[bugfix] Fix potential dereference of accounts on own instance (#757)

* add GetAccountByUsernameDomain * simplify search * add escape to not deref accounts on own domain * check if local + we have account by ap uri
2025-11-27 21:03:33 -06:00 · 2022-08-20 22:47:19 +02:00 · 2022-08-20 22:47:19 +02:00 · 570fa7c359
commit 570fa7c359
parent 2ca234f42e
8 changed files with 243 additions and 92 deletions
--- a/internal/db/account.go
+++ b/internal/db/account.go
@ -36,6 +36,9 @@ type Account interface {
 	// GetAccountByURL returns one account with the given URL, or an error if something goes wrong.
 	GetAccountByURL(ctx context.Context, uri string) (*gtsmodel.Account, Error)

+	// GetAccountByUsernameDomain returns one account with the given username and domain, or an error if something goes wrong.
+	GetAccountByUsernameDomain(ctx context.Context, username string, domain string) (*gtsmodel.Account, Error)
+
 	// UpdateAccount updates one account by ID.
 	UpdateAccount(ctx context.Context, account *gtsmodel.Account) (*gtsmodel.Account, Error)

--- a/internal/db/bundb/account.go
+++ b/internal/db/bundb/account.go
@ -84,6 +84,26 @@ func (a *accountDB) GetAccountByURL(ctx context.Context, url string) (*gtsmodel.
 	)
 }

+func (a *accountDB) GetAccountByUsernameDomain(ctx context.Context, username string, domain string) (*gtsmodel.Account, db.Error) {
+	return a.getAccount(
+		ctx,
+		func() (*gtsmodel.Account, bool) {
+			return a.cache.GetByUsernameDomain(username, domain)
+		},
+		func(account *gtsmodel.Account) error {
+			q := a.newAccountQ(account).Where("account.username = ?", username)
+
+			if domain != "" {
+				q = q.Where("account.domain = ?", domain)
+			} else {
+				q = q.Where("account.domain IS NULL")
+			}
+
+			return q.Scan(ctx)
+		},
+	)
+}
+
 func (a *accountDB) getAccount(ctx context.Context, cacheGet func() (*gtsmodel.Account, bool), dbQuery func(*gtsmodel.Account) error) (*gtsmodel.Account, db.Error) {
 	// Attempt to fetch cached account
 	account, cached := cacheGet()
--- a/internal/db/bundb/account_test.go
+++ b/internal/db/bundb/account_test.go
@ -58,6 +58,18 @@ func (suite *AccountTestSuite) TestGetAccountByIDWithExtras() {
 	suite.NotEmpty(account.HeaderMediaAttachment.URL)
 }

+func (suite *AccountTestSuite) TestGetAccountByUsernameDomain() {
+	testAccount1 := suite.testAccounts["local_account_1"]
+	account1, err := suite.db.GetAccountByUsernameDomain(context.Background(), testAccount1.Username, testAccount1.Domain)
+	suite.NoError(err)
+	suite.NotNil(account1)
+
+	testAccount2 := suite.testAccounts["remote_account_1"]
+	account2, err := suite.db.GetAccountByUsernameDomain(context.Background(), testAccount2.Username, testAccount2.Domain)
+	suite.NoError(err)
+	suite.NotNil(account2)
+}
+
 func (suite *AccountTestSuite) TestUpdateAccount() {
 	testAccount := suite.testAccounts["local_account_1"]