Update ApiV1Controller, enforce blocked instance domain logic

2024-11-09 16:24:51 +00:00 · 2024-02-07 04:41:12 -07:00 · 2024-02-07 04:41:12 -07:00 · 5b284cacea
commit 5b284cacea
parent 01b33fb37e
1 changed files with 65 additions and 4 deletions
--- a/app/Http/Controllers/Api/ApiV1Controller.php
+++ b/app/Http/Controllers/Api/ApiV1Controller.php
@ -219,6 +219,10 @@ class ApiV1Controller extends Controller
        if(!$res) {
            return response()->json(['error' => 'Record not found'], 404);
        }
+        if($res && strpos($res['acct'], '@') != -1) {
+            $domain = parse_url($res['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
        return $this->json($res);
    }

@ -483,6 +487,11 @@ class ApiV1Controller extends Controller
        $limit = $request->input('limit', 10);
        $napi = $request->has(self::PF_API_ENTITY_KEY);

+        if($account && strpos($account['acct'], '@') != -1) {
+            $domain = parse_url($account['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
+
        if(intval($pid) !== intval($account['id'])) {
            if($account['locked']) {
                if(!FollowerService::follows($pid, $account['id'])) {
@ -575,6 +584,11 @@ class ApiV1Controller extends Controller
        $limit = $request->input('limit', 10);
        $napi = $request->has(self::PF_API_ENTITY_KEY);

+        if($account && strpos($account['acct'], '@') != -1) {
+            $domain = parse_url($account['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
+
        if(intval($pid) !== intval($account['id'])) {
            if($account['locked']) {
                if(!FollowerService::follows($pid, $account['id'])) {
@ -676,6 +690,11 @@ class ApiV1Controller extends Controller
            return $this->json(['error' => 'Account not found'], 404);
        }

+        if($profile && strpos($profile['acct'], '@') != -1) {
+            $domain = parse_url($profile['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
+
        $limit = $request->limit ?? 20;
        $max_id = $request->max_id;
        $min_id = $request->min_id;
@ -766,6 +785,11 @@ class ApiV1Controller extends Controller
            ->whereNull('status')
            ->findOrFail($id);

+        if($target && $target->domain) {
+            $domain = $target->domain;
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
+
        $private = (bool) $target->is_private;
        $remote = (bool) $target->domain;
        $blocked = UserFilter::whereUserId($target->id)
@ -1252,14 +1276,19 @@ class ApiV1Controller extends Controller
        $user = $request->user();
        abort_if($user->has_roles && !UserRoleService::can('can-like', $user->id), 403, 'Invalid permissions for this action');

-        AccountService::setLastActive($user->id);
-
        $status = StatusService::getMastodon($id, false);

-        abort_unless($status, 400);
+        abort_unless($status, 404);
+
+        if($status && isset($status['account'], $status['account']['acct']) && strpos($status['account']['acct'], '@') != -1) {
+            $domain = parse_url($status['account']['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }

        $spid = $status['account']['id'];

+        AccountService::setLastActive($user->id);
+
        if(intval($spid) !== intval($user->profile_id)) {
            if($status['visibility'] == 'private') {
                abort_if(!FollowerService::follows($user->profile_id, $spid), 403);
@ -1404,6 +1433,11 @@ class ApiV1Controller extends Controller
            return response()->json(['error' => 'Record not found'], 404);
        }

+        if($target && strpos($target['acct'], '@') != -1) {
+            $domain = parse_url($target['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
+
        $followRequest = FollowRequest::whereFollowingId($pid)->whereFollowerId($id)->first();

        if(!$followRequest) {
@ -2011,6 +2045,11 @@ class ApiV1Controller extends Controller

        $account = Profile::findOrFail($id);

+        if($account && $account->domain) {
+            $domain = $account->domain;
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
+
        $count = UserFilterService::muteCount($pid);
        $maxLimit = intval(config('instance.user_filters.max_user_mutes'));
        if($count == 0) {
@ -2653,6 +2692,11 @@ class ApiV1Controller extends Controller
            abort(404);
        }

+        if($res && isset($res['account'], $res['account']['acct'], $res['account']['url']) && strpos($res['account']['acct'], '@') != -1) {
+            $domain = parse_url($res['account']['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
+
        $scope = $res['visibility'];
        if(!in_array($scope, ['public', 'unlisted'])) {
            if($scope === 'private') {
@ -2697,6 +2741,11 @@ class ApiV1Controller extends Controller
            return response('', 404);
        }

+        if($status && isset($status['account'], $status['account']['acct']) && strpos($status['account']['acct'], '@') != -1) {
+            $domain = parse_url($status['account']['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
+
        if(intval($status['account']['id']) !== intval($user->profile_id)) {
            if($status['visibility'] == 'private') {
                if(!FollowerService::follows($user->profile_id, $status['account']['id'])) {
@ -2780,6 +2829,10 @@ class ApiV1Controller extends Controller
        $status = Status::findOrFail($id);
        $account = AccountService::get($status->profile_id, true);
        abort_if(!$account, 404);
+        if($account && strpos($account['acct'], '@') != -1) {
+            $domain = parse_url($account['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
        $author = intval($status->profile_id) === intval($pid) || $user->is_admin;
        $napi = $request->has(self::PF_API_ENTITY_KEY);

@ -2871,6 +2924,10 @@ class ApiV1Controller extends Controller
        $pid = $user->profile_id;
        $status = Status::findOrFail($id);
        $account = AccountService::get($status->profile_id, true);
+        if($account && strpos($account['acct'], '@') != -1) {
+            $domain = parse_url($account['url'], PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
        abort_if(!$account, 404);
        $author = intval($status->profile_id) === intval($pid) || $user->is_admin;
        $napi = $request->has(self::PF_API_ENTITY_KEY);
@ -3200,7 +3257,11 @@ class ApiV1Controller extends Controller
        abort_if($user->has_roles && !UserRoleService::can('can-share', $user->id), 403, 'Invalid permissions for this action');
        AccountService::setLastActive($user->id);
        $status = Status::whereScope('public')->findOrFail($id);
-
+        if($status && ($status->uri || $status->url || $status->object_url)) {
+            $url = $status->uri ?? $status->url ?? $status->object_url;
+            $domain = parse_url($url, PHP_URL_HOST);
+            abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
+        }
        if(intval($status->profile_id) !== intval($user->profile_id)) {
            if($status->scope == 'private') {
                abort_if(!FollowerService::follows($user->profile_id, $status->profile_id), 403);