michael/pyfedi
1
0
Fork 0
mirror of https://codeberg.org/rimu/pyfedi synced 2025-01-23 19:36:56 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

apf part 06: reject any ActivityPub activity from a local actor

Browse source
This commit is contained in:
freamon 2024-11-18 17:47:26 +00:00
parent 20f17000f5
commit 479bbe4dcc
1 changed files with 17 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
app/activitypub/routes.py
View file

@ -442,6 +442,23 @@ def shared_inbox():
actor.ap_fetched_at = utcnow() # use stored pubkey, don't try to re-fetch for next step (signature verification) actor.ap_fetched_at = utcnow() # use stored pubkey, don't try to re-fetch for next step (signature verification)
db.session.commit() db.session.commit()
actor = find_actor_or_create(request_json['actor'])
if not actor:
actor_name = request_json['actor']
log_incoming_ap(request_json['id'], APLOG_NOTYPE, APLOG_FAILURE, request_json if store_ap_json else None, f'Actor could not be found 1: {actor_name}')
return '', 400
if actor.is_local(): # should be impossible (can be Announced back, but not sent without access to privkey)
log_incoming_ap(request_json['id'], APLOG_NOTYPE, APLOG_FAILURE, request_json if store_ap_json else None, 'ActivityPub activity from a local actor')
return '', 400
else:
actor.instance.last_seen = utcnow()
actor.instance.dormant = False
actor.instance.gone_forever = False
actor.instance.failures = 0
actor.instance.ip_address = ip_address()
db.session.commit()
if request.method == 'POST': if request.method == 'POST':
# save all incoming data to aid in debugging and development. Set result to 'success' if things go well # save all incoming data to aid in debugging and development. Set result to 'success' if things go well
activity_log = ActivityPubLog(direction='in', result='failure') activity_log = ActivityPubLog(direction='in', result='failure')
@ -462,7 +479,6 @@ def shared_inbox():
process_delete_request.delay(request_json, activity_log.id, ip_address()) process_delete_request.delay(request_json, activity_log.id, ip_address())
return '' return ''
actor = find_actor_or_create(request_json['actor']) if 'actor' in request_json else None
if actor is not None: if actor is not None:
try: try:
HttpSignature.verify_request(request, actor.public_key, skip_date=True) HttpSignature.verify_request(request, actor.public_key, skip_date=True)
@ -476,9 +492,6 @@ def shared_inbox():
activity_log.result = 'failure' activity_log.result = 'failure'
db.session.commit() db.session.commit()
return '', 400 return '', 400
else:
actor_name = request_json['actor'] if 'actor' in request_json else ''
activity_log.exception_message = f'Actor could not be found 1: {actor_name}'
if activity_log.exception_message is not None: if activity_log.exception_message is not None:
activity_log.result = 'failure' activity_log.result = 'failure'