[bugfix] Prevent future statuses entering timelines (#1134)

* [bugfix] Prevent future statuses entering timeline Statuses created more than 5 minutes into the future are now rejected in the visibility package. * Come on buddy
2025-11-10 04:57:29 -06:00 · 2022-11-24 13:54:49 +01:00 · 2022-11-24 13:54:49 +01:00 · da8954858a
commit da8954858a
parent fcb9c0bb8b
5 changed files with 69 additions and 13 deletions
--- a/internal/visibility/statushometimelineable.go
+++ b/internal/visibility/statushometimelineable.go
@ -21,17 +21,27 @@ package visibility
 import (
 	"context"
 	"fmt"
+	"time"

 	"codeberg.org/gruf/go-kv"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/id"
 	"github.com/superseriousbusiness/gotosocial/internal/log"
 )

 func (f *filter) StatusHometimelineable(ctx context.Context, targetStatus *gtsmodel.Status, timelineOwnerAccount *gtsmodel.Account) (bool, error) {
-	l := log.WithFields(kv.Fields{
+	l := log.WithFields(kv.Fields{{"statusID", targetStatus.ID}}...)

-		{"statusID", targetStatus.ID},
-	}...)
+	// don't timeline statuses more than 5 min in the future
+	maxID, err := id.NewULIDFromTime(time.Now().Add(5 * time.Minute))
+	if err != nil {
+		return false, err
+	}
+
+	if targetStatus.ID > maxID {
+		l.Debug("status not hometimelineable because it's from more than 5 minutes in the future")
+		return false, nil
+	}

 	// status owner should always be able to see their own status in their timeline so we can return early if this is the case
 	if targetStatus.AccountID == timelineOwnerAccount.ID {