Sanitize html (#3708)

[lemmy.git] / crates / apub / src / objects / instance.rs

diff --git a/crates/apub/src/objects/instance.rs b/crates/apub/src/objects/instance.rs
index 8fa3976ac6b1c0e6e58cb868451a7bd5c34bcdd2..52fc210b069c945a13a13edc51633c37a7d4dd78 100644 (file)
--- a/crates/apub/src/objects/instance.rs
+++ b/crates/apub/src/objects/instance.rs
@@ -1,24 +1,25 @@
 use crate::{
   check_apub_id_valid_with_strictness,
-  fetch_local_site_data,
-  local_instance,
+  local_site_data_cached,
   objects::read_from_string_or_source_opt,
   protocol::{
     objects::{instance::Instance, LanguageTag},
     ImageObject,
     Source,
   },
-  ActorType,
 };
 use activitypub_federation::{
-  core::object_id::ObjectId,
-  deser::values::MediaTypeHtml,
-  traits::{Actor, ApubObject},
-  utils::verify_domains_match,
+  config::Data,
+  fetch::object_id::ObjectId,
+  kinds::actor::ApplicationType,
+  protocol::{values::MediaTypeHtml, verification::verify_domains_match},
+  traits::{Actor, Object},
 };
-use activitystreams_kinds::actor::ApplicationType;
 use chrono::NaiveDateTime;
-use lemmy_api_common::{context::LemmyContext, utils::local_site_opt_to_slur_regex};
+use lemmy_api_common::{
+  context::LemmyContext,
+  utils::{local_site_opt_to_slur_regex, sanitize_html_opt},
+};
 use lemmy_db_schema::{
   newtypes::InstanceId,
   source::{
@@ -57,11 +58,10 @@ impl From<Site> for ApubSite {
   }
 }
 
-#[async_trait::async_trait(?Send)]
-impl ApubObject for ApubSite {
+#[async_trait::async_trait]
+impl Object for ApubSite {
   type DataType = LemmyContext;
-  type ApubType = Instance;
-  type DbType = Site;
+  type Kind = Instance;
   type Error = LemmyError;
 
   fn last_refreshed_at(&self) -> Option<NaiveDateTime> {
@@ -69,30 +69,30 @@ impl ApubObject for ApubSite {
   }
 
   #[tracing::instrument(skip_all)]
-  async fn read_from_apub_id(
+  async fn read_from_id(
     object_id: Url,
-    data: &Self::DataType,
+    data: &Data<Self::DataType>,
   ) -> Result<Option<Self>, LemmyError> {
     Ok(
-      Site::read_from_apub_id(data.pool(), object_id)
+      Site::read_from_apub_id(&mut data.pool(), &object_id.into())
         .await?
         .map(Into::into),
     )
   }
 
-  async fn delete(self, _data: &Self::DataType) -> Result<(), LemmyError> {
+  async fn delete(self, _data: &Data<Self::DataType>) -> Result<(), LemmyError> {
     unimplemented!()
   }
 
   #[tracing::instrument(skip_all)]
-  async fn into_apub(self, data: &Self::DataType) -> Result<Self::ApubType, LemmyError> {
+  async fn into_json(self, data: &Data<Self::DataType>) -> Result<Self::Kind, LemmyError> {
     let site_id = self.id;
-    let langs = SiteLanguage::read(data.pool(), site_id).await?;
-    let language = LanguageTag::new_multiple(langs, data.pool()).await?;
+    let langs = SiteLanguage::read(&mut data.pool(), site_id).await?;
+    let language = LanguageTag::new_multiple(langs, &mut data.pool()).await?;
 
     let instance = Instance {
       kind: ApplicationType::Application,
-      id: ObjectId::new(self.actor_id()),
+      id: self.id().into(),
       name: self.name.clone(),
       content: self.sidebar.as_ref().map(|d| markdown_to_html(d)),
       source: self.sidebar.clone().map(Source::new),
@@ -102,7 +102,7 @@ impl ApubObject for ApubSite {
       image: self.banner.clone().map(ImageObject::new),
       inbox: self.inbox_url.clone().into(),
       outbox: Url::parse(&format!("{}/site_outbox", self.actor_id))?,
-      public_key: self.get_public_key(),
+      public_key: self.public_key(),
       language,
       published: convert_datetime(self.published),
       updated: self.updated.map(convert_datetime),
@@ -112,39 +112,37 @@ impl ApubObject for ApubSite {
 
