diff options
| author |  kim <89579420+NyaaaWhatsUpDoc@users.noreply.github.com> | 2024-06-10 18:42:41 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2024-06-10 19:42:41 +0100 |
| commit | fd6637df4aeed721442bff6dfbce9bdd1b5ac7b8 (patch) | |
| tree | 8d4ddffdd8742b3cd7aa0be5e26ea235e76b127d /internal/federation | |
| parent | [chore] Roll back use of `(created)` pseudo-header pending #2991 (#2992) (diff) | |
| download | gotosocial-fd6637df4aeed721442bff6dfbce9bdd1b5ac7b8.tar.xz | |
[bugfix] boost and account recursion (#2982)
* fix possible infinite recursion if moved accounts are self-referential
* adds a defensive check for a boost being a boost of a boost wrapper
* add checks on input for a boost of a boost
* remove unnecessary check
* add protections on account move to prevent move recursion loops
* separate status conversion without boost logic into separate function to remove risk of recursion
* move boost check to boost function itself
* formatting
* use error 422 instead of 500
* use gtserror not standard errors package for error creation
Diffstat (limited to 'internal/federation')
| -rw-r--r-- | internal/federation/dereferencing/announce.go | 27 |
1 files changed, 9 insertions, 18 deletions
diff --git a/internal/federation/dereferencing/announce.go b/internal/federation/dereferencing/announce.go index 02b1d5e5c..6516bdced 100644 --- a/internal/federation/dereferencing/announce.go +++ b/internal/federation/dereferencing/announce.go @@ -22,7 +22,6 @@ import ( "errors" "net/url" - "github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" @@ -56,25 +55,17 @@ func (d *Dereferencer) EnrichAnnounce( ) } - // Fetch/deref status being boosted. - var target *gtsmodel.Status - - if targetURIObj.Host == config.GetHost() { - // This is a local status, fetch from the database - target, err = d.state.DB.GetStatusByURI(ctx, targetURI) - } else { - // This is a remote status, we need to dereference it. - // - // d.GetStatusByURI will handle domain block checking for us, - // so we don't try to deref an announce target on a blocked host. - target, _, err = d.GetStatusByURI(ctx, requestUser, targetURIObj) + // Fetch and dereference status being boosted, noting that + // d.GetStatusByURI handles domain blocks and local statuses. + target, _, err := d.GetStatusByURI(ctx, requestUser, targetURIObj) + if err != nil { + return nil, gtserror.Newf("error fetching boost target %s: %w", targetURI, err) } - if err != nil { - return nil, gtserror.Newf( - "error getting boost target status %s: %w", - targetURI, err, - ) + if target.BoostOfID != "" { + // Ensure that the target is not a boost (should not be possible). + err := gtserror.Newf("target status %s is a boost", targetURI) + return nil, err } // Generate an ID for the boost wrapper status. |