Raise an error for remote url in StatusFinder (#4776)
* Raise an error for remote url in StatusFinder. The previous implementation allowed a remote url whose status id also exists locally; that bug led /api/web/embed to return the wrong embed url. * Fix oembed_controller_spec shrike
parent
bfa7f9ebf2
commit
6a4e2db661
@ -10,6 +10,8 @@ class StatusFinder
def status
def status
verify_action!
verify_action!
raise ActiveRecord::RecordNotFound unless TagManager.instance.local_url?(url)
case recognized_params[:controller]
case recognized_params[:controller]
when 'stream_entries'
when 'stream_entries'
StreamEntry.find(recognized_params[:id]).status
StreamEntry.find(recognized_params[:id]).status
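Review bot: The new guard `raise ActiveRecord::RecordNotFound unless TagManager.instance.local_url?(url)` carries no comment saying why a remote url must be refused up front even though the rest of `status` could still resolve its id, which is the exact bug the commit fixes; add `# A remote url is never resolved here: its path may carry an id that also exists locally, and falling through would hand back a local status (and embed url) for a foreign one.` above it. Raising RecordNotFound rather than a distinct error keeps the response indistinguishable from a genuinely missing status, which is reasonable but worth a word so a later change does not "improve" it into a more specific error that reveals the id exists. Which `url` is passed is inferred from the spec's `described_class.new(url)` rather than visible in this hunk, and `status` continues past the hunk.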
@ -8,6 +8,7 @@ RSpec.describe Api::OEmbedController, type: :controller do
describe 'GET #show' do
describe 'GET #show' do
before do
before do
request.host = Rails.configuration.x.local_domain
get :show, params: { url: account_stream_entry_url(alice, status.stream_entry) }, format: :json
get :show, params: { url: account_stream_entry_url(alice, status.stream_entry) }, format: :json
end
end
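Review bot: The added `request.host = Rails.configuration.x.local_domain` is presumably what makes the generated `account_stream_entry_url` count as a local url for the new StatusFinder guard, but nothing in the `before` block says so; add `# url helpers build from request.host, which must be the local domain for StatusFinder to accept the url` above it. With only this setup the controller spec exercises the accepting path; an example whose host is not the local domain and that expects the not-found response would cover the rejecting branch at the controller level as well (the finder spec covers it at the finder level). The describe block continues past the hunk.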
@ -34,6 +34,16 @@ describe StatusFinder do
end
end
end
end
context 'with a remote url even if id exists on local' do
let(:status) { Fabricate(:status) }
let(:url) { "https://example.com/users/test/statuses/#{status.id}" }
subject { described_class.new(url) }
it 'raises an error' do
expect { subject.status }.to raise_error(ActiveRecord::RecordNotFound)
end
end
context 'with a plausible url' do
context 'with a plausible url' do
let(:url) { 'https://example.com/users/test/updates/123/embed' }
let(:url) { 'https://example.com/users/test/updates/123/embed' }
subject { described_class.new(url) }
subject { described_class.new(url) }
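Review bot: The new context 'with a remote url even if id exists on local' hard-codes `example.com` as the foreign host while `status.id` is a real local id, and the example only proves the point if `example.com` is not the configured local domain in the test environment; a one-line comment above `let(:url)`, `# foreign host, real local id: the finder must refuse rather than fall back to the local record`, keeps that intent visible if test config ever changes. `subject { described_class.new(url) }` is repeated in this context and in the following 'with a plausible url' one; lifting it to the outer describe would remove the duplication, though that block starts before the hunk. The enclosing describe also ends after the hunk.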