[backend/frontend] Disable post imports for security reasons

packages/backend/src/queue/processors/db/import-firefish-post.ts

@@ -11,41 +11,5 @@ export async function importCkPost(
 	job: Bull.Job<DbUserImportMastoPostJobData>,
 	done: any,
 ): Promise<void> {
-	const user = await Users.findOneBy({ id: job.data.user.id });
-	if (user == null) {
-		done();
-		return;
-	}
-	const post = job.data.post;
-	if (post.replyId != null) {
-		done();
-		return;
-	}
-	if (post.renoteId != null) {
-		done();
-		return;
-	}
-	if (post.visibility !== "public") {
-		done();
-		return;
-	}
-	const { text, cw, localOnly, createdAt } = Post.parse(post);
-	const note = await create(user, {
-		createdAt: createdAt,
-		files: undefined,
-		poll: undefined,
-		text: text || undefined,
-		reply: null,
-		renote: null,
-		cw: cw,
-		localOnly,
-		visibility: "hidden",
-		visibleUsers: [],
-		channel: null,
-		apMentions: new Array(0),
-		apHashtags: undefined,
-		apEmojis: undefined,
-	});
-	logger.succ("Imported");
 	done();
 }

packages/backend/src/queue/processors/db/import-masto-post.ts

@@ -15,77 +15,5 @@ export async function importMastoPost(
 	job: Bull.Job<DbUserImportMastoPostJobData>,
 	done: any,
 ): Promise<void> {
-	const user = await Users.findOneBy({ id: job.data.user.id });
-	if (user == null) {
-		done();
-		return;
-	}
-	const post = job.data.post;
-	let reply: Note | null = null;
-	job.progress(20);
-	if (post.object.inReplyTo != null) {
-		reply = await resolveNote(post.object.inReplyTo);
-	}
-	job.progress(40);
-	if (post.directMessage) {
-		done();
-		return;
-	}
-	if (job.data.signatureCheck) {
-		if (!post.signature) {
-			done();
-			return;
-		}
-	}
-	job.progress(60);
-	let text;
-	try {
-		text = await htmlToMfm(post.object.content, post.object.tag);
-	} catch (e) {
-		throw e;
-	}
-	job.progress(80);
-
-	let files: DriveFile[] = (post.object.attachment || [])
-		.map((x: any) => x?.driveFile)
-		.filter((x: any) => x);
-
-	if (files.length == 0) {
-		const urls = post.object.attachment
-			.map((x: any) => x.url)
-			.filter((x: String) => x.startsWith("http"));
-		files = [];
-		for (const url of urls) {
-			try {
-				const file = await uploadFromUrl({
-					url: url,
-					user: user,
-				});
-				files.push(file);
-			} catch (e) {
-				logger.error(`Skipped adding file to drive: ${url}`);
-			}
-		}
-	}
-
-	const note = await create(user, {
-		createdAt: new Date(post.object.published),
-		files: files.length == 0 ? undefined : files,
-		poll: undefined,
-		text: text || undefined,
-		reply,
-		renote: null,
-		cw: post.object.sensitive ? post.object.summary : undefined,
-		localOnly: false,
-		visibility: "hidden",
-		visibleUsers: [],
-		channel: null,
-		apMentions: new Array(0),
-		apHashtags: undefined,
-		apEmojis: undefined,
-	});
-	job.progress(100);
 	done();
-
-	logger.succ("Imported");
 }

packages/backend/src/server/api/endpoints/i/import-posts.ts

@@ -1,9 +1,6 @@
 import define from "../../define.js";
-import { createImportPostsJob } from "@/queue/index.js";
 import { ApiError } from "../../error.js";
-import { DriveFiles } from "@/models/index.js";
 import { DAY } from "@/const.js";
-import { fetchMeta } from "@/misc/fetch-meta.js";
 
 export const meta = {
 	secure: true,
@@ -26,7 +23,7 @@ export const meta = {
 		},
 
 		importsDisabled: {
-			message: "Post imports are disabled.",
+			message: "Post imports are disabled for security reasons.",
 			code: "IMPORTS_DISABLED",
 			id: " bc9227e4-fb82-11ed-be56-0242ac120002",
 		},
@@ -43,13 +40,5 @@ export const paramDef = {
 } as const;
 
 export default define(meta, paramDef, async (ps, user) => {
-	const file = await DriveFiles.findOneBy({ id: ps.fileId });
+	throw new ApiError(meta.errors.importsDisabled);
-
-	const instanceMeta = await fetchMeta();
-	if (instanceMeta.experimentalFeatures?.postImports === false)
-		throw new ApiError(meta.errors.importsDisabled);
-
-	if (file == null) throw new ApiError(meta.errors.noSuchFile);
-	if (file.size === 0) throw new ApiError(meta.errors.emptyFile);
-	createImportPostsJob(user, file.id, ps.signatureCheck);
 });

packages/client/src/pages/settings/import-export.vue

@@ -16,24 +16,6 @@
 					{{ i18n.ts.export }}</MkButton
 				>
 			</FormFolder>
-			<FormFolder class="_formBlock">
-				<template #label>{{ i18n.ts.import }}</template>
-				<template #icon
-					><i class="ph-upload-simple ph-bold ph-lg"></i
-				></template>
-				<FormRadios v-model="importType" class="_formBlock">
-					<option value="iceshrimp">Iceshrimp/Misskey</option>
-					<option value="mastodon">Mastodon/Akkoma/Pleroma</option>
-				</FormRadios>
-				<MkButton
-					primary
-					:class="$style.button"
-					inline
-					@click="importPosts($event)"
-					><i class="ph-upload-simple ph-bold ph-lg"></i>
-					{{ i18n.ts.import }}</MkButton
-				>
-			</FormFolder>
 		</FormSection>
 		<FormSection>
 			<template #label>{{
@@ -213,16 +195,6 @@ const exportNotes = () => {
 	os.api("i/export-notes", {}).then(onExportSuccess).catch(onError);
 };
 
-const importPosts = async (ev) => {
-	const file = await selectFile(ev.currentTarget ?? ev.target);
-	os.api("i/import-posts", {
-		fileId: file.id,
-		signatureCheck: false,
-	})
-		.then(onImportSuccess)
-		.catch(onError);
-};
-
 const exportFollowing = () => {
 	os.api("i/export-following", {
 		excludeMuting: excludeMutingUsers.value,