From 66f2925348b2324ff952ce650ac13d8e6eb6b33e Mon Sep 17 00:00:00 2001
From: Arpit Jalan <arpit@techapj.com>
Date: Thu, 31 Aug 2017 23:44:54 +0530
Subject: [PATCH] SECURITY: do not include links from whispers in topic summary
 map

https://meta.discourse.org/t/staff-whispers-links-in-whispers-showing-up-publicly-in-topics-summary/69134?u=techapj
---
 app/models/topic_link.rb                              |  2 +-
 .../20170831180419_remove_whisper_topic_links.rb      | 11 +++++++++++
 spec/models/topic_link_spec.rb                        |  7 +++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 db/migrate/20170831180419_remove_whisper_topic_links.rb

diff --git a/app/models/topic_link.rb b/app/models/topic_link.rb
index b4b5caf236a..633aca2fe7a 100644
--- a/app/models/topic_link.rb
+++ b/app/models/topic_link.rb
@@ -105,7 +105,7 @@ SQL
 
   # Extract any urls in body
   def self.extract_from(post)
-    return unless post.present?
+    return unless post.present? && !post.whisper?
 
     added_urls = []
     TopicLink.transaction do
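Review bot: The new guard `return unless post.present? && !post.whisper?` only suppresses extraction at the moment the post is processed; if a post's type is changed afterwards (a regular post converted to a whisper), links already written for it stay in topic_links, and the one-off migration in this patch only removes rows that exist at deploy time. Whether the conversion paths re-run extract_from is not visible here, so it is worth confirming that the whisper check is also applied wherever post_type is updated, or that topic_map/counts_for filter on post type at read time. A short comment on the guard would help the next reader, e.g. `# Whispers are staff-only; never surface their links in the public topic map`. extract_from's body continues past the end of this hunk.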
diff --git a/db/migrate/20170831180419_remove_whisper_topic_links.rb b/db/migrate/20170831180419_remove_whisper_topic_links.rb
new file mode 100644
index 00000000000..c9798c59f0c
--- /dev/null
+++ b/db/migrate/20170831180419_remove_whisper_topic_links.rb
@@ -0,0 +1,11 @@
+class RemoveWhisperTopicLinks < ActiveRecord::Migration
+  def change
+    execute <<-SQL
+      DELETE FROM topic_links
+       USING topic_links tl
+   LEFT JOIN posts p ON p.id = tl.post_id
+       WHERE p.post_type = 4
+         AND topic_links.id = tl.id
+    SQL
+  end
+end
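Review bot: The `LEFT JOIN posts p ON p.id = tl.post_id` is effectively an inner join, because the WHERE clause requires `p.post_type = 4` and so discards any row whose post is missing; a plain `JOIN` states the intent. The literal `4` is presumably `Post.types[:whisper]` (the spec in this patch uses that constant), so add a SQL comment such as `-- 4 = Post.types[:whisper]` to make the magic number traceable. Since the body is a raw `execute`, this migration cannot be reversed and ActiveRecord will raise on rollback; `def up` is more honest than `def change` here.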
diff --git a/spec/models/topic_link_spec.rb b/spec/models/topic_link_spec.rb
index 9601a996aa7..64b5a694011 100644
--- a/spec/models/topic_link_spec.rb
+++ b/spec/models/topic_link_spec.rb
@@ -349,6 +349,13 @@ http://b.com/#{'a' * 500}
         expect(TopicLink.counts_for(Guardian.new(admin), post.topic, [post]).length).to eq(1)
       end
 
+      it 'does not include links from whisper' do
+        url = "https://blog.codinghorror.com/hacker-hack-thyself/"
+        post = Fabricate(:post, raw: "whisper post... #{url}", post_type: Post.types[:whisper])
+        TopicLink.extract_from(post)
+
+        expect(TopicLink.topic_map(Guardian.new, post.topic_id).count).to eq(0)
+      end
     end
 
     describe ".duplicate_lookup" do