   #[tracing::instrument(skip_all)]
   async fn verify(
-    apub: &Self::ApubType,
+    apub: &Self::Kind,
     expected_domain: &Url,
-    data: &Self::DataType,
-    _request_counter: &mut i32,
+    data: &Data<Self::DataType>,
   ) -> Result<(), LemmyError> {
-    let local_site_data = fetch_local_site_data(data.pool()).await?;
-
-    check_apub_id_valid_with_strictness(apub.id.inner(), true, &local_site_data, data.settings())?;
+    check_apub_id_valid_with_strictness(apub.id.inner(), true, data).await?;
     verify_domains_match(expected_domain, apub.id.inner())?;
 
+    let local_site_data = local_site_data_cached(&mut data.pool()).await?;
     let slur_regex = &local_site_opt_to_slur_regex(&local_site_data.local_site);
-
     check_slurs(&apub.name, slur_regex)?;
     check_slurs_opt(&apub.summary, slur_regex)?;
+
     Ok(())
   }
 
   #[tracing::instrument(skip_all)]
-  async fn from_apub(
-    apub: Self::ApubType,
-    data: &Self::DataType,
-    _request_counter: &mut i32,
-  ) -> Result<Self, LemmyError> {
+  async fn from_json(apub: Self::Kind, data: &Data<Self::DataType>) -> Result<Self, LemmyError> {
     let domain = apub.id.inner().domain().expect("group id has domain");
-    let instance = DbInstance::read_or_create(data.pool(), domain.to_string()).await?;
+    let instance = DbInstance::read_or_create(&mut data.pool(), domain.to_string()).await?;
+
+    let sidebar = read_from_string_or_source_opt(&apub.content, &None, &apub.source);
+    let sidebar = sanitize_html_opt(&sidebar);
+    let description = sanitize_html_opt(&apub.summary);
 
     let site_form = SiteInsertForm {
       name: apub.name.clone(),
-      sidebar: read_from_string_or_source_opt(&apub.content, &None, &apub.source),
+      sidebar,
       updated: apub.updated.map(|u| u.clone().naive_local()),
       icon: apub.icon.clone().map(|i| i.url.into()),
       banner: apub.image.clone().map(|i| i.url.into()),
-      description: apub.summary.clone(),
+      description,
       actor_id: Some(apub.id.clone().into()),
       last_refreshed_at: Some(naive_now()),
       inbox_url: Some(apub.inbox.clone().into()),
@@ -152,28 +150,27 @@ impl ApubObject for ApubSite {
       private_key: None,
       instance_id: instance.id,
     };
-    let languages = LanguageTag::to_language_id_multiple(apub.language, data.pool()).await?;
+    let languages = LanguageTag::to_language_id_multiple(apub.language, &mut data.pool()).await?;
 
-    let site = Site::create(data.pool(), &site_form).await?;
-    SiteLanguage::update(data.pool(), languages, &site).await?;
+    let site = Site::create(&mut data.pool(), &site_form).await?;
+    SiteLanguage::update(&mut data.pool(), languages, &site).await?;
     Ok(site.into())
   }
 }
 
-impl ActorType for ApubSite {
-  fn actor_id(&self) -> Url {
-    self.actor_id.clone().into()
-  }
-  fn private_key(&self) -> Option<String> {
-    self.private_key.clone()
+impl Actor for ApubSite {
+  fn id(&self) -> Url {
+    self.actor_id.inner().clone()
   }
-}
 
-impl Actor for ApubSite {
-  fn public_key(&self) -> &str {
+  fn public_key_pem(&self) -> &str {
     &self.public_key
   }
 
