From cda3f72ab88bd10164ab2f25ffbf6366a7d6ede9 Mon Sep 17 00:00:00 2001
From: Sam <sam.saffron@gmail.com>
Date: Fri, 16 Feb 2018 08:56:13 +1100
Subject: [PATCH] SECURITY: don't onebox whispers

---
 lib/oneboxer.rb                            | 40 +++++++++++-----------
 spec/controllers/onebox_controller_spec.rb | 11 ++++++
 2 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/lib/oneboxer.rb b/lib/oneboxer.rb
index 6c3027f17d7..88fd33245a3 100644
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@@ -170,16 +170,26 @@ module Oneboxer
         return unless Guardian.new(current_user).can_see_category?(current_category)
       end
 
+      topic = Topic.find_by(id: route[:topic_id])
+
+      return unless topic
+      return if topic.private_message?
+
+      if current_category&.id != topic.category_id
+        return unless Guardian.new.can_see_topic?(topic)
+      end
+
+      post = nil
+      post_number = route[:post_number].to_i
+      if post_number > 1
+        post = topic.posts.where(post_number: route[:post_number].to_i).first
+      else
+        post = topic.ordered_posts.first
+      end
+
+      return if !post || post.hidden || post.post_type != Post.types[:regular]
+
       if route[:post_number].to_i > 1
-        post = Post.find_by(topic_id: route[:topic_id], post_number: route[:post_number])
-
-        return if !post || post.hidden || post.topic.private_message?
-
-        if current_category&.id != post.topic.category_id
-          return if !Guardian.new.can_see_post?(post)
-        end
-
-        topic = post.topic
         excerpt = post.excerpt(SiteSetting.post_onebox_maxlength)
         excerpt.gsub!(/[\r\n]+/, " ")
         excerpt.gsub!("[/quote]", "[quote]") # don't break my quote
@@ -188,23 +198,13 @@ module Oneboxer
 
         PrettyText.cook(quote)
       else
-        topic = Topic.find_by(id: route[:topic_id])
-
-        return if !topic || topic.private_message?
-
-        if current_category&.id != topic.category_id
-          return if !Guardian.new.can_see_topic?(topic)
-        end
-
-        first_post = topic.ordered_posts.first
-
         args = {
           topic_id: topic.id,
           avatar: PrettyText.avatar_img(topic.user.avatar_template, "tiny"),
           original_url: url,
           title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)),
           category_html: CategoryBadge.html_for(topic.category),
-          quote: first_post.excerpt(SiteSetting.post_onebox_maxlength),
+          quote: post.excerpt(SiteSetting.post_onebox_maxlength),
         }
 
         template = File.read("#{Rails.root}/lib/onebox/templates/discourse_topic_onebox.hbs")
diff --git a/spec/controllers/onebox_controller_spec.rb b/spec/controllers/onebox_controller_spec.rb
index b53090ec28a..5eb7f074d5a 100644
--- a/spec/controllers/onebox_controller_spec.rb
+++ b/spec/controllers/onebox_controller_spec.rb
@@ -139,6 +139,17 @@ describe OneboxController do
       expect(response.body).not_to include('blockquote')
     end
 
+    it 'does not allow whisper onebox' do
+      log_in
+
+      post = create_post
+      whisper = create_post(topic_id: post.topic_id, post_type: Post.types[:whisper])
+      url = Discourse.base_url + whisper.url
+
+      get :show, params: { url: url }, format: :json
+      expect(response.body).not_to include('blockquote')
+    end
+
     it 'allows onebox to public topics/posts in PM' do
       log_in