

Update ApiV1Controller, enforce blocked instance domain logic
dansup committed Feb 7, 2024
1 parent 01b33fb commit 5b284ca
Showing 1 changed file with 65 additions and 4 deletions.
69 changes: 65 additions & 4 deletions app/Http/Controllers/Api/ApiV1Controller.php
Expand Up @@ -219,6 +219,10 @@ public function accountById(Request $request, $id)
if(!$res) {
return response()->json(['error' => 'Record not found'], 404);
}
if($res && strpos($res['acct'], '@') != -1) {
$domain = parse_url($res['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
return $this->json($res);
}

Expand Down Expand Up @@ -483,6 +487,11 @@ public function accountFollowersById(Request $request, $id)
$limit = $request->input('limit', 10);
$napi = $request->has(self::PF_API_ENTITY_KEY);

if($account && strpos($account['acct'], '@') != -1) {
$domain = parse_url($account['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}

if(intval($pid) !== intval($account['id'])) {
if($account['locked']) {
if(!FollowerService::follows($pid, $account['id'])) {
Expand Down Expand Up @@ -575,6 +584,11 @@ public function accountFollowingById(Request $request, $id)
$limit = $request->input('limit', 10);
$napi = $request->has(self::PF_API_ENTITY_KEY);

if($account && strpos($account['acct'], '@') != -1) {
$domain = parse_url($account['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}

if(intval($pid) !== intval($account['id'])) {
if($account['locked']) {
if(!FollowerService::follows($pid, $account['id'])) {
Expand Down Expand Up @@ -676,6 +690,11 @@ public function accountStatusesById(Request $request, $id)
return $this->json(['error' => 'Account not found'], 404);
}

if($profile && strpos($profile['acct'], '@') != -1) {
$domain = parse_url($profile['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}

$limit = $request->limit ?? 20;
$max_id = $request->max_id;
$min_id = $request->min_id;
Expand Down Expand Up @@ -766,6 +785,11 @@ public function accountFollowById(Request $request, $id)
->whereNull('status')
->findOrFail($id);

if($target && $target->domain) {
$domain = $target->domain;
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}

$private = (bool) $target->is_private;
$remote = (bool) $target->domain;
$blocked = UserFilter::whereUserId($target->id)
Expand Down Expand Up @@ -1252,14 +1276,19 @@ public function statusFavouriteById(Request $request, $id)
$user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-like', $user->id), 403, 'Invalid permissions for this action');

AccountService::setLastActive($user->id);

$status = StatusService::getMastodon($id, false);

abort_unless($status, 400);
abort_unless($status, 404);

if($status && isset($status['account'], $status['account']['acct']) && strpos($status['account']['acct'], '@') != -1) {
$domain = parse_url($status['account']['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}

$spid = $status['account']['id'];

AccountService::setLastActive($user->id);

if(intval($spid) !== intval($user->profile_id)) {
if($status['visibility'] == 'private') {
abort_if(!FollowerService::follows($user->profile_id, $spid), 403);
Expand Down Expand Up @@ -1404,6 +1433,11 @@ public function accountFollowRequestAccept(Request $request, $id)
return response()->json(['error' => 'Record not found'], 404);
}

if($target && strpos($target['acct'], '@') != -1) {
$domain = parse_url($target['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}

$followRequest = FollowRequest::whereFollowingId($pid)->whereFollowerId($id)->first();

if(!$followRequest) {
Expand Down Expand Up @@ -2011,6 +2045,11 @@ public function accountMuteById(Request $request, $id)

$account = Profile::findOrFail($id);

if($account && $account->domain) {
$domain = $account->domain;
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}

$count = UserFilterService::muteCount($pid);
$maxLimit = intval(config('instance.user_filters.max_user_mutes'));
if($count == 0) {
Expand Down Expand Up @@ -2653,6 +2692,11 @@ public function statusById(Request $request, $id)
abort(404);
}

if($res && isset($res['account'], $res['account']['acct'], $res['account']['url']) && strpos($res['account']['acct'], '@') != -1) {
$domain = parse_url($res['account']['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}

$scope = $res['visibility'];
if(!in_array($scope, ['public', 'unlisted'])) {
if($scope === 'private') {
Expand Down Expand Up @@ -2697,6 +2741,11 @@ public function statusContext(Request $request, $id)
return response('', 404);
}

if($status && isset($status['account'], $status['account']['acct']) && strpos($status['account']['acct'], '@') != -1) {
$domain = parse_url($status['account']['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}

if(intval($status['account']['id']) !== intval($user->profile_id)) {
if($status['visibility'] == 'private') {
if(!FollowerService::follows($user->profile_id, $status['account']['id'])) {
Expand Down Expand Up @@ -2780,6 +2829,10 @@ public function statusRebloggedBy(Request $request, $id)
$status = Status::findOrFail($id);
$account = AccountService::get($status->profile_id, true);
abort_if(!$account, 404);
if($account && strpos($account['acct'], '@') != -1) {
$domain = parse_url($account['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
$author = intval($status->profile_id) === intval($pid) || $user->is_admin;
$napi = $request->has(self::PF_API_ENTITY_KEY);

Expand Down Expand Up @@ -2871,6 +2924,10 @@ public function statusFavouritedBy(Request $request, $id)
$pid = $user->profile_id;
$status = Status::findOrFail($id);
$account = AccountService::get($status->profile_id, true);
if($account && strpos($account['acct'], '@') != -1) {
$domain = parse_url($account['url'], PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
abort_if(!$account, 404);
$author = intval($status->profile_id) === intval($pid) || $user->is_admin;
$napi = $request->has(self::PF_API_ENTITY_KEY);
Expand Down Expand Up @@ -3200,7 +3257,11 @@ public function statusShare(Request $request, $id)
abort_if($user->has_roles && !UserRoleService::can('can-share', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id);
$status = Status::whereScope('public')->findOrFail($id);

if($status && ($status->uri || $status->url || $status->object_url)) {
$url = $status->uri ?? $status->url ?? $status->object_url;
$domain = parse_url($url, PHP_URL_HOST);
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
}
if(intval($status->profile_id) !== intval($user->profile_id)) {
if($status->scope == 'private') {
abort_if(!FollowerService::follows($user->profile_id, $status->profile_id), 403);
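Review bot: The remote-account guard repeated across these hunks, `strpos($res['acct'], '@') != -1` (accountById, accountFollowersById, accountFollowingById, accountStatusesById, statusFavouriteById, accountFollowRequestAccept, statusById, statusContext, statusRebloggedBy, statusFavouritedBy), never skips local accounts: PHP's strpos returns `false`, not -1, when the needle is absent, and `false != -1` is true under loose comparison, so the ban lookup runs for every account and the intent is only expressed correctly as `if($res && str_contains($res['acct'], '@'))`. The outcome is fail-closed here, but the match itself is a case-sensitive, loose `in_array` on whatever `parse_url(..., PHP_URL_HOST)` returns (the host as stored, or `null` for a malformed URL), so `in_array(strtolower((string) $domain), InstanceService::getBannedDomains(), true)` would be more robust, assuming `getBannedDomains()` returns lowercased names — worth confirming. The hunks also draw the domain from three different sources (the actor `url` host in most places, `$target->domain` in accountFollowById and accountMuteById, and `uri ?? url ?? object_url` in statusShare, where `??` does not skip an empty string); if a remote actor's webfinger domain ever differs from its URL host, a ban on one would not catch the other, so a single helper that derives and checks the domain consistently would be safer than ten inlined copies. Every method touched here starts or ends outside its hunk.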
