From fb3e900b2841a4f2efcb86b3912411774f43664d Mon Sep 17 00:00:00 2001
From: Diogo Peralta Cordeiro
Date: Fri, 11 Feb 2022 00:17:20 +0000
Subject: [PATCH] [CORE] Add CONFIG_ prefix to environment whitelist Fixed minor issues with Commong:config of env not being included and ported to local social yaml Fixed some regressions introduced with [CORE] Unset sensitive information from the environment
---
 bin/configure | 4 ++--
 components/FreeNetwork/FreeNetwork.php | 8 ++++----
 components/Link/Entity/Link.php | 2 +-
 plugins/ActivityPub/ActivityPub.php | 4 ++--
 plugins/ActivityPub/Controller/Inbox.php | 3 ++-
 public/index.php | 4 ++--
 src/Core/GNUsocial.php | 7 +++++--
 tests/Entity/LinkTest.php | 3 ++-
 8 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/bin/configure b/bin/configure
index bcf68e23c8..473f6e9ed8 100755
--- a/bin/configure
+++ b/bin/configure
@@ -352,8 +352,8 @@ SOCIAL_DBMS=${DBMS}
 SOCIAL_DB=${DB_NAME}
 SOCIAL_USER=${DB_USER}
 SOCIAL_PASSWORD=${DB_PASSWORD}
-SOCIAL_DOMAIN=${DOMAIN}
-SOCIAL_NODE_NAME=${NODE_NAME}
+CONFIG_DOMAIN=${DOMAIN}
+CONFIG_NODE_NAME=${NODE_NAME}
 SOCIAL_ADMIN_EMAIL=${EMAIL}
 SOCIAL_SITE_PROFILE=${PROFILE}
 MAILER_DSN=${MAILER_DSN}
diff --git a/components/FreeNetwork/FreeNetwork.php b/components/FreeNetwork/FreeNetwork.php
index 2ac081c620..0bb90380c7 100644
--- a/components/FreeNetwork/FreeNetwork.php
+++ b/components/FreeNetwork/FreeNetwork.php
@@ -152,7 +152,7 @@ class FreeNetwork extends Component
 $parts = explode('@', mb_substr(urldecode($resource), 5)); // 5 is strlen of 'acct:'
 if (\count($parts) === 2) {
 [$nick, $domain] = $parts;
- if ($domain !== $_ENV['SOCIAL_DOMAIN']) {
+ if ($domain !== Common::config('site', 'server')) {
 throw new ServerException(_m('Remote profiles not supported via WebFinger yet.'));
 }
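Review bot: The local-domain test `$domain !== Common::config('site', 'server')` is a byte-exact string comparison, but host names are case-insensitive and neither `explode()` here nor `parse_url()` in the later hunks lower-cases the host or strips a trailing dot. A resource that names this server with different casing is therefore classified as remote. The same applies to the `$resource_parts['host'] === …` checks at -169, -379 and -408 in this file, to Link.php -126 (where this check is what refuses links to the local host), to ActivityPub.php -446 and -493, and to Inbox.php -90. Consider comparing normalised values, e.g. `mb_strtolower($domain) !== mb_strtolower(Common::config('site', 'server'))`, ideally through one shared helper so that all call sites agree. The enclosing function starts and ends outside the hunk.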
@@ -169,7 +169,7 @@ class FreeNetwork extends Component
 // This means $resource is a valid url
 $resource_parts = parse_url($resource);
 // TODO: Use URLMatcher
- if ($resource_parts['host'] === $_ENV['SOCIAL_DOMAIN']) { // XXX: Common::config('site', 'server')) {
+ if ($resource_parts['host'] === Common::config('site', 'server')) {
 $str = $resource_parts['path'];
 // actor_view_nickname
 $renick = '/\/@(' . Nickname::DISPLAY_FMT . ')\/?/m';
@@ -379,7 +379,7 @@ class FreeNetwork extends Component
 $actor = null;
 $resource_parts = explode($preMention, $target);
- if ($resource_parts[1] === $_ENV['SOCIAL_DOMAIN']) { // XXX: Common::config('site', 'server')) {
+ if ($resource_parts[1] === Common::config('site', 'server')) {
 $actor = LocalUser::getByPK(['nickname' => $resource_parts[0]])->getActor();
 } else {
 Event::handle('FreeNetworkFindMentions', [$target, &$actor]);
@@ -408,7 +408,7 @@ class FreeNetwork extends Component
 // This means $resource is a valid url
 $resource_parts = parse_url($url);
 // TODO: Use URLMatcher
- if ($resource_parts['host'] === $_ENV['SOCIAL_DOMAIN']) { // XXX: Common::config('site', 'server')) {
+ if ($resource_parts['host'] === Common::config('site', 'server')) {
 $str = $resource_parts['path'];
 // actor_view_nickname
 $renick = '/\/@(' . Nickname::DISPLAY_FMT . ')\/?/m';
diff --git a/components/Link/Entity/Link.php b/components/Link/Entity/Link.php
index d5d65c0d14..ec304165d3 100644
--- a/components/Link/Entity/Link.php
+++ b/components/Link/Entity/Link.php
@@ -126,7 +126,7 @@ class Link extends Entity
 {
 if (Common::isValidHttpUrl($url)) {
 // If the URL is a local one, do not create a Link to it
- if (parse_url($url, \PHP_URL_HOST) === $_ENV['SOCIAL_DOMAIN']) {
+ if (parse_url($url, \PHP_URL_HOST) === Common::config('site', 'server')) {
 Log::warning("It was attempted to create a Link to a local location {$url}.");
 // Forbidden
 throw new InvalidArgumentException(message: "A Link can't point to a local location ({$url}), it must be a remote one", code: 400);
diff --git a/plugins/ActivityPub/ActivityPub.php b/plugins/ActivityPub/ActivityPub.php
index d44d4d39b1..f0f0b81499 100644
--- a/plugins/ActivityPub/ActivityPub.php
+++ b/plugins/ActivityPub/ActivityPub.php
@@ -446,7 +446,7 @@ class ActivityPub extends Plugin
 // This means $resource is a valid url
 $resource_parts = parse_url($resource);
 // TODO: Use URLMatcher
- if ($resource_parts['host'] === $_ENV['SOCIAL_DOMAIN']) { // XXX: Common::config('site', 'server')) {
+ if ($resource_parts['host'] === Common::config('site', 'server')) {
 $local_note = DB::findOneBy('note', ['url' => $resource], return_null: true);
 if ($local_note instanceof Note) {
 return $local_note;
@@ -493,7 +493,7 @@ class ActivityPub extends Plugin
 // This means $resource is a valid url
 $resource_parts = parse_url($resource);
 // TODO: Use URLMatcher
- if ($resource_parts['host'] === $_ENV['SOCIAL_DOMAIN']) { // XXX: Common::config('site', 'server')) {
+ if ($resource_parts['host'] === Common::config('site', 'server')) {
 $str = $resource_parts['path'];
 // actor_view_nickname
 $renick = '/\/@(' . Nickname::DISPLAY_FMT . ')\/?/m';
diff --git a/plugins/ActivityPub/Controller/Inbox.php b/plugins/ActivityPub/Controller/Inbox.php
index eac213de43..0b1a2435f5 100644
--- a/plugins/ActivityPub/Controller/Inbox.php
+++ b/plugins/ActivityPub/Controller/Inbox.php
@@ -35,6 +35,7 @@ namespace Plugin\ActivityPub\Controller;
 use App\Core\Controller;
 use App\Core\DB\DB;
 use App\Core\Event;
+use App\Util\Common;
 use function App\Core\I18n\_m;
 use App\Core\Log;
 use App\Core\Router\Router;
@@ -90,7 +91,7 @@ class Inbox extends Controller
 try {
 $resource_parts = parse_url($type->get('actor'));
- if ($resource_parts['host'] !== $_ENV['SOCIAL_DOMAIN']) { // XXX: Common::config('site', 'server')) {
+ if ($resource_parts['host'] !== Common::config('site', 'server')) {
 $ap_actor = ActivitypubActor::fromUri($type->get('actor'));
 $actor = Actor::getById($ap_actor->getActorId());
 DB::flush();
diff --git a/public/index.php b/public/index.php
index f89a742a9e..e55329771d 100755
--- a/public/index.php
+++ b/public/index.php
@@ -65,14 +65,14 @@ if ($trustedHosts = $_ENV['TRUSTED_HOSTS'] ?? $_SERVER['TRUSTED_HOSTS'] ?? false
 $kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
 // Wrap the default Kernel with the CacheKernel one in 'prod' environment
-if ('prod' === $kernel->getEnvironment() || isset($_ENV['SOCIAL_USE_CACHE_KERNEL'])) {
+if ('prod' === $kernel->getEnvironment() || isset($_ENV['CONFIG_USE_CACHE_KERNEL'])) {
 $kernel = new CacheKernel($kernel);
 }
 $request = Request::createFromGlobals();
 $_ENV = array_filter(
 $_ENV,
- fn (string $key) => Formatting::startsWith($key, ['HTTP', 'APP']) && $key !== 'APP_SECRET',
+ fn (string $key) => Formatting::startsWith($key, ['HTTP', 'APP', 'CONFIG']) && $key !== 'APP_SECRET',
 \ARRAY_FILTER_USE_KEY,
 );
 $response = $kernel->handle($request);
diff --git a/src/Core/GNUsocial.php b/src/Core/GNUsocial.php
index 0e62cc816c..e94d44e22f 100644
--- a/src/Core/GNUsocial.php
+++ b/src/Core/GNUsocial.php
@@ -79,6 +79,7 @@ use Symfony\Contracts\Translation\TranslatorInterface;
 use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelperInterface;
 use SymfonyCasts\Bundle\VerifyEmail\VerifyEmailHelperInterface;
 use Twig\Environment;
+use Symfony\Component\Yaml;
 /**
 * @codeCoverageIgnore
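Review bot: In Inbox.php at -90, `$resource_parts['host']` is read without checking what `parse_url()` returned, and the input is the `actor` field of the incoming activity. `parse_url()` returns `false` for a seriously malformed URL and omits the `host` key when there is none; in both cases the lookup yields null with a warning, the `!==` comparison is true, and the raw value goes on to `ActivitypubActor::fromUri()`. An explicit guard before the comparison would make the rejection deliberate, e.g. `$host = parse_url($type->get('actor'), \PHP_URL_HOST);` followed by `if (!\is_string($host)) { /* reject the activity */ }`. The `try` block continues outside the hunk, so an existing catch may already cover this; that is worth confirming.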
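Review bot: In public/index.php, the allowlist passed to `Formatting::startsWith()` uses the bare prefixes `'HTTP'`, `'APP'` and `'CONFIG'`, so (assuming a plain prefix test) it keeps any variable whose name merely begins with those letters, and only `APP_SECRET` is excluded by name. The commit title says `CONFIG_`; matching with the underscore, `['HTTP_', 'APP_', 'CONFIG_']`, keeps the filter as narrow as the title intends, after checking that no needed key such as `HTTPS` depends on the bare `HTTP` prefix. Everything under `CONFIG_` now stays readable in `$_ENV` for the whole request, so a comment above the filter such as `// CONFIG_* must never hold credentials; SOCIAL_PASSWORD, MAILER_DSN and the like are dropped here` would record the rule for whoever adds the next variable. Separately, `CONFIG_USE_CACHE_KERNEL` is tested with `isset()`, so setting it to `0` or `false` still enables the cache kernel.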
@@ -228,8 +229,10 @@ class GNUsocial implements EventSubscriberInterface
 // Overriding doesn't work as we want, overrides the top-most key, do it manually
 $local_file = INSTALLDIR . '/social.local.yaml';
 if (!file_exists($local_file)) {
- $node_name = $_ENV['SOCIAL_NODE_NAME'];
- file_put_contents($local_file, "parameters:\n locals:\n gnusocial:\n site:\n name: {$node_name}\n");
+ $node_name = $_ENV['CONFIG_NODE_NAME'];
+ $domain = $_ENV['CONFIG_DOMAIN'];
+ $yaml = (new Yaml\Dumper(indentation: 2))->dump(['parameters' => ['locals' => ['gnusocial' => ['site' => ['server' => $domain, 'name' => $node_name]]]]], Yaml\Yaml::DUMP_OBJECT_AS_MAP);
+ file_put_contents($local_file, $yaml);
 }
 // Load .local
diff --git a/tests/Entity/LinkTest.php b/tests/Entity/LinkTest.php
index 639ddb7a2e..6aff721368 100644
--- a/tests/Entity/LinkTest.php
+++ b/tests/Entity/LinkTest.php
@@ -21,6 +21,7 @@ declare(strict_types = 1);
 namespace App\Tests\Entity;
+use App\Util\Common;
 use App\Util\GNUsocialTestCase;
 use Component\Link\Entity\Link;
 use InvalidArgumentException;
@@ -36,6 +37,6 @@ class LinkTest extends GNUsocialTestCase
 $link = Link::getOrCreate('https://gnu.org');
 static::assertNotNull($link->getUrl());
- static::assertThrows(InvalidArgumentException::class, fn () => Link::getOrCreate('https://' . $_ENV['SOCIAL_DOMAIN']));
+ static::assertThrows(InvalidArgumentException::class, fn () => Link::getOrCreate('https://' . Common::config('site', 'server')));
 }
 }
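Review bot: In GNUsocial.php at -228, `$_ENV['CONFIG_NODE_NAME']` and `$_ENV['CONFIG_DOMAIN']` are read without a presence check, and `social.local.yaml` is written only once, when it does not yet exist. An installation whose `.env` still carries the old `SOCIAL_DOMAIN`/`SOCIAL_NODE_NAME` names would apparently get `server: null` persisted, after which the `=== Common::config('site', 'server')` local-host checks introduced elsewhere in this commit would stop matching. Failing loudly is safer: `$domain = $_ENV['CONFIG_DOMAIN'] ?? throw new \RuntimeException('CONFIG_DOMAIN is not set');`, and the same for the node name. The return value of `file_put_contents()` is also unchecked, so a failed write goes unnoticed until the file is loaded. The enclosing method starts and ends outside the hunk.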