Disable providers of user and status metadata when instance is private

CHANGELOG.md

@@ -16,6 +16,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## unreleased-patch - ???
 
+### Security
+- Fix metadata leak for accounts and statuses on private instances
+
 ### Added
 
 - Rich media failure tracking (along with `:failure_backoff` option)

lib/pleroma/web/metadata.ex

@@ -8,8 +8,8 @@ defmodule Pleroma.Web.Metadata do
   def build_tags(params) do
     providers = [
       Pleroma.Web.Metadata.Providers.RestrictIndexing,
-      Pleroma.Web.Metadata.Providers.RelMe,
-      | Pleroma.Config.get([__MODULE__, :providers], [])
+      Pleroma.Web.Metadata.Providers.RelMe
+      | activated_providers()
     ]
 
     Enum.reduce(providers, "", fn parser, acc ->
@@ -43,4 +43,12 @@ def activity_nsfw?(%{data: %{"sensitive" => sensitive}}) do
   def activity_nsfw?(_) do
     false
   end
+
+  defp activated_providers do
+    if Pleroma.Config.get!([:instance, :public]) do
+      Pleroma.Config.get([__MODULE__, :providers], [])
+    else
+      []
+    end
+  end
 end

test/web/metadata/metadata_test.exs

@@ -22,4 +22,13 @@ test "for local user" do
                "<meta content=\"noindex, noarchive\" name=\"robots\">"
     end
   end
+
+  describe "no metadata for private instances" do
+    test "for local user" do
+      Pleroma.Config.put([:instance, :public], false)
+      user = insert(:user, bio: "This is my secret fedi account bio")
+
+      assert "" = Pleroma.Web.Metadata.build_tags(%{user: user})
+    end
+  end
 end