From ff07014b2657730101e826d7e82716989d43214c Mon Sep 17 00:00:00 2001
From: Mark Felder
Date: Mon, 31 Aug 2020 14:35:22 -0500
Subject: [PATCH] Disable providers of user and status metadata when instance is private
---
 CHANGELOG.md | 3 +++
 lib/pleroma/web/metadata.ex | 12 ++++++++++--
 test/web/metadata/metadata_test.exs | 9 +++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f57e191fa..496c78ffe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## unreleased-patch - ???
+### Security
+- Fix metadata leak for accounts and statuses on private instances
+
 ### Added
 - Rich media failure tracking (along with `:failure_backoff` option)
diff --git a/lib/pleroma/web/metadata.ex b/lib/pleroma/web/metadata.ex
index e45e74e7b..0f0b56321 100644
--- a/lib/pleroma/web/metadata.ex
+++ b/lib/pleroma/web/metadata.ex
@@ -8,8 +8,8 @@ defmodule Pleroma.Web.Metadata do
 def build_tags(params) do
 providers = [
 Pleroma.Web.Metadata.Providers.RestrictIndexing,
- Pleroma.Web.Metadata.Providers.RelMe,
- | Pleroma.Config.get([__MODULE__, :providers], [])
+ Pleroma.Web.Metadata.Providers.RelMe
+ | activated_providers()
 ]
 Enum.reduce(providers, "", fn parser, acc ->
@@ -43,4 +43,12 @@ defmodule Pleroma.Web.Metadata do
 def activity_nsfw?(_) do
 false
 end
+
+ defp activated_providers do
+ if Pleroma.Config.get!([:instance, :public]) do
+ Pleroma.Config.get([__MODULE__, :providers], [])
+ else
+ []
+ end
+ end
 end
diff --git a/test/web/metadata/metadata_test.exs b/test/web/metadata/metadata_test.exs
index 3f8b29e58..4dd0d2f5c 100644
--- a/test/web/metadata/metadata_test.exs
+++ b/test/web/metadata/metadata_test.exs
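Review bot: In the `providers` list of `build_tags/1`, `RestrictIndexing` and `RelMe` still sit ahead of `activated_providers()`, so they are called with the user or status params even when `[:instance, :public]` is false; only the configured providers are gated. If `RelMe` builds its tags from profile content (its implementation is outside this diff), a private instance would still emit that data on unauthenticated pages, which is the leak this commit sets out to close. Consider gating the whole list, for example by returning `""` from `build_tags/1` before any provider runs on a private instance, or add a comment above the list stating why these two are safe to keep. The body of `build_tags/1` continues past the hunk.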
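Review bot: `activated_providers/0` branches on truthiness, so any value other than `false` stored under `[:instance, :public]` (a string such as `"false"` from a misconfigured setting, for instance) is treated as public and the providers run. Because this function is the privacy gate, it is safer to fail closed with `if Pleroma.Config.get!([:instance, :public]) == true do`. A one-line comment such as `# Providers expose user/status data; return none unless the instance is explicitly public.` would also record why the list is emptied.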
@@ -22,4 +22,13 @@ defmodule Pleroma.Web.MetadataTest do
 ""
 end
 end
+
+ describe "no metadata for private instances" do
+ test "for local user" do
+ Pleroma.Config.put([:instance, :public], false)
+ user = insert(:user, bio: "This is my secret fedi account bio")
+
+ assert "" = Pleroma.Web.Metadata.build_tags(%{user: user})
+ end
+ end
 end
-- 
2.45.2
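Review bot: `Pleroma.Config.put([:instance, :public], false)` in the new test is never reverted, so the instance stays private for whatever runs afterwards in the same VM and later tests can pass or fail depending on order. Restore the value when the test exits, e.g. with the project's `clear_config([:instance, :public], false)` helper if it is available in this module, or with an `on_exit` that puts the previous value back. The assertion also only covers a user whose bio contains no links, using whatever `[Pleroma.Web.Metadata, :providers]` the test config happens to hold. Pinning that list to a non-empty value and adding a case for a status would make the check cover both paths the changelog entry names.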