Posts from other profiles showing in profile view timeline

[fishcharlie]

Current Result

Profile timeline view shows posts/notes from users other than the user I'm viewing.

Expected Result

I expect when viewing a profile that it only shows me posts/notes from that specific user and posts/notes that user has reposted.

Steps to reproduce

From my perspective:

1. Open any profile
2. Scroll through profile timeline
3. Observe that other posts not by the profile owner or reposted by profile owner are included in that timeline

Obviously I wouldn't be surprised if more steps took place prior to this to get damus into this state, but I can not identify what those would be.

Video Recording

nostrTimelineBug.mp4

Version

Damus:

1.6 (28) 2585a37
TestFlight

Also observed on a2cac14 (development build I was using).

iOS:

17.2.1
iPhone 15 Pro Max

Other Information

• Obviously the Charlie Fish is my account and is currently the account I'm logged into
• The AirportStatusBot account is a separate nostr account that I created. I have never logged into this account on damus. But I am following it from my Charlie Fish account.

[alltheseas]

Never seen this before. Thanks @fishcharlie

@jb55 @danieldaquino @tyiu @ericholguin have yall seen this behavior?

[danieldaquino]

Same, I haven't seen this before either. 🤔

[fishcharlie]

Notes:

• The first time my breakpoint on Line 36 in InnerTImelineView.swift (the evs variable) only contains my posts, it doesn't include any of the posts from other timelines
• However, when I continued my debugging session, the breakpoint on line 36 in InnerTImelineView.swift got hit again, and posts from other profiles were now included in the evs variable
• Digging into EventHolder.swift I set breakpoints in each add method and filtered those breakpoints to only hit when the npub pubkey isn't mine
• This generated the following stack trace when it was hit:

• After digging into the RelayConnection (basically root of the stack trace), the self.url is wss://nostrrelay.win (which is my personal nostr relay running custom software)
  • This makes me think it might be an issue with my relay not handling filters properly
• I'm unsure if Damus should fix this or not.
• If it were up to me, I'd truly consider adding a guard self.pubkey == ev.pubkey else { break } right above add_event(ev) in ProfileModel.swift line 121. This would ensure that for this ProfileModel we are only handling events that match the profiles pubkey (even if the relay sends bad data).

I'd be happy to submit a patch to add that guard statement if it is determined that Damus should be defensive here and protect against relays not filtering data properly. If not we can close this issue.

I should also note that a client like https://iris.to handles this as expected (I don't see other people's posts in my profile view). I'm unsure about other clients.

---

TLDR:

Question for Damus maintainers: should I submit a patch to filter events that don't match your pubkey in ProfileModel.swift, to protect against relays sending bad data (not properly filtering events sent)? Or should Damus not be responsible for that?

[alltheseas]

Can this be exploited by a malicious relay to add notes where they shouldnt be?

cc @jb55

[fishcharlie]

@alltheseas From my perspective, yes. When Damus asks for a users notes, a relay can return any list of notes it wants (not necessarily from that user that Damus asked about). And Damus will (currently) happily show them on every users profile page (even if the notes aren't associated with that user).

Technically a relay returning notes that aren't associated with that user is a NIP spec violation. But obviously bugs (and malicious actors) can exist.

---

Also. If anyone wants to test this. You can add wss://nostrrelay.win to your relays list in Damus, and open any profile page. Posts from myself (and my AirportStatusBot) will be included in that view. (At least until I fix the bug on my end).

[alltheseas]

Recreated. Your airport npub appears on @fishcakeday profile.

[jb55]

On Mon, Jan 01, 2024 at 06:33:06PM -0800, alltheseas wrote: Can this be exploited by a malicious relay to add notes where they shouldnt be? cc @jb55

yes, which is why we don't connect to random relays, and why I'm switching to a different way to pull notes: Only ever query the local relay (nostrdb). The only role of network code that pulls notes from other relays is to dump into nostrdb. This will completely eliminate these types of exploits, and make the outbox model doable in damus apps.

[fishcharlie]

@jb55 Ok it sounds like you have a better solution than just adding a guard to check that the pubkeys match.

I will work on fixing this on my end for the relay.

@alltheseas Not sure if you want to close this issue or link it to whatever ticket @jb55 has for changing how Damus pulls notes. But that's up to you 😃.

Thanks all for the insight here.

[jb55]

On Tue, Jan 02, 2024 at 09:40:09AM -0800, Charlie Fish wrote: @jb55 Ok it sounds like you have a better solution than just adding a guard to check that the pubkeys match. I will work on fixing this on my end for the relay. @alltheseas Not sure if you want to close this issue or link it to whatever ticket @jb55 has for changing how Damus pulls notes. But that's up to you 😃. Thanks all for the insight here.

I'm ok with having the guard for now until we have switched over to this new model.

[fishcharlie]

I'm ok with having the guard for now until we have switched over to this
new model.

@jb55 Awesome, I'll submit a patch hopefully today or tomorrow for that.

[alltheseas]

Thanks @fishcharlie

I added #1851 as a follow on long-term solution in the local relay migration

[fishcharlie]

Patch sent: https://groups.google.com/a/damus.io/g/patches/c/urCE7i1-HOg