Change verify link service to use CSS selectors instead of a complex …

…XPath query (mastodon#31815)
interledger · Sep 8, 2024 · afa2e25 · afa2e25
1 parent 10143d0
commit afa2e25
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 8 deletions.
diff --git a/app/services/verify_link_service.rb b/app/services/verify_link_service.rb
@@ -26,7 +26,7 @@ def perform_request!
   def link_back_present?
     return false if @body.blank?
 
-    links = Nokogiri::HTML5(@body).xpath('//a[contains(concat(" ", normalize-space(@rel), " "), " me ")]|//link[contains(concat(" ", normalize-space(@rel), " "), " me ")]')
+    links = Nokogiri::HTML5(@body).css("a[rel~='me'],link[rel~='me']")
 
     if links.any? { |link| link['href']&.downcase == @link_back.downcase }
       true

diff --git a/spec/services/verify_link_service_spec.rb b/spec/services/verify_link_service_spec.rb
@@ -11,13 +11,14 @@
 
     before do
       stub_request(:head, 'https://redirect.me/abc').to_return(status: 301, headers: { 'Location' => ActivityPub::TagManager.instance.url_for(account) })
+      stub_request(:head, 'http://unrelated-site.com').to_return(status: 301)
       stub_request(:get, 'http://example.com').to_return(status: 200, body: html)
       subject.call(field)
     end
 
     context 'when a link contains an <a> back' do
       let(:html) do
-        <<-HTML
+        <<~HTML
           <!doctype html>
           <body>
             <a href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me">Follow me on Mastodon</a>
@@ -30,9 +31,9 @@
       end
     end
 
-    context 'when a link contains an <a rel="noopener noreferrer"> back' do
+    context 'when a link contains an <a rel="me noopener noreferrer"> back' do
       let(:html) do
-        <<-HTML
+        <<~HTML
           <!doctype html>
           <body>
             <a href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me noopener noreferrer" target="_blank">Follow me on Mastodon</a>
@@ -47,7 +48,7 @@
 
     context 'when a link contains a <link> back' do
       let(:html) do
-        <<-HTML
+        <<~HTML
           <!doctype html>
           <head>
             <link type="text/html" href="#{ActivityPub::TagManager.instance.url_for(account)}" rel="me" />
@@ -62,7 +63,7 @@
 
     context 'when a link goes through a redirect back' do
       let(:html) do
-        <<-HTML
+        <<~HTML
           <!doctype html>
           <head>
             <link type="text/html" href="https://redirect.me/abc" rel="me" />
@@ -113,7 +114,7 @@
 
     context 'when link has no `href` attribute' do
       let(:html) do
-        <<-HTML
+        <<~HTML
           <!doctype html>
           <head>
             <link type="text/html" rel="me" />
@@ -128,6 +129,21 @@
         expect(field.verified?).to be false
       end
     end
+
+    context 'when a link contains a link to an unexpected URL' do
+      let(:html) do
+        <<~HTML
+          <!doctype html>
+          <body>
+            <a href="http://unrelated-site.com" rel="me">Follow me on Unrelated Site</a>
+          </body>
+        HTML
+      end
+
+      it 'does not mark the field as verified' do
+        expect(field.verified?).to be false
+      end
+    end
   end
 
   context 'when given a remote account' do
@@ -141,7 +157,7 @@
 
     context 'when a link contains an <a> back' do
       let(:html) do
-        <<-HTML
+        <<~HTML
           <!doctype html>
           <body>
             <a href="https://profile.example.com/alice" rel="me">Follow me on Mastodon</a>