From 3cddfd86e85c3b88bd387ed097bb32b415e7c26f Mon Sep 17 00:00:00 2001 From: freamon Date: Wed, 24 Apr 2024 13:44:25 +0100 Subject: [PATCH] Ensure domains of 'id' and 'actor'/'attributedTo' match --- app/activitypub/routes.py | 14 +++++++++++++- app/activitypub/util.py | 26 ++++++++++++++++++++++++++ app/community/util.py | 9 +++++++-- 3 files changed, 46 insertions(+), 3 deletions(-) diff --git a/app/activitypub/routes.py b/app/activitypub/routes.py index 3c95e2b5..0b561f87 100644 --- a/app/activitypub/routes.py +++ b/app/activitypub/routes.py @@ -21,7 +21,7 @@ from app.activitypub.util import public_key, users_total, active_half_year, acti upvote_post, delete_post_or_comment, community_members, \ user_removed_from_remote_server, create_post, create_post_reply, update_post_reply_from_activity, \ update_post_from_activity, undo_vote, undo_downvote, post_to_page, get_redis_connection, find_reported_object, \ - process_report + process_report, ensure_domains_match from app.utils import gibberish, get_setting, is_image_url, allowlist_html, render_template, \ domain_from_url, markdown_to_html, community_membership, ap_datetime, ip_address, can_downvote, \ can_upvote, can_create_post, awaken_dormant_instance, shorten_string, can_create_post_reply, sha256_digest, \ @@ -513,6 +513,12 @@ def process_inbox_request(request_json, activitypublog_id, ip_address): activity_log.activity_type = 'exception' db.session.commit() return + if 'object' in request_json: + if not ensure_domains_match(request_json['object']): + activity_log.result = 'failure' + activity_log.exception_message = 'Domains do not match' + db.session.commit() + return community = find_actor_or_create(community_ap_id, community_only=True) if community and community.local_only: activity_log.exception_message = 'Remote Create in local_only community' @@ -567,6 +573,12 @@ def process_inbox_request(request_json, activitypublog_id, ip_address): activity_log.exception_message = 'invalid json?' elif request_json['object']['type'] == 'Create': activity_log.activity_type = request_json['object']['type'] + if 'object' in request_json and 'object' in request_json['object']: + if not ensure_domains_match(request_json['object']['object']): + activity_log.exception_message = 'Domains do not match' + activity_log.result = 'failure' + db.session.commit() + return user_ap_id = request_json['object']['object']['attributedTo'] try: community_ap_id = request_json['object']['audience'] if 'audience' in request_json['object'] else request_json['actor'] diff --git a/app/activitypub/util.py b/app/activitypub/util.py index 643e9bb6..4337892f 100644 --- a/app/activitypub/util.py +++ b/app/activitypub/util.py @@ -2013,3 +2013,29 @@ def lemmy_site_data(): } data['admins'].append({'person': person, 'counts': counts}) return data + + +def ensure_domains_match(activity: dict) -> bool: + if 'id' in activity: + note_id = activity['id'] + else: + note_id = None + + if 'actor' in activity: + note_actor = activity['actor'] + elif 'attributedTo' in activity: + note_actor = activity['attributedTo'] + else: + note_actor = None + + if note_id and note_actor: + parsed_url = urlparse(note_id) + id_domain = parsed_url.netloc + parsed_url = urlparse(note_actor) + actor_domain = parsed_url.netloc + + if id_domain == actor_domain: + return True + + return False + diff --git a/app/community/util.py b/app/community/util.py index 981100c4..01232cab 100644 --- a/app/community/util.py +++ b/app/community/util.py @@ -10,7 +10,7 @@ from pillow_heif import register_heif_opener from app import db, cache, celery from app.activitypub.signature import post_request -from app.activitypub.util import find_actor_or_create, actor_json_to_model, post_json_to_model, default_context +from app.activitypub.util import find_actor_or_create, actor_json_to_model, post_json_to_model, default_context, ensure_domains_match from app.constants import POST_TYPE_ARTICLE, POST_TYPE_LINK, POST_TYPE_IMAGE, POST_TYPE_VIDEO from app.models import Community, File, BannedInstances, PostReply, PostVote, Post, utcnow, CommunityMember, Site, \ Instance, Notification, User, ActivityPubLog @@ -99,11 +99,16 @@ def retrieve_mods_and_backfill(community_id: int): if 'type' in outbox_data and outbox_data['type'] == 'OrderedCollection' and 'orderedItems' in outbox_data: activities_processed = 0 for activity in outbox_data['orderedItems']: - user = find_actor_or_create(activity['object']['actor']) activity_log = ActivityPubLog(direction='in', activity_id=activity['id'], activity_type='Announce', result='failure') if site.log_activitypub_json: activity_log.activity_json = json.dumps(activity) db.session.add(activity_log) + if 'object' in activity and 'object' in activity['object']: + if not ensure_domains_match(activity['object']['object']): + activity_log.exception_message = 'Domains do not match' + db.session.commit() + continue + user = find_actor_or_create(activity['object']['actor']) if user: post = post_json_to_model(activity_log, activity['object']['object'], user, community) if post: