[bugfix] boost and account recursion (#2982)

* fix possible infinite recursion if moved accounts are self-referential * adds a defensive check for a boost being a boost of a boost wrapper * add checks on input for a boost of a boost * remove unnecessary check * add protections on account move to prevent move recursion loops * separate status conversion without boost logic into separate function to remove risk of recursion * move boost check to boost function itself * formatting * use error 422 instead of 500 * use gtserror not standard errors package for error creation
2025-06-05 21:59:39 +02:00 · 2024-06-10 18:42:41 +00:00
parent ebdcb00d0a
commit fd6637df4a
7 changed files with 244 additions and 127 deletions
--- a/internal/processing/status/boost.go
+++ b/internal/processing/status/boost.go
@ -49,6 +49,7 @@ func (p *Processor) BoostCreate(
 		return nil, errWithCode
 	}

+	// Unwrap target in case it is a boost.
 	target, errWithCode = p.c.UnwrapIfBoost(
 		ctx,
 		requester,
@ -58,7 +59,13 @@ func (p *Processor) BoostCreate(
 		return nil, errWithCode
 	}

-	// Ensure valid boost target.
+	// Check is viable target.
+	if target.BoostOfID != "" {
+		err := gtserror.Newf("target status %s is boost wrapper", target.URI)
+		return nil, gtserror.NewErrorUnprocessableEntity(err)
+	}
+
+	// Ensure valid boost target for requester.
 	boostable, err := p.filter.StatusBoostable(ctx,
 		requester,
 		target,