Ensure domains of 'id' and 'actor'/'attributedTo' match

This commit is contained in:
freamon 2024-04-24 13:44:25 +01:00
parent 5c1da0a0be
commit 3cddfd86e8
3 changed files with 46 additions and 3 deletions

View file

@ -21,7 +21,7 @@ from app.activitypub.util import public_key, users_total, active_half_year, acti
upvote_post, delete_post_or_comment, community_members, \ upvote_post, delete_post_or_comment, community_members, \
user_removed_from_remote_server, create_post, create_post_reply, update_post_reply_from_activity, \ user_removed_from_remote_server, create_post, create_post_reply, update_post_reply_from_activity, \
update_post_from_activity, undo_vote, undo_downvote, post_to_page, get_redis_connection, find_reported_object, \ update_post_from_activity, undo_vote, undo_downvote, post_to_page, get_redis_connection, find_reported_object, \
process_report process_report, ensure_domains_match
from app.utils import gibberish, get_setting, is_image_url, allowlist_html, render_template, \ from app.utils import gibberish, get_setting, is_image_url, allowlist_html, render_template, \
domain_from_url, markdown_to_html, community_membership, ap_datetime, ip_address, can_downvote, \ domain_from_url, markdown_to_html, community_membership, ap_datetime, ip_address, can_downvote, \
can_upvote, can_create_post, awaken_dormant_instance, shorten_string, can_create_post_reply, sha256_digest, \ can_upvote, can_create_post, awaken_dormant_instance, shorten_string, can_create_post_reply, sha256_digest, \
@ -513,6 +513,12 @@ def process_inbox_request(request_json, activitypublog_id, ip_address):
activity_log.activity_type = 'exception' activity_log.activity_type = 'exception'
db.session.commit() db.session.commit()
return return
if 'object' in request_json:
if not ensure_domains_match(request_json['object']):
activity_log.result = 'failure'
activity_log.exception_message = 'Domains do not match'
db.session.commit()
return
community = find_actor_or_create(community_ap_id, community_only=True) community = find_actor_or_create(community_ap_id, community_only=True)
if community and community.local_only: if community and community.local_only:
activity_log.exception_message = 'Remote Create in local_only community' activity_log.exception_message = 'Remote Create in local_only community'
@ -567,6 +573,12 @@ def process_inbox_request(request_json, activitypublog_id, ip_address):
activity_log.exception_message = 'invalid json?' activity_log.exception_message = 'invalid json?'
elif request_json['object']['type'] == 'Create': elif request_json['object']['type'] == 'Create':
activity_log.activity_type = request_json['object']['type'] activity_log.activity_type = request_json['object']['type']
if 'object' in request_json and 'object' in request_json['object']:
if not ensure_domains_match(request_json['object']['object']):
activity_log.exception_message = 'Domains do not match'
activity_log.result = 'failure'
db.session.commit()
return
user_ap_id = request_json['object']['object']['attributedTo'] user_ap_id = request_json['object']['object']['attributedTo']
try: try:
community_ap_id = request_json['object']['audience'] if 'audience' in request_json['object'] else request_json['actor'] community_ap_id = request_json['object']['audience'] if 'audience' in request_json['object'] else request_json['actor']

View file

@ -2013,3 +2013,29 @@ def lemmy_site_data():
} }
data['admins'].append({'person': person, 'counts': counts}) data['admins'].append({'person': person, 'counts': counts})
return data return data
def ensure_domains_match(activity: dict) -> bool:
if 'id' in activity:
note_id = activity['id']
else:
note_id = None
if 'actor' in activity:
note_actor = activity['actor']
elif 'attributedTo' in activity:
note_actor = activity['attributedTo']
else:
note_actor = None
if note_id and note_actor:
parsed_url = urlparse(note_id)
id_domain = parsed_url.netloc
parsed_url = urlparse(note_actor)
actor_domain = parsed_url.netloc
if id_domain == actor_domain:
return True
return False

View file

@ -10,7 +10,7 @@ from pillow_heif import register_heif_opener
from app import db, cache, celery from app import db, cache, celery
from app.activitypub.signature import post_request from app.activitypub.signature import post_request
from app.activitypub.util import find_actor_or_create, actor_json_to_model, post_json_to_model, default_context from app.activitypub.util import find_actor_or_create, actor_json_to_model, post_json_to_model, default_context, ensure_domains_match
from app.constants import POST_TYPE_ARTICLE, POST_TYPE_LINK, POST_TYPE_IMAGE, POST_TYPE_VIDEO from app.constants import POST_TYPE_ARTICLE, POST_TYPE_LINK, POST_TYPE_IMAGE, POST_TYPE_VIDEO
from app.models import Community, File, BannedInstances, PostReply, PostVote, Post, utcnow, CommunityMember, Site, \ from app.models import Community, File, BannedInstances, PostReply, PostVote, Post, utcnow, CommunityMember, Site, \
Instance, Notification, User, ActivityPubLog Instance, Notification, User, ActivityPubLog
@ -99,11 +99,16 @@ def retrieve_mods_and_backfill(community_id: int):
if 'type' in outbox_data and outbox_data['type'] == 'OrderedCollection' and 'orderedItems' in outbox_data: if 'type' in outbox_data and outbox_data['type'] == 'OrderedCollection' and 'orderedItems' in outbox_data:
activities_processed = 0 activities_processed = 0
for activity in outbox_data['orderedItems']: for activity in outbox_data['orderedItems']:
user = find_actor_or_create(activity['object']['actor'])
activity_log = ActivityPubLog(direction='in', activity_id=activity['id'], activity_type='Announce', result='failure') activity_log = ActivityPubLog(direction='in', activity_id=activity['id'], activity_type='Announce', result='failure')
if site.log_activitypub_json: if site.log_activitypub_json:
activity_log.activity_json = json.dumps(activity) activity_log.activity_json = json.dumps(activity)
db.session.add(activity_log) db.session.add(activity_log)
if 'object' in activity and 'object' in activity['object']:
if not ensure_domains_match(activity['object']['object']):
activity_log.exception_message = 'Domains do not match'
db.session.commit()
continue
user = find_actor_or_create(activity['object']['actor'])
if user: if user:
post = post_json_to_model(activity_log, activity['object']['object'], user, community) post = post_json_to_model(activity_log, activity['object']['object'], user, community)
if post: if post: