2019-03-28 12:39:10 +03:00
|
|
|
# Pleroma: A lightweight social networking server
|
2021-01-13 07:49:20 +01:00
|
|
|
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
|
2019-03-28 12:39:10 +03:00
|
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
|
|
|
defmodule Pleroma.ScheduledActivity do
|
|
|
|
use Ecto.Schema
|
|
|
|
|
2019-12-03 21:30:10 +03:00
|
|
|
alias Ecto.Multi
|
2019-04-02 01:31:01 +03:00
|
|
|
alias Pleroma.Config
|
2019-03-28 12:39:10 +03:00
|
|
|
alias Pleroma.Repo
|
|
|
|
alias Pleroma.ScheduledActivity
|
|
|
|
alias Pleroma.User
|
2019-04-02 01:31:01 +03:00
|
|
|
alias Pleroma.Web.CommonAPI.Utils
|
2019-12-03 21:30:10 +03:00
|
|
|
alias Pleroma.Workers.ScheduledActivityWorker
|
2019-03-28 12:39:10 +03:00
|
|
|
|
|
|
|
import Ecto.Query
|
|
|
|
import Ecto.Changeset
|
|
|
|
|
2019-12-04 09:53:01 +03:00
|
|
|
@type t :: %__MODULE__{}
|
|
|
|
|
2019-03-30 12:58:40 +03:00
|
|
|
@min_offset :timer.minutes(5)
|
|
|
|
|
2019-03-28 12:39:10 +03:00
|
|
|
schema "scheduled_activities" do
|
2019-09-18 21:54:31 +07:00
|
|
|
belongs_to(:user, User, type: FlakeId.Ecto.CompatType)
|
2019-03-28 12:39:10 +03:00
|
|
|
field(:scheduled_at, :naive_datetime)
|
|
|
|
field(:params, :map)
|
|
|
|
|
|
|
|
timestamps()
|
|
|
|
end
|
|
|
|
|
2024-04-23 23:09:41 +02:00
|
|
|
defp changeset(%ScheduledActivity{} = scheduled_activity, attrs) do
|
2019-03-28 12:39:10 +03:00
|
|
|
scheduled_activity
|
|
|
|
|> cast(attrs, [:scheduled_at, :params])
|
2019-04-02 01:31:01 +03:00
|
|
|
|> validate_required([:scheduled_at, :params])
|
|
|
|
|> validate_scheduled_at()
|
|
|
|
|> with_media_attachments()
|
2019-03-28 12:39:10 +03:00
|
|
|
end
|
|
|
|
|
2019-04-02 01:31:01 +03:00
|
|
|
defp with_media_attachments(
|
|
|
|
%{changes: %{params: %{"media_ids" => media_ids} = params}} = changeset
|
|
|
|
)
|
|
|
|
when is_list(media_ids) do
|
Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)
Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.
E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:
17.465.096 at t0
17.472.673 at t1 = t0 + 4h
17.473.248 at t2 = t1 + 20min
This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.
Thus restrict media usage to owners.
Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.
Independently discovered and fixed by mint in Pleroma
https://git.pleroma.social/pleroma/pleroma/-/commit/1afde067b12ad0062c1820091ea9b0a680819281
2024-04-24 17:46:18 +02:00
|
|
|
user = User.get_by_id(changeset.data.user_id)
|
2019-04-02 01:31:01 +03:00
|
|
|
|
Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)
Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.
E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:
17.465.096 at t0
17.472.673 at t1 = t0 + 4h
17.473.248 at t2 = t1 + 20min
This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.
Thus restrict media usage to owners.
Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.
Independently discovered and fixed by mint in Pleroma
https://git.pleroma.social/pleroma/pleroma/-/commit/1afde067b12ad0062c1820091ea9b0a680819281
2024-04-24 17:46:18 +02:00
|
|
|
case Utils.attachments_from_ids(user, %{media_ids: media_ids}) do
|
|
|
|
media_attachments when is_list(media_attachments) ->
|
|
|
|
params =
|
|
|
|
params
|
|
|
|
|> Map.put("media_attachments", media_attachments)
|
|
|
|
|> Map.put("media_ids", media_ids)
|
2019-04-02 01:31:01 +03:00
|
|
|
|
Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)
Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.
