commit: 6a4e2db661f47a318bbf93a07ba9f16f7bac3ee0
parent: bfa7f9ebf22581a387606716fe3f86e85e1c9db5
Author: unarist <m.unarist@gmail.com>
Date: Sun, 3 Sep 2017 00:42:47 +0900
Raise an error for remote url in StatusFinder (#4776)
* Raise an error for remote url in StatusFinder
Previous implementation had allowed remote url with status id which also exists on local.
Then that bug leads /api/web/embed to return wrong embed url.
* Fix oembed_controller_spec
Diffstat:
3 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/app/lib/status_finder.rb b/app/lib/status_finder.rb
@@ -10,6 +10,8 @@ class StatusFinder
def status
verify_action!
+ raise ActiveRecord::RecordNotFound unless TagManager.instance.local_url?(url)
+
case recognized_params[:controller]
when 'stream_entries'
StreamEntry.find(recognized_params[:id]).status
diff --git a/spec/controllers/api/oembed_controller_spec.rb b/spec/controllers/api/oembed_controller_spec.rb
@@ -8,6 +8,7 @@ RSpec.describe Api::OEmbedController, type: :controller do
describe 'GET #show' do
before do
+ request.host = Rails.configuration.x.local_domain
get :show, params: { url: account_stream_entry_url(alice, status.stream_entry) }, format: :json
end
diff --git a/spec/lib/status_finder_spec.rb b/spec/lib/status_finder_spec.rb
@@ -34,6 +34,16 @@ describe StatusFinder do
end
end
+ context 'with a remote url even if id exists on local' do
+ let(:status) { Fabricate(:status) }
+ let(:url) { "https://example.com/users/test/statuses/#{status.id}" }
+ subject { described_class.new(url) }
+
+ it 'raises an error' do
+ expect { subject.status }.to raise_error(ActiveRecord::RecordNotFound)
+ end
+ end
+
context 'with a plausible url' do
let(:url) { 'https://example.com/users/test/updates/123/embed' }
subject { described_class.new(url) }
