SECURITY: do not include links from whispers in topic summary map

https://meta.discourse.org/t/staff-whispers-links-in-whispers-showing-up-publicly-in-topics-summary/69134?u=techapj
2017-08-31 23:44:54 +05:30 · 2017-08-31 23:44:54 +05:30 · 66f2925348
parent ef0f346eec
commit 66f2925348
3 changed files with 19 additions and 1 deletions
--- a/app/models/topic_link.rb
+++ b/app/models/topic_link.rb
@ -105,7 +105,7 @@ SQL

  # Extract any urls in body
  def self.extract_from(post)
-    return unless post.present?
+    return unless post.present? && !post.whisper?

    added_urls = []
    TopicLink.transaction do
--- a/db/migrate/20170831180419_remove_whisper_topic_links.rb
+++ b/db/migrate/20170831180419_remove_whisper_topic_links.rb
@ -0,0 +1,11 @@
+class RemoveWhisperTopicLinks < ActiveRecord::Migration
+  def change
+    execute <<-SQL
+      DELETE FROM topic_links
+       USING topic_links tl
+   LEFT JOIN posts p ON p.id = tl.post_id
+       WHERE p.post_type = 4
+         AND topic_links.id = tl.id
+    SQL
+  end
+end
--- a/spec/models/topic_link_spec.rb
+++ b/spec/models/topic_link_spec.rb
@ -349,6 +349,13 @@ http://b.com/#{'a' * 500}
        expect(TopicLink.counts_for(Guardian.new(admin), post.topic, [post]).length).to eq(1)
      end

+      it 'does not include links from whisper' do
+        url = "https://blog.codinghorror.com/hacker-hack-thyself/"
+        post = Fabricate(:post, raw: "whisper post... #{url}", post_type: Post.types[:whisper])
+        TopicLink.extract_from(post)
+
+        expect(TopicLink.topic_map(Guardian.new, post.topic_id).count).to eq(0)
+      end
    end

    describe ".duplicate_lookup" do