E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:
17.465.096 at t0
17.472.673 at t1 = t0 + 4h
17.473.248 at t2 = t1 + 20min
This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.
Thus restrict media usage to owners.
Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.
Independently discovered and fixed by mint in Pleroma
https://git.pleroma.social/pleroma/pleroma/-/commit/1afde067b12ad0062c1820091ea9b0a680819281
2024-04-24 17:46:18 +02:00
|
|
|
put_change(changeset, :params, params)
|
|
|
|
|
|
|
|
{:error, _} = e ->
|
|
|
|
e
|
|
|
|
|
|
|
|
e ->
|
|
|
|
{:error, e}
|
|
|
|
end
|
2019-04-02 01:31:01 +03:00
|
|
|
end
|
|
|
|
|
|
|
|
defp with_media_attachments(changeset), do: changeset
|
|
|
|
|
2024-04-23 23:09:41 +02:00
|
|
|
defp update_changeset(%ScheduledActivity{} = scheduled_activity, attrs) do
|
Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)
Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.
E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:
17.465.096 at t0
17.472.673 at t1 = t0 + 4h
17.473.248 at t2 = t1 + 20min
This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.
Thus restrict media usage to owners.
Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.
Independently discovered and fixed by mint in Pleroma
https://git.pleroma.social/pleroma/pleroma/-/commit/1afde067b12ad0062c1820091ea9b0a680819281
2024-04-24 17:46:18 +02:00
|
|
|
# note: should this ever allow swapping media attachments, make sure ownership is checked
|
2019-03-28 12:39:10 +03:00
|
|
|
scheduled_activity
|
|
|
|
|> cast(attrs, [:scheduled_at])
|
2019-04-02 01:31:01 +03:00
|
|
|
|> validate_required([:scheduled_at])
|
|
|
|
|> validate_scheduled_at()
|
|
|
|
end
|
|
|
|
|
2024-04-23 23:09:41 +02:00
|
|
|
defp validate_scheduled_at(changeset) do
|
2019-04-02 01:31:01 +03:00
|
|
|
validate_change(changeset, :scheduled_at, fn _, scheduled_at ->
|
|
|
|
cond do
|
|
|
|
not far_enough?(scheduled_at) ->
|
|
|
|
[scheduled_at: "must be at least 5 minutes from now"]
|
|
|
|
|
|
|
|
exceeds_daily_user_limit?(changeset.data.user_id, scheduled_at) ->
|
|
|
|
[scheduled_at: "daily limit exceeded"]
|
|
|
|
|
|
|
|
exceeds_total_user_limit?(changeset.data.user_id) ->
|
|
|
|
[scheduled_at: "total limit exceeded"]
|
|
|
|
|
|
|
|
true ->
|
|
|
|
[]
|
|
|
|
end
|
|
|
|
end)
|
|
|
|
end
|
|
|
|
|
2024-04-23 23:09:41 +02:00
|
|
|
defp exceeds_daily_user_limit?(user_id, scheduled_at) do
|
2019-04-02 01:31:01 +03:00
|
|
|
ScheduledActivity
|
|
|
|
|> where(user_id: ^user_id)
|
2019-04-03 18:55:04 +03:00
|
|
|
|> where([sa], type(sa.scheduled_at, :date) == type(^scheduled_at, :date))
|
|
|
|
|> select([sa], count(sa.id))
|
2019-04-02 01:31:01 +03:00
|
|
|
|> Repo.one()
|
|
|
|
|> Kernel.>=(Config.get([ScheduledActivity, :daily_user_limit]))
|
|
|
|
end
|
|
|
|
|
2024-04-23 23:09:41 +02:00
|
|
|
defp exceeds_total_user_limit?(user_id) do
|
2019-04-02 01:31:01 +03:00
|
|
|
ScheduledActivity
