From 1419f90ef2252e7ef87418b12749968a9eab3de9 Mon Sep 17 00:00:00 2001
From: Claire
Date: Tue, 25 Apr 2023 22:14:44 +0200
Subject: [PATCH] Fix some user-independent endpoints potentially reading session cookies (#24650)
---
 .../api/v1/instances/extended_descriptions_controller.rb | 6 ++++++
 app/controllers/api/v1/instances/peers_controller.rb | 6 ++++++
 app/controllers/api/v1/instances/rules_controller.rb | 6 ++++++
 app/controllers/api/v1/instances_controller.rb | 6 ++++++
 app/controllers/manifests_controller.rb | 4 ++++
 app/controllers/well_known/nodeinfo_controller.rb | 4 ++++
 6 files changed, 32 insertions(+)
diff --git a/app/controllers/api/v1/instances/extended_descriptions_controller.rb b/app/controllers/api/v1/instances/extended_descriptions_controller.rb
index 17cf0d790..a0665725b 100644
--- a/app/controllers/api/v1/instances/extended_descriptions_controller.rb
+++ b/app/controllers/api/v1/instances/extended_descriptions_controller.rb
@@ -2,11 +2,17 @@
 class Api::V1::Instances::ExtendedDescriptionsController < Api::BaseController
 skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+ skip_around_action :set_locale
 before_action :set_extended_description
 vary_by ''
+ # Override `current_user` to avoid reading session cookies unless in whitelist mode
+ def current_user
+ super if whitelist_mode?
+ end
+
 def show
 cache_even_if_authenticated!
 render json: @extended_description, serializer: REST::ExtendedDescriptionSerializer
diff --git a/app/controllers/api/v1/instances/peers_controller.rb b/app/controllers/api/v1/instances/peers_controller.rb
index 20809d755..70281362a 100644
--- a/app/controllers/api/v1/instances/peers_controller.rb
+++ b/app/controllers/api/v1/instances/peers_controller.rb
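Review bot: `skip_around_action :set_locale` is unconditional while the neighbouring `skip_before_action :require_authenticated_user!` is guarded with `unless: :whitelist_mode?`, so in whitelist mode — where the new `current_user` still calls `super` and the session is read anyway — the locale callback no longer runs for this endpoint. If `set_locale` (defined outside this hunk) derives the locale from the authenticated user, whitelist-mode responses and any localized error bodies would silently fall back to the default; either mirror the guard, `skip_around_action :set_locale, unless: :whitelist_mode?`, or extend the comment to say the unconditional skip is intended. The same override and skip are duplicated verbatim in the peers, rules and instances controller hunks below; a small concern included by the four controllers would keep the session-avoidance logic in one place. The enclosing class continues past the hunk.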
@@ -4,9 +4,15 @@ class Api::V1::Instances::PeersController < Api::BaseController
 before_action :require_enabled_api!
 skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+ skip_around_action :set_locale
 vary_by ''
+ # Override `current_user` to avoid reading session cookies unless in whitelist mode
+ def current_user
+ super if whitelist_mode?
+ end
+
 def index
 cache_even_if_authenticated!
 render_with_cache(expires_in: 1.day) { Instance.where.not(domain: DomainBlock.select(:domain)).pluck(:domain) }
diff --git a/app/controllers/api/v1/instances/rules_controller.rb b/app/controllers/api/v1/instances/rules_controller.rb
index cd5cc7b08..d3eeca326 100644
--- a/app/controllers/api/v1/instances/rules_controller.rb
+++ b/app/controllers/api/v1/instances/rules_controller.rb
@@ -2,11 +2,17 @@
 class Api::V1::Instances::RulesController < Api::BaseController
 skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+ skip_around_action :set_locale
 before_action :set_rules
 vary_by ''
+ # Override `current_user` to avoid reading session cookies unless in whitelist mode
+ def current_user
+ super if whitelist_mode?
+ end
+
 def index
 cache_even_if_authenticated!
 render json: @rules, each_serializer: REST::RuleSerializer
diff --git a/app/controllers/api/v1/instances_controller.rb b/app/controllers/api/v1/instances_controller.rb
index d4c822e64..5a6701ff9 100644
--- a/app/controllers/api/v1/instances_controller.rb
+++ b/app/controllers/api/v1/instances_controller.rb
@@ -2,9 +2,15 @@
 class Api::V1::InstancesController < Api::BaseController
 skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
+ skip_around_action :set_locale
 vary_by ''
+ # Override `current_user` to avoid reading session cookies unless in whitelist mode
+ def current_user
+ super if whitelist_mode?
+ end
+
 def show
 cache_even_if_authenticated!
 render_with_cache json: InstancePresenter.new, serializer: REST::V1::InstanceSerializer, root: 'instance'
diff --git a/app/controllers/manifests_controller.rb b/app/controllers/manifests_controller.rb
index 593b76c53..4fba9198f 100644
--- a/app/controllers/manifests_controller.rb
+++ b/app/controllers/manifests_controller.rb
@@ -1,6 +1,10 @@
 # frozen_string_literal: true
 class ManifestsController < ActionController::Base # rubocop:disable Rails/ApplicationController
+ # Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
+ # and thus re-issuing session cookies
+ serialization_scope nil
+
 def show
 expires_in 3.minutes, public: true
 render json: InstancePresenter.new, serializer: ManifestSerializer, root: 'instance'
diff --git a/app/controllers/well_known/nodeinfo_controller.rb b/app/controllers/well_known/nodeinfo_controller.rb
index ab6b8f5a4..e20e8c62a 100644
--- a/app/controllers/well_known/nodeinfo_controller.rb
+++ b/app/controllers/well_known/nodeinfo_controller.rb
@@ -4,6 +4,10 @@ module WellKnown
 class NodeInfoController < ActionController::Base # rubocop:disable Rails/ApplicationController
 include CacheConcern
+ # Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
+ # and thus re-issuing session cookies
+ serialization_scope nil
+
 def index
 expires_in 3.days, public: true
 render_with_cache json: {}, serializer: NodeInfo::DiscoverySerializer, adapter: NodeInfo::Adapter, expires_in: 3.days, root: 'nodeinfo'
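Review bot: Nothing in this patch pins the new behaviour — the diffstat lists six controllers and no specs — so a later change to the serializer's default scope or an accidental removal of `serialization_scope nil` would reintroduce the cookie silently. Because `show` sends `expires_in 3.minutes, public: true`, a stray `Set-Cookie` on this response is cacheable by shared caches and could be handed to other clients, which is what makes a request spec asserting that the response carries no `Set-Cookie` header worthwhile here; the nodeinfo hunk below (`expires_in 3.days, public: true`) and the four API hunks above warrant the same check. As a nit, the added comment names the gem `active_model_serializer`, while the gem that provides `ActionController::Serialization` is `active_model_serializers`; the same comment is repeated verbatim in the nodeinfo hunk. `ManifestsController`'s body continues past the hunk.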