Asking the dangerous questions

2023-02-28 18:01:24 +00:00 · 2023-02-28 18:01:24 +00:00 · a7c0e187b5
parent 27fce3ba0e
commit a7c0e187b5
2 changed files with 26 additions and 2 deletions
--- a/inbox.py
+++ b/inbox.py
@ -122,6 +122,7 @@ from webapp_post import individual_post_as_html
 from question import question_update_votes
 from question import is_vote
 from question import is_question
+from question import dangerous_question
 from media import replace_you_tube
 from media import replace_twitter
 from git import is_git_patch
@ -1219,7 +1220,8 @@ def _person_receive_update(base_dir: str,
 def _receive_update_to_question(recent_posts_cache: {}, message_json: {},
                                base_dir: str,
                                nickname: str, domain: str,
-                                system_language: str) -> bool:
+                                system_language: str,
+                                allow_local_network_access: bool) -> bool:
    """Updating a question as new votes arrive
    """
    # message url of the question
@ -1243,6 +1245,8 @@ def _receive_update_to_question(recent_posts_cache: {}, message_json: {},
    if is_question_filtered(base_dir, nickname, domain,
                            system_language, post_json_object):
        return False
+    if dangerous_question(post_json_object, allow_local_network_access):
+        return False
    # does the actor match?
    if post_json_object['actor'] != message_json['actor']:
        return False
@ -1460,7 +1464,8 @@ def _receive_update_activity(recent_posts_cache: {}, session, base_dir: str,
    if message_json['object']['type'] == 'Question':
        if _receive_update_to_question(recent_posts_cache, message_json,
                                       base_dir, nickname, domain,
-                                       system_language):
+                                       system_language,
+                                       allow_local_network_access):
            if debug:
                print('DEBUG: Question update was received')
            return True
@ -3123,6 +3128,9 @@ def _valid_post_content(base_dir: str, nickname: str, domain: str,
                                system_language, message_json):
            print('REJECT: incoming question options filter')
            return False
+        if dangerous_question(message_json, allow_local_network_access):
+            print('REJECT: incoming question markup filter')
+            return False

    content_str = get_base_content_from_post(message_json, system_language)
    if dangerous_markup(content_str, allow_local_network_access):
--- a/question.py
+++ b/question.py
@ -13,6 +13,7 @@ from utils import load_json
 from utils import save_json
 from utils import has_object_dict
 from utils import text_in_file
+from utils import dangerous_markup


 def is_vote(base_dir: str, nickname: str, domain: str,
@ -208,3 +209,18 @@ def is_question(post_json_object: {}) -> bool:
    if not isinstance(post_json_object['object']['oneOf'], list):
        return False
    return True
+
+
+def dangerous_question(question_json: {},
+                       allow_local_network_access: bool) -> bool:
+    """does the given question contain dangerous markup?
+    """
+    if question_json.get('oneOf'):
+        question_options = question_json['oneOf']
+    else:
+        question_options = question_json['object']['oneOf']
+    for option in question_options:
+        if option.get('name'):
+            if dangerous_markup(option['name'], allow_local_network_access):
+                return True
+    return False