|
|
|
|
|> where(user_id: ^user_id)
|
2019-04-03 18:55:04 +03:00
|
|
|
|> select([sa], count(sa.id))
|
2019-04-02 01:31:01 +03:00
|
|
|
|> Repo.one()
|
|
|
|
|> Kernel.>=(Config.get([ScheduledActivity, :total_user_limit]))
|
2019-03-28 12:39:10 +03:00
|
|
|
end
|
2019-03-30 12:58:40 +03:00
|
|
|
|
|
|
|
def far_enough?(scheduled_at) when is_binary(scheduled_at) do
|
|
|
|
with {:ok, scheduled_at} <- Ecto.Type.cast(:naive_datetime, scheduled_at) do
|
|
|
|
far_enough?(scheduled_at)
|
|
|
|
else
|
|
|
|
_ -> false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def far_enough?(scheduled_at) do
|
|
|
|
now = NaiveDateTime.utc_now()
|
|
|
|
diff = NaiveDateTime.diff(scheduled_at, now, :millisecond)
|
|
|
|
diff > @min_offset
|
|
|
|
end
|
2019-03-28 12:39:10 +03:00
|
|
|
|
2024-04-23 23:09:41 +02:00
|
|
|
defp new(%User{} = user, attrs) do
|
2019-12-03 21:30:10 +03:00
|
|
|
changeset(%ScheduledActivity{user_id: user.id}, attrs)
|
2019-03-28 12:39:10 +03:00
|
|
|
end
|
|
|
|
|
2019-12-03 21:30:10 +03:00
|
|
|
@doc """
|
|
|
|
Creates ScheduledActivity and add to queue to perform at scheduled_at date
|
|
|
|
"""
|
Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)
Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.
E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:
17.465.096 at t0
17.472.673 at t1 = t0 + 4h
17.473.248 at t2 = t1 + 20min
This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.
Thus restrict media usage to owners.
Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.
Independently discovered and fixed by mint in Pleroma
https://git.pleroma.social/pleroma/pleroma/-/commit/1afde067b12ad0062c1820091ea9b0a680819281
2024-04-24 17:46:18 +02:00
|
|
|
@spec create(User.t(), map()) :: {:ok, ScheduledActivity.t()} | {:error, any()}
|
2019-03-28 12:39:10 +03:00
|
|
|
def create(%User{} = user, attrs) do
|
Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)
Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.
E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:
17.465.096 at t0
17.472.673 at t1 = t0 + 4h
17.473.248 at t2 = t1 + 20min
This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.
Thus restrict media usage to owners.
Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.
Independently discovered and fixed by mint in Pleroma
https://git.pleroma.social/pleroma/pleroma/-/commit/1afde067b12ad0062c1820091ea9b0a680819281
2024-04-24 17:46:18 +02:00
|
|
|
case new(user, attrs) do
|
|
|
|
%Ecto.Changeset{} = sched_data ->
|
|
|
|
Multi.new()
|
|
|
|
|> Multi.insert(:scheduled_activity, sched_data)
|
|
|
|
|> maybe_add_jobs(Config.get([ScheduledActivity, :enabled]))
|
|
|
|
|> Repo.transaction()
|
|
|
|
|> transaction_response
|
|
|
|
|
|
|
|
{:error, _} = e ->
|
|
|
|
e
|
|
|
|
|
|
|
|
e ->
|
|
|
|
{:error, e}
|
|
|
|
end
|
2019-03-28 12:39:10 +03:00
|
|
|
end
|
|
|
|
|
2019-12-04 21:18:05 +03:00
|
|
|
defp maybe_add_jobs(multi, true) do
|
|
|
|
multi
