From 50e7706b269d6008ae4778db86bc4462ffce5ee4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?marcin=20miko=C5=82ajczak?= Date: Sun, 20 Nov 2022 23:19:52 +0100 Subject: [PATCH 1/3] Verify link ownership with rel="me" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: marcin mikołajczak --- changelog.d/link-verification.add | 1 + lib/pleroma/user.ex | 63 ++++++++++++++++++- lib/pleroma/workers/background_worker.ex | 5 ++ test/pleroma/user_test.exs | 25 ++++++++ .../mastodon_api/update_credentials_test.exs | 20 +++--- 5 files changed, 105 insertions(+), 9 deletions(-) create mode 100644 changelog.d/link-verification.add diff --git a/changelog.d/link-verification.add b/changelog.d/link-verification.add new file mode 100644 index 000000000..d8b11ebbc --- /dev/null +++ b/changelog.d/link-verification.add @@ -0,0 +1 @@ +Verify profile link ownership with rel="me" \ No newline at end of file diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index ce125d608..d81aa5252 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -8,6 +8,7 @@ defmodule Pleroma.User do import Ecto.Changeset import Ecto.Query import Ecto, only: [assoc: 2] + import Pleroma.Web.Utils.Guards, only: [not_empty_string: 1] alias Ecto.Multi alias Pleroma.Activity @@ -595,9 +596,23 @@ def update_changeset(struct, params \\ %{}) do defp put_fields(changeset) do if raw_fields = get_change(changeset, :raw_fields) do + old_fields = changeset.data.raw_fields + raw_fields = raw_fields |> Enum.filter(fn %{"name" => n} -> n != "" end) + |> Enum.map(fn field -> + previous = + old_fields + |> Enum.find(fn %{"value" => value} -> field["value"] == value end) + + if previous && Map.has_key?(previous, "verified_at") do + field + |> Map.put("verified_at", previous["verified_at"]) + else + field + end + end) fields = raw_fields 
@@ -1198,6 +1213,10 @@ def update_and_set_cache(struct, params) do def update_and_set_cache(changeset) do with {:ok, user} <- Repo.update(changeset, stale_error_field: :id) do + if get_change(changeset, :raw_fields) do + BackgroundWorker.enqueue("verify_fields_links", %{"user_id" => user.id}) + end + set_cache(user) end end @@ -1970,8 +1989,47 @@ def perform(:delete, %User{} = user) do maybe_delete_from_db(user) end + def perform(:verify_fields_links, user) do + profile_urls = [user.ap_id] + + fields = + user.raw_fields + |> Enum.map(&verify_field_link(&1, profile_urls)) + + changeset = + user + |> update_changeset(%{raw_fields: fields}) + + with {:ok, user} <- Repo.update(changeset, stale_error_field: :id) do + set_cache(user) + end + end + def perform(:set_activation_async, user, status), do: set_activation(user, status) + defp verify_field_link(field, profile_urls) do + verified_at = + with %{"value" => value} <- field, + {:verified_at, nil} <- {:verified_at, Map.get(field, "verified_at")}, + %{scheme: scheme, userinfo: nil, host: host} + when not_empty_string(host) and scheme in ["http", "https"] <- + URI.parse(value), + {:not_idn, true} <- {:not_idn, to_string(:idna.encode(host)) == host}, + attr <- Pleroma.Web.RelMe.maybe_put_rel_me(value, profile_urls) do + if attr == "me" do + CommonUtils.to_masto_date(NaiveDateTime.utc_now()) + end + else + {:verified_at, value} when not_empty_string(value) -> + value + + _ -> + nil + end + + Map.put(field, "verified_at", verified_at) + end + @spec external_users_query() :: Ecto.Query.t() def external_users_query do User.Query.build(%{ 
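Review bot: `BackgroundWorker.enqueue("verify_fields_links", ...)` is called before `set_cache(user)`, so in principle the job can load the user, verify the links and write its own `set_cache` first, after which this function's `set_cache` of the still-unverified struct overwrites it and the cache stays stale until the next invalidation. Moving the enqueue after `set_cache(user)` (or enqueuing in the same transaction as the update) closes that window. A short why-comment would also help the next reader, e.g. `# fields with an unchanged value keep their verified_at via put_fields; the job only fetches the rest`, since that is not obvious from this call site.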
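Review bot: `verify_field_link` keeps any non-empty `verified_at` already present on the field (the `{:verified_at, value} when not_empty_string(value) -> value` branch), so a link is verified exactly once and never re-checked; a rel="me" backlink removed later from the remote page leaves the badge in place indefinitely, and either a re-check policy (treat a `verified_at` older than a configured age as `nil` before the `with`) or a comment documenting the one-shot behaviour is needed. The same branch also trusts a `verified_at` that arrived on the incoming field map: unless the update-credentials schema strips unknown keys (not visible here), a client can submit the key itself and it will be preserved, so dropping `"verified_at"` from incoming raw fields before `put_fields` consults `changeset.data.raw_fields` would make the server the only source of that value. `Pleroma.Web.RelMe.maybe_put_rel_me/2` fetches a user-supplied URL; the scheme, `userinfo: nil` and non-IDN guards are good, and it is worth confirming that path applies the project's usual restrictions on internal or loopback hosts for user-supplied fetches. Finally, `perform(:verify_fields_links, user)` rewrites `raw_fields` from the struct the job loaded, so an edit that lands between the load and `Repo.update` is silently overwritten; `stale_error_field: :id` does not detect that.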
@@ -2659,10 +2717,11 @@ def sanitize_html(%User{} = user) do # - display name def sanitize_html(%User{} = user, filter) do fields = - Enum.map(user.fields, fn %{"name" => name, "value" => value} -> + Enum.map(user.fields, fn %{"name" => name, "value" => value} = fields -> %{ "name" => name, - "value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly) + "value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly), + "verified_at" => Map.get(fields, "verified_at") } end) diff --git a/lib/pleroma/workers/background_worker.ex b/lib/pleroma/workers/background_worker.ex index 794417612..eef1c4f15 100644 --- a/lib/pleroma/workers/background_worker.ex +++ b/lib/pleroma/workers/background_worker.ex @@ -40,6 +40,11 @@ def perform(%Job{ Pleroma.FollowingRelationship.move_following(origin, target) end + def perform(%Job{args: %{"op" => "verify_fields_links", "user_id" => user_id}}) do + user = User.get_by_id(user_id) + User.perform(:verify_fields_links, user) + end + def perform(%Job{args: %{"op" => "delete_instance", "host" => host}}) do Instance.perform(:delete_instance, host) end diff --git a/test/pleroma/user_test.exs b/test/pleroma/user_test.exs index 7f60b959a..93de980c9 100644 --- a/test/pleroma/user_test.exs +++ b/test/pleroma/user_test.exs 
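Review bot: the new `= fields` binding in the `Enum.map` clause names a single field map but shadows the outer `fields` being assigned just above it, which is easy to misread in a function this long; `= field` together with `"verified_at" => Map.get(field, "verified_at")` keeps the two apart. `sanitize_html/2` continues past the end of this hunk.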
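Review bot: `User.get_by_id(user_id)` returns `nil` for a user deleted between enqueue and execution, and `User.perform(:verify_fields_links, nil)` then raises on `user.ap_id`, so Oban retries the job until its attempts are exhausted for a case that should be a no-op. Matching the struct makes that explicit: `with %User{} = user <- User.get_by_id(user_id) do` / `User.perform(:verify_fields_links, user)` / `end`.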
@@ -2913,4 +2913,29 @@ test "it doesn't pin users you do not follow" do refute User.endorses?(user, pinned_user) end end + + test "it checks fields links for a backlink" do + user = insert(:user, ap_id: "https://social.example.org/users/lain") + + fields = [ + %{"name" => "Link", "value" => "http://example.com/rel_me/null"}, + %{"name" => "Verified link", "value" => "http://example.com/rel_me/link"}, + %{"name" => "Not a link", "value" => "i'm not a link"} + ] + + user + |> User.update_and_set_cache(%{raw_fields: fields}) + + ObanHelpers.perform_all() + + user = User.get_cached_by_id(user.id) + + assert [ + %{"verified_at" => nil}, + %{"verified_at" => verified_at}, + %{"verified_at" => nil} + ] = user.fields + + assert is_binary(verified_at) + end end diff --git a/test/pleroma/web/mastodon_api/update_credentials_test.exs b/test/pleroma/web/mastodon_api/update_credentials_test.exs index 45412bb34..c1db21ac2 100644 --- a/test/pleroma/web/mastodon_api/update_credentials_test.exs +++ b/test/pleroma/web/mastodon_api/update_credentials_test.exs @@ -502,10 +502,15 @@ test "update fields", %{conn: conn} do |> json_response_and_validate_schema(200) assert account_data["fields"] == [ - %{"name" => "foo", "value" => "bar"}, + %{ + "name" => "foo", + "value" => "bar", + "verified_at" => nil + }, %{ "name" => "link.io", - "value" => ~S(cofe.io) + "value" => ~S(cofe.io), + "verified_at" => nil } ] @@ -564,8 +569,8 @@ test "emojis in fields labels", %{conn: conn} do |> json_response_and_validate_schema(200) assert account_data["fields"] == [ - %{"name" => ":firefox:", "value" => "is best 2hu"}, - %{"name" => "they wins", "value" => ":blank:"} + %{"name" => ":firefox:", "value" => "is best 2hu", "verified_at" => nil}, + %{"name" => "they wins", "value" => ":blank:", "verified_at" => nil} ] assert account_data["source"]["fields"] == [ 
@@ -593,10 +598,11 @@ test "update fields via x-www-form-urlencoded", %{conn: conn} do |> json_response_and_validate_schema(200) assert account["fields"] == [ - %{"name" => "foo", "value" => "bar"}, + %{"name" => "foo", "value" => "bar", "verified_at" => nil}, %{ "name" => "link", - "value" => ~S(http://cofe.io) + "value" => ~S(http://cofe.io), + "verified_at" => nil } ] @@ -618,7 +624,7 @@ test "update fields with empty name", %{conn: conn} do |> json_response_and_validate_schema(200) assert account["fields"] == [ - %{"name" => "foo", "value" => ""} + %{"name" => "foo", "value" => "", "verified_at" => nil} ] end From 47ce33a90d09878d5231ce9654853ebcd1b88c08 Mon Sep 17 00:00:00 2001 From: tusooa Date: Thu, 7 Mar 2024 11:55:31 +0000 Subject: [PATCH 2/3] Apply tusooa's suggestion --- lib/pleroma/user.ex | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index d81aa5252..ecf537475 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -2015,10 +2015,8 @@ defp verify_field_link(field, profile_urls) do when not_empty_string(host) and scheme in ["http", "https"] <- URI.parse(value), {:not_idn, true} <- {:not_idn, to_string(:idna.encode(host)) == host}, - attr <- Pleroma.Web.RelMe.maybe_put_rel_me(value, profile_urls) do - if attr == "me" do - CommonUtils.to_masto_date(NaiveDateTime.utc_now()) - end + "me" <- Pleroma.Web.RelMe.maybe_put_rel_me(value, profile_urls) do + CommonUtils.to_masto_date(NaiveDateTime.utc_now()) else {:verified_at, value} when not_empty_string(value) -> value From 961a5dd4cda7f807455001e1eb936d9c1e14c895 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?marcin=20miko=C5=82ajczak?= Date: Thu, 7 Mar 2024 13:32:50 +0100 Subject: [PATCH 3/3] Add test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: marcin mikołajczak --- test/pleroma/user_test.exs | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) 
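Review bot: with `"me" <- Pleroma.Web.RelMe.maybe_put_rel_me(value, profile_urls)` any non-`"me"` result, including a fetch failure, falls into the `_ -> nil` branch and is stored as "not verified", indistinguishable from a page that lacks the backlink; since `verify_field_link` re-runs only for fields whose `verified_at` is `nil`, a transient network error is not retried until the user edits the profile again. If the helper returns an error tuple on failure (not visible here), either letting it propagate out of `perform/2` so Oban's retry applies, or at least logging it, would make the outcome recoverable and observable. The head of `verify_field_link/2` and the surrounding `with` start outside this hunk.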
diff --git a/test/pleroma/user_test.exs b/test/pleroma/user_test.exs index d6ed744f1..a93f81659 100644 --- a/test/pleroma/user_test.exs +++ b/test/pleroma/user_test.exs @@ -2953,4 +2953,26 @@ test "it checks fields links for a backlink" do assert is_binary(verified_at) end + + test "updating fields does not invalidate previously validated links" do + user = insert(:user, ap_id: "https://social.example.org/users/lain") + + user + |> User.update_and_set_cache(%{ + raw_fields: [%{"name" => "verified link", "value" => "http://example.com/rel_me/link"}] + }) + + ObanHelpers.perform_all() + + %User{fields: [%{"verified_at" => verified_at}]} = user = User.get_cached_by_id(user.id) + + user + |> User.update_and_set_cache(%{ + raw_fields: [%{"name" => "Verified link", "value" => "http://example.com/rel_me/link"}] + }) + + user = User.get_cached_by_id(user.id) + + assert [%{"verified_at" => ^verified_at}] = user.fields + end end
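Review bot: this test pins the carry-over of `verified_at` for an unchanged value, but the inverse case — changing a verified field's value to a different URL must reset `verified_at` to `nil` until the new link is verified — is what prevents a badge from surviving a link swap, and it is not covered; a sibling test that updates the same field to another URL and asserts `[%{"verified_at" => nil}] = user.fields` before calling `ObanHelpers.perform_all()` would pin it. The deliberate absence of a second `perform_all()` here is what proves the value comes from `put_fields` rather than from re-verification, so a one-line comment such as `# no perform_all here: verified_at must survive the edit without a re-fetch` would keep a future cleanup from "fixing" it.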