SECURITY: don't onebox whispers

2024-11-22 09:42:02 +08:00 · 2018-02-16 08:56:13 +11:00 · 2018-02-16 08:56:13 +11:00 · cda3f72ab8
commit cda3f72ab8
parent 32ad98161f
2 changed files with 31 additions and 20 deletions
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@ -170,16 +170,26 @@ module Oneboxer
        return unless Guardian.new(current_user).can_see_category?(current_category)
      end

+      topic = Topic.find_by(id: route[:topic_id])
+
+      return unless topic
+      return if topic.private_message?
+
+      if current_category&.id != topic.category_id
+        return unless Guardian.new.can_see_topic?(topic)
+      end
+
+      post = nil
+      post_number = route[:post_number].to_i
+      if post_number > 1
+        post = topic.posts.where(post_number: route[:post_number].to_i).first
+      else
+        post = topic.ordered_posts.first
+      end
+
+      return if !post || post.hidden || post.post_type != Post.types[:regular]
+
      if route[:post_number].to_i > 1
-        post = Post.find_by(topic_id: route[:topic_id], post_number: route[:post_number])
-
-        return if !post || post.hidden || post.topic.private_message?
-
-        if current_category&.id != post.topic.category_id
-          return if !Guardian.new.can_see_post?(post)
-        end
-
-        topic = post.topic
        excerpt = post.excerpt(SiteSetting.post_onebox_maxlength)
        excerpt.gsub!(/[\r\n]+/, " ")
        excerpt.gsub!("[/quote]", "[quote]") # don't break my quote
@ -188,23 +198,13 @@ module Oneboxer

        PrettyText.cook(quote)
      else
-        topic = Topic.find_by(id: route[:topic_id])
-
-        return if !topic || topic.private_message?
-
-        if current_category&.id != topic.category_id
-          return if !Guardian.new.can_see_topic?(topic)
-        end
-
-        first_post = topic.ordered_posts.first
-
        args = {
          topic_id: topic.id,
          avatar: PrettyText.avatar_img(topic.user.avatar_template, "tiny"),
          original_url: url,
          title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)),
          category_html: CategoryBadge.html_for(topic.category),
-          quote: first_post.excerpt(SiteSetting.post_onebox_maxlength),
+          quote: post.excerpt(SiteSetting.post_onebox_maxlength),
        }

        template = File.read("#{Rails.root}/lib/onebox/templates/discourse_topic_onebox.hbs")
--- a/spec/controllers/onebox_controller_spec.rb
+++ b/spec/controllers/onebox_controller_spec.rb
@ -139,6 +139,17 @@ describe OneboxController do
      expect(response.body).not_to include('blockquote')
    end

+    it 'does not allow whisper onebox' do
+      log_in
+
+      post = create_post
+      whisper = create_post(topic_id: post.topic_id, post_type: Post.types[:whisper])
+      url = Discourse.base_url + whisper.url
+
+      get :show, params: { url: url }, format: :json
+      expect(response.body).not_to include('blockquote')
+    end
+
    it 'allows onebox to public topics/posts in PM' do
      log_in