fix: guard against negative uids crossposting

Julian Lam
2026-01-12 14:07:45 -05:00
parent 943b53b0bc
commit 2f96eed4af
2 changed files with 17 additions and 0 deletions


@@ -37,6 +37,13 @@ Crossposts.get = async function (tid) {
};
Crossposts.add = async function (tid, cid, uid) {
console.log('ADD WAS CALLED!!', tid, cid, uid);
return;
/**
* NOTE: If uid is 0, the assumption is that it is a "system" crosspost, not a guest!
* (Normally guest uid is 0)
*/
// Target cid must exist
if (!utils.isNumber(cid)) {
await activitypub.actors.assert(cid);
@@ -45,6 +52,9 @@ Crossposts.add = async function (tid, cid, uid) {
if (!exists) {
throw new Error('[[error:invalid-cid]]');
}
if (uid < 0) {
throw new Error('[[error:invalid-uid]]');
}
const crossposts = await Crossposts.get(tid);
const crosspostedCids = crossposts.map(crosspost => String(crosspost.cid));
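Review bot: As shown, `Crossposts.add` now opens with `console.log('ADD WAS CALLED!!', tid, cid, uid);` followed by an unconditional `return;`, so nothing after it runs, including the `uid < 0` guard this commit adds, and the function resolves with `undefined` instead of rejecting. Those two lines look like leftover debugging and should be removed; with them in place the new spider test, which expects a rejection with `[[error:invalid-uid]]`, cannot pass. Separately, the guard sits after the `activitypub.actors.assert(cid)` call and the cid existence check, so a negative uid still triggers that work before it is rejected; moving `if (uid < 0) { throw new Error('[[error:invalid-uid]]'); }` to the top of the function would refuse the caller first. The comparison also lets non-numeric values such as `undefined` through, which is worth confirming against the uid 0 "system" convention described in the comment. The body of `Crossposts.add` continues past the end of this hunk.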


@@ -84,6 +84,13 @@ describe('Crossposting (& related logic)', () => {
tid = topicData.tid;
});
it('should not allow a spider (uid -1) to crosspost', async () => {
await assert.rejects(
topics.crossposts.add(tid, cid2, -1),
{ message: '[[error:invalid-uid]]' }
);
});
it('should successfully crosspost to another cid', async () => {
const crossposts = await topics.crossposts.add(tid, cid2, uid);