+  fn private_key_pem(&self) -> Option<String> {
+    self.private_key.clone()
+  }
+
   fn inbox(&self) -> Url {
     self.inbox_url.clone().into()
   }
@@ -182,13 +179,12 @@ impl Actor for ApubSite {
 /// Try to fetch the instance actor (to make things like instance rules available).
 pub(in crate::objects) async fn fetch_instance_actor_for_object<T: Into<Url> + Clone>(
   object_id: &T,
-  context: &LemmyContext,
-  request_counter: &mut i32,
+  context: &Data<LemmyContext>,
 ) -> Result<InstanceId, LemmyError> {
   let object_id: Url = object_id.clone().into();
   let instance_id = Site::instance_actor_id_from_url(object_id);
-  let site = ObjectId::<ApubSite>::new(instance_id.clone())
-    .dereference(context, local_instance(context).await, request_counter)
+  let site = ObjectId::<ApubSite>::from(instance_id.clone())
+    .dereference(context)
     .await;
   match site {
     Ok(s) => Ok(s.instance_id),
@@ -197,7 +193,7 @@ pub(in crate::objects) async fn fetch_instance_actor_for_object<T: Into<Url> + C
       debug!("Failed to dereference site for {}: {}", &instance_id, e);
       let domain = instance_id.domain().expect("has domain");
       Ok(
-        DbInstance::read_or_create(context.pool(), domain.to_string())
+        DbInstance::read_or_create(&mut context.pool(), domain.to_string())
           .await?
           .id,
       )
@@ -205,7 +201,7 @@ pub(in crate::objects) async fn fetch_instance_actor_for_object<T: Into<Url> + C
   }
 }
 
-pub(crate) async fn remote_instance_inboxes(pool: &DbPool) -> Result<Vec<Url>, LemmyError> {
+pub(crate) async fn remote_instance_inboxes(pool: &mut DbPool<'_>) -> Result<Vec<Url>, LemmyError> {
   Ok(
     Site::read_remote_sites(pool)
       .await?
@@ -217,26 +213,24 @@ pub(crate) async fn remote_instance_inboxes(pool: &DbPool) -> Result<Vec<Url>, L
 
 #[cfg(test)]
 pub(crate) mod tests {
+  #![allow(clippy::unwrap_used)]
+  #![allow(clippy::indexing_slicing)]
+
   use super::*;
   use crate::{objects::tests::init_context, protocol::tests::file_to_json_object};
   use lemmy_db_schema::traits::Crud;
   use serial_test::serial;
 
-  pub(crate) async fn parse_lemmy_instance(context: &LemmyContext) -> ApubSite {
+  pub(crate) async fn parse_lemmy_instance(context: &Data<LemmyContext>) -> ApubSite {
     let json: Instance = file_to_json_object("assets/lemmy/objects/instance.json").unwrap();
     let id = Url::parse("https://enterprise.lemmy.ml/").unwrap();
-    let mut request_counter = 0;
-    ApubSite::verify(&json, &id, context, &mut request_counter)
-      .await
-      .unwrap();
-    let site = ApubSite::from_apub(json, context, &mut request_counter)
-      .await
-      .unwrap();
-    assert_eq!(request_counter, 0);
+    ApubSite::verify(&json, &id, context).await.unwrap();
+    let site = ApubSite::from_json(json, context).await.unwrap();
+    assert_eq!(context.request_count(), 0);
     site
   }
 
-  #[actix_rt::test]
+  #[tokio::test]
   #[serial]
   async fn test_parse_lemmy_instance() {
     let context = init_context().await;
@@ -245,6 +239,6 @@ pub(crate) mod tests {
     assert_eq!(site.name, "Enterprise");
     assert_eq!(site.description.as_ref().unwrap().len(), 15);
 
-    Site::delete(context.pool(), site.id).await.unwrap();
+    Site::delete(&mut context.pool(), site.id).await.unwrap();
   }
 }