AccountService::get($status->profile_id, true); $account = AccountService::get($status->profile_id, true);
abort_if(!$account, 404); abort_if(!$account, 404);
if($account && strpos($account['acct'], '@') != -1) {
$domain = parse_url($account['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
$author = intval($status->profile_id) === intval($pid) || $user->is_admin; $author = intval($status->profile_id) === intval($pid) || $user->is_admin;
$napi = $request->has(self::PF_API_ENTITY_KEY); $napi = $request->has(self::PF_API_ENTITY_KEY);
@ -2871,6 +2924,10 @@ class ApiV1Controller extends Controller
$pid = $user->profile_id; $pid = $user->profile_id;
$status = Status::findOrFail($id); $status = Status::findOrFail($id);
$account = AccountService::get($status->profile_id, true); $account = AccountService::get($status->profile_id, true);
if($account && strpos($account['acct'], '@') != -1) {
$domain = parse_url($account['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
abort_if(!$account, 404); abort_if(!$account, 404);
$author = intval($status->profile_id) === intval($pid) || $user->is_admin; $author = intval($status->profile_id) === intval($pid) || $user->is_admin;
$napi = $request->has(self::PF_API_ENTITY_KEY); $napi = $request->has(self::PF_API_ENTITY_KEY);
@ -3200,7 +3257,11 @@ class ApiV1Controller extends Controller
abort_if($user->has_roles && !UserRoleService::can('can-share', $user->id), 403, 'Invalid permissions for this action'); abort_if($user->has_roles && !UserRoleService::can('can-share', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id); AccountService::setLastActive($user->id);
$status = Status::whereScope('public')->findOrFail($id); $status = Status::whereScope('public')->findOrFail($id);
if($status && ($status->uri || $status->url || $status->object_url)) {
$url = $status->uri ?? $status->url ?? $status->object_url;
$domain = parse_url($url, PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
if(intval($status->profile_id) !== intval($user->profile_id)) { if(intval($status->profile_id) !== intval($user->profile_id)) {
if($status->scope == 'private') { if($status->scope == 'private') {
abort_if(!FollowerService::follows($user->profile_id, $status->profile_id), 403); abort_if(!FollowerService::follows($user->profile_id, $status->profile_id), 403);
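Review bot: The remote-account guard `strpos($res['acct'], '@') != -1` in the `@ -219` hunk can never be false, because PHP's `strpos` returns `false` (not -1) when the needle is absent and `false != -1` is true under loose comparison, so the banned-domain lookup also runs for local accounts; the identical expression is repeated in the `@ -483`, `@ -575`, `@ -676`, `@ -1252`, `@ -1404`, `@ -2653`, `@ -2697`, `@ -2780` and `@ -2871` hunks. As written the mistake is fail-closed, but the intended test is `strpos($res['acct'], '@') !== false` (or `str_contains` if the project's PHP baseline permits it), and `in_array` should pass `true` as its third argument so a `null`/`false` result from `parse_url` on a malformed `url` is compared strictly rather than loosely. Because the same four lines are copied into ten methods, I would move them into one private helper, sketched below, and call `$this->abortIfBannedInstance($res);` at each account-shaped site and `$this->abortIfBannedInstance($status['account'] ?? null);` at the status-shaped ones; the `@ -766` and `@ -2011` hunks, which read `domain` straight off a model, can stay as they are. The `@ -2871` hunk also runs the new check before `abort_if(!$account, 404);` while `@ -2780` runs it after, and the order should match. Every enclosing method starts and ends outside its hunk.
```php
    /**
     * Abort with 404 when an account entity belongs to a banned instance.
     * Local accounts (no '@' in acct) and entities missing acct/url are left alone.
     *
     * @param array|null $account account entity as returned by AccountService
     */
    private function abortIfBannedInstance(?array $account): void
    {
        if (!$account || !isset($account['acct'], $account['url']) || strpos($account['acct'], '@') === false) {
            return;
        }
        $domain = parse_url($account['url'], PHP_URL_HOST);
        // parse_url yields null/false for a missing or malformed host; only a real string is looked up
        abort_if(is_string($domain) && in_array($domain, InstanceService::getBannedDomains(), true), 404);
    }
    // … unchanged: existing controller methods, each replacing its inline block with the helper call …
```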