|
|
|
|
|> Multi.run(:scheduled_activity_job, fn _repo, %{scheduled_activity: activity} ->
|
|
|
|
%{activity_id: activity.id}
|
|
|
|
|> ScheduledActivityWorker.new(scheduled_at: activity.scheduled_at)
|
|
|
|
|> Oban.insert()
|
|
|
|
end)
|
|
|
|
end
|
|
|
|
|
|
|
|
defp maybe_add_jobs(multi, _), do: multi
|
|
|
|
|
2019-03-28 12:39:10 +03:00
|
|
|
def get(%User{} = user, scheduled_activity_id) do
|
|
|
|
ScheduledActivity
|
|
|
|
|> where(user_id: ^user.id)
|
|
|
|
|> where(id: ^scheduled_activity_id)
|
|
|
|
|> Repo.one()
|
|
|
|
end
|
|
|
|
|
2019-12-03 21:30:10 +03:00
|
|
|
@spec update(ScheduledActivity.t(), map()) ::
|
|
|
|
{:ok, ScheduledActivity.t()} | {:error, Ecto.Changeset.t()}
|
|
|
|
def update(%ScheduledActivity{id: id} = scheduled_activity, attrs) do
|
|
|
|
with {:error, %Ecto.Changeset{valid?: true} = changeset} <-
|
|
|
|
{:error, update_changeset(scheduled_activity, attrs)} do
|
|
|
|
Multi.new()
|
|
|
|
|> Multi.update(:scheduled_activity, changeset)
|
|
|
|
|> Multi.update_all(:scheduled_job, job_query(id),
|
2020-01-23 11:05:08 +03:00
|
|
|
set: [scheduled_at: get_field(changeset, :scheduled_at)]
|
2019-12-03 21:30:10 +03:00
|
|
|
)
|
|
|
|
|> Repo.transaction()
|
2020-01-23 17:18:23 +03:00
|
|
|
|> transaction_response
|
2019-12-03 21:30:10 +03:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-01-23 17:18:23 +03:00
|
|
|
@doc "Deletes a ScheduledActivity and linked jobs."
|
|
|
|
@spec delete(ScheduledActivity.t() | binary() | integer) ::
|
|
|
|
{:ok, ScheduledActivity.t()} | {:error, Ecto.Changeset.t()}
|
|
|
|
def delete(%ScheduledActivity{id: id} = scheduled_activity) do
|
|
|
|
Multi.new()
|
|
|
|
|> Multi.delete(:scheduled_activity, scheduled_activity, stale_error_field: :id)
|
|
|
|
|> Multi.delete_all(:jobs, job_query(id))
|
|
|
|
|> Repo.transaction()
|
|
|
|
|> transaction_response
|
2019-03-28 12:39:10 +03:00
|
|
|
end
|
|
|
|
|
2020-01-23 17:18:23 +03:00
|
|
|
def delete(id) when is_binary(id) or is_integer(id) do
|
|
|
|
delete(%__MODULE__{id: id})
|
2019-03-28 12:39:10 +03:00
|
|
|
end
|
|
|
|
|
2020-01-23 17:18:23 +03:00
|
|
|
defp transaction_response(result) do
|
|
|
|
case result do
|
|
|
|
{:ok, %{scheduled_activity: scheduled_activity}} ->
|
|
|
|
{:ok, scheduled_activity}
|
|
|
|
|
|
|
|
{:error, _, changeset, _} ->
|
|
|
|
{:error, changeset}
|
2019-04-03 18:55:04 +03:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-03-28 12:39:10 +03:00
|
|
|
def for_user_query(%User{} = user) do
|
|
|
|
ScheduledActivity
|
|
|
|
|> where(user_id: ^user.id)
|
|
|
|
end
|
2019-04-03 18:55:04 +03:00
|
|
|
|
2024-04-23 23:09:41 +02:00
|
|
|
defp job_query(scheduled_activity_id) do
|
2019-12-03 21:30:10 +03:00
|
|
|
from(j in Oban.Job,
|
|
|
|
where: j.queue == "scheduled_activities",
|
|
|
|
where: fragment("args ->> 'activity_id' = ?::text", ^to_string(scheduled_activity_id))
|
|
|
|
)
|
|
|
|
end
|
2019-03-28 12:39:10 +03:00
|
|
|
end
|