Fix some user-independent endpoints potentially reading session cookies (#24650)

1 year ago · 1419f90ef2
parent 276c39361b
commit 1419f90ef2
6 changed files with 32 additions and 0 deletions
--- a/app/controllers/api/v1/instances/extended_descriptions_controller.rb
+++ b/app/controllers/api/v1/instances/extended_descriptions_controller.rb
@ -2,11 +2,17 @@

 class Api::V1::Instances::ExtendedDescriptionsController < Api::BaseController
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+  skip_around_action :set_locale

  before_action :set_extended_description

  vary_by ''

+  # Override `current_user` to avoid reading session cookies unless in whitelist mode
+  def current_user
+    super if whitelist_mode?
+  end
+
  def show
    cache_even_if_authenticated!
    render json: @extended_description, serializer: REST::ExtendedDescriptionSerializer
--- a/app/controllers/api/v1/instances/peers_controller.rb
+++ b/app/controllers/api/v1/instances/peers_controller.rb
@ -4,9 +4,15 @@ class Api::V1::Instances::PeersController < Api::BaseController
  before_action :require_enabled_api!

  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+  skip_around_action :set_locale

  vary_by ''

+  # Override `current_user` to avoid reading session cookies unless in whitelist mode
+  def current_user
+    super if whitelist_mode?
+  end
+
  def index
    cache_even_if_authenticated!
    render_with_cache(expires_in: 1.day) { Instance.where.not(domain: DomainBlock.select(:domain)).pluck(:domain) }
--- a/app/controllers/api/v1/instances/rules_controller.rb
+++ b/app/controllers/api/v1/instances/rules_controller.rb
@ -2,11 +2,17 @@

 class Api::V1::Instances::RulesController < Api::BaseController
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+  skip_around_action :set_locale

  before_action :set_rules

  vary_by ''

+  # Override `current_user` to avoid reading session cookies unless in whitelist mode
+  def current_user
+    super if whitelist_mode?
+  end
+
  def index
    cache_even_if_authenticated!
    render json: @rules, each_serializer: REST::RuleSerializer
--- a/app/controllers/api/v1/instances_controller.rb
+++ b/app/controllers/api/v1/instances_controller.rb
@ -2,9 +2,15 @@

 class Api::V1::InstancesController < Api::BaseController
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+  skip_around_action :set_locale

  vary_by ''

+  # Override `current_user` to avoid reading session cookies unless in whitelist mode
+  def current_user
+    super if whitelist_mode?
+  end
+
  def show
    cache_even_if_authenticated!
    render_with_cache json: InstancePresenter.new, serializer: REST::V1::InstanceSerializer, root: 'instance'
--- a/app/controllers/manifests_controller.rb
+++ b/app/controllers/manifests_controller.rb
@ -1,6 +1,10 @@
 # frozen_string_literal: true

 class ManifestsController < ActionController::Base # rubocop:disable Rails/ApplicationController
+  # Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
+  # and thus re-issuing session cookies
+  serialization_scope nil
+
  def show
    expires_in 3.minutes, public: true
    render json: InstancePresenter.new, serializer: ManifestSerializer, root: 'instance'
--- a/app/controllers/well_known/nodeinfo_controller.rb
+++ b/app/controllers/well_known/nodeinfo_controller.rb
@ -4,6 +4,10 @@ module WellKnown
  class NodeInfoController < ActionController::Base # rubocop:disable Rails/ApplicationController
    include CacheConcern

+    # Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
+    # and thus re-issuing session cookies
+    serialization_scope nil
+
    def index
      expires_in 3.days, public: true
      render_with_cache json: {}, serializer: NodeInfo::DiscoverySerializer, adapter: NodeInfo::Adapter, expires_in: 3.days, root: 'nodeinfo'