From fd6637df4aeed721442bff6dfbce9bdd1b5ac7b8 Mon Sep 17 00:00:00 2001 From: kim <89579420+NyaaaWhatsUpDoc@users.noreply.github.com> Date: Mon, 10 Jun 2024 18:42:41 +0000 Subject: [bugfix] boost and account recursion (#2982) * fix possible infinite recursion if moved accounts are self-referential * adds a defensive check for a boost being a boost of a boost wrapper * add checks on input for a boost of a boost * remove unnecessary check * add protections on account move to prevent move recursion loops * separate status conversion without boost logic into separate function to remove risk of recursion * move boost check to boost function itself * formatting * use error 422 instead of 500 * use gtserror not standard errors package for error creation --- internal/federation/dereferencing/announce.go | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) (limited to 'internal/federation') diff --git a/internal/federation/dereferencing/announce.go b/internal/federation/dereferencing/announce.go index 02b1d5e5c..6516bdced 100644 --- a/internal/federation/dereferencing/announce.go +++ b/internal/federation/dereferencing/announce.go @@ -22,7 +22,6 @@ import ( "errors" "net/url" - "github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" @@ -56,25 +55,17 @@ func (d *Dereferencer) EnrichAnnounce( ) } - // Fetch/deref status being boosted. - var target *gtsmodel.Status - - if targetURIObj.Host == config.GetHost() { - // This is a local status, fetch from the database - target, err = d.state.DB.GetStatusByURI(ctx, targetURI) - } else { - // This is a remote status, we need to dereference it. - // - // d.GetStatusByURI will handle domain block checking for us, - // so we don't try to deref an announce target on a blocked host. - target, _, err = d.GetStatusByURI(ctx, requestUser, targetURIObj) + // Fetch and dereference status being boosted, noting that + // d.GetStatusByURI handles domain blocks and local statuses. + target, _, err := d.GetStatusByURI(ctx, requestUser, targetURIObj) + if err != nil { + return nil, gtserror.Newf("error fetching boost target %s: %w", targetURI, err) } - if err != nil { - return nil, gtserror.Newf( - "error getting boost target status %s: %w", - targetURI, err, - ) + if target.BoostOfID != "" { + // Ensure that the target is not a boost (should not be possible). + err := gtserror.Newf("target status %s is a boost", targetURI) + return nil, err } // Generate an ID for the boost wrapper status. -- cgit v1.3