From 8d1fa36ad22a21a9b0fb6bf51a27d09954220013 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Fri, 16 Nov 2018 11:18:13 +0100 Subject: Do not host remote AP objects --- server/controllers/activitypub/client.ts | 12 +++++++++++- server/middlewares/cache.ts | 7 +++++++ server/models/redundancy/video-redundancy.ts | 7 +++++-- server/tests/api/check-params/user-subscriptions.ts | 5 +++++ 4 files changed, 28 insertions(+), 3 deletions(-) diff --git a/server/controllers/activitypub/client.ts b/server/controllers/activitypub/client.ts index ffbf1ba19..a342a48d4 100644 --- a/server/controllers/activitypub/client.ts +++ b/server/controllers/activitypub/client.ts @@ -39,6 +39,7 @@ import { import { VideoCaptionModel } from '../../models/video/video-caption' import { videoRedundancyGetValidator } from '../../middlewares/validators/redundancy' import { getServerActor } from '../../helpers/utils' +import { VideoRedundancyModel } from '../../models/redundancy/video-redundancy' const activityPubClientRouter = express.Router() @@ -164,6 +165,8 @@ function getAccountVideoRate (rateType: VideoRateType) { async function videoController (req: express.Request, res: express.Response, next: express.NextFunction) { const video: VideoModel = res.locals.video + if (video.isOwned() === false) return res.redirect(video.url) + // We need captions to render AP object video.VideoCaptions = await VideoCaptionModel.listVideoCaptions(video.id) @@ -180,6 +183,9 @@ async function videoController (req: express.Request, res: express.Response, nex async function videoAnnounceController (req: express.Request, res: express.Response, next: express.NextFunction) { const share = res.locals.videoShare as VideoShareModel + + if (share.Actor.isOwned() === false) return res.redirect(share.url) + const { activity } = await buildAnnounceWithVideoAudience(share.Actor, share, res.locals.video, undefined) return activityPubResponse(activityPubContextify(activity), res) @@ -252,6 +258,8 @@ async function videoChannelFollowingController (req: express.Request, res: expre async function videoCommentController (req: express.Request, res: express.Response, next: express.NextFunction) { const videoComment: VideoCommentModel = res.locals.videoComment + if (videoComment.isOwned() === false) return res.redirect(videoComment.url) + const threadParentComments = await VideoCommentModel.listThreadParentComments(videoComment, undefined) const isPublic = true // Comments are always public const audience = getAudience(videoComment.Account.Actor, isPublic) @@ -267,7 +275,9 @@ async function videoCommentController (req: express.Request, res: express.Respon } async function videoRedundancyController (req: express.Request, res: express.Response) { - const videoRedundancy = res.locals.videoRedundancy + const videoRedundancy: VideoRedundancyModel = res.locals.videoRedundancy + if (videoRedundancy.isOwned() === false) return res.redirect(videoRedundancy.url) + const serverActor = await getServerActor() const audience = getAudience(serverActor) diff --git a/server/middlewares/cache.ts b/server/middlewares/cache.ts index 1e00fc731..8ffe75700 100644 --- a/server/middlewares/cache.ts +++ b/server/middlewares/cache.ts @@ -19,6 +19,7 @@ function cacheRoute (lifetimeArg: string | number) { logger.debug('No cached results for route %s.', req.originalUrl) const sendSave = res.send.bind(res) + const redirectSave = res.redirect.bind(res) res.send = (body) => { if (res.statusCode >= 200 && res.statusCode < 400) { @@ -38,6 +39,12 @@ function cacheRoute (lifetimeArg: string | number) { return sendSave(body) } + res.redirect = url => { + done() + + return redirectSave(url) + } + return next() } diff --git a/server/models/redundancy/video-redundancy.ts b/server/models/redundancy/video-redundancy.ts index 35e0cd3b1..9de4356b4 100644 --- a/server/models/redundancy/video-redundancy.ts +++ b/server/models/redundancy/video-redundancy.ts @@ -117,8 +117,7 @@ export class VideoRedundancyModel extends Model { @BeforeDestroy static async removeFile (instance: VideoRedundancyModel) { - // Not us - if (!instance.strategy) return + if (!instance.isOwned()) return const videoFile = await VideoFileModel.loadWithVideo(instance.videoFileId) @@ -404,6 +403,10 @@ export class VideoRedundancyModel extends Model { })) } + isOwned () { + return !!this.strategy + } + toActivityPubObject (): CacheFileObject { return { id: this.url, diff --git a/server/tests/api/check-params/user-subscriptions.ts b/server/tests/api/check-params/user-subscriptions.ts index 9fba99ac8..6af7ed43b 100644 --- a/server/tests/api/check-params/user-subscriptions.ts +++ b/server/tests/api/check-params/user-subscriptions.ts @@ -15,6 +15,7 @@ import { userLogin } from '../../utils' import { checkBadCountPagination, checkBadSortPagination, checkBadStartPagination } from '../../utils/requests/check-api-params' +import { waitJobs } from '../../utils/server/jobs' describe('Test user subscriptions API validators', function () { const path = '/api/v1/users/me/subscriptions' @@ -141,6 +142,8 @@ describe('Test user subscriptions API validators', function () { }) it('Should succeed with the correct parameters', async function () { + this.timeout(20000) + await makePostBodyRequest({ url: server.url, path, @@ -148,6 +151,8 @@ describe('Test user subscriptions API validators', function () { fields: { uri: 'user1_channel@localhost:9001' }, statusCodeExpected: 204 }) + + await waitJobs([ server ]) }) }) -- cgit v1.2.3