[bugfix] boost and account recursion (#2982)

* fix possible infinite recursion if moved accounts are self-referential * adds a defensive check for a boost being a boost of a boost wrapper * add checks on input for a boost of a boost * remove unnecessary check * add protections on account move to prevent move recursion loops * separate status conversion without boost logic into separate function to remove risk of recursion * move boost check to boost function itself * formatting * use error 422 instead of 500 * use gtserror not standard errors package for error creation
2025-11-26 01:13:33 -06:00 · 2024-06-10 18:42:41 +00:00 · 2024-06-10 18:42:41 +00:00 · fd6637df4a
commit fd6637df4a
parent ebdcb00d0a
7 changed files with 244 additions and 127 deletions
--- a/internal/federation/dereferencing/announce.go
+++ b/internal/federation/dereferencing/announce.go
@ -22,7 +22,6 @@ import (
 	"errors"
 	"net/url"

-	"github.com/superseriousbusiness/gotosocial/internal/config"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
@ -56,25 +55,17 @@ func (d *Dereferencer) EnrichAnnounce(
 		)
 	}

-	// Fetch/deref status being boosted.
-	var target *gtsmodel.Status
-
-	if targetURIObj.Host == config.GetHost() {
-		// This is a local status, fetch from the database
-		target, err = d.state.DB.GetStatusByURI(ctx, targetURI)
-	} else {
-		// This is a remote status, we need to dereference it.
-		//
-		// d.GetStatusByURI will handle domain block checking for us,
-		// so we don't try to deref an announce target on a blocked host.
-		target, _, err = d.GetStatusByURI(ctx, requestUser, targetURIObj)
+	// Fetch and dereference status being boosted, noting that
+	// d.GetStatusByURI handles domain blocks and local statuses.
+	target, _, err := d.GetStatusByURI(ctx, requestUser, targetURIObj)
+	if err != nil {
+		return nil, gtserror.Newf("error fetching boost target %s: %w", targetURI, err)
 	}

-	if err != nil {
-		return nil, gtserror.Newf(
-			"error getting boost target status %s: %w",
-			targetURI, err,
-		)
+	if target.BoostOfID != "" {
+		// Ensure that the target is not a boost (should not be possible).
+		err := gtserror.Newf("target status %s is a boost", targetURI)
+		return nil, err
 	}

 	// Generate an ID for the boost wrapper status.