From: nutomic <nutomic@noreply.yerbamate.ml>
Date: Tue, 1 Dec 2020 18:30:15 +0000 (+0000)
Subject: Add check to make sure that inbox doesnt receive local activities (ref #1283) (#147)
X-Git-Url: http://these/git/%22https:/nerdica.net/photo/contact/80/44b525e5e979775f3ab2722747f7f07704134945?a=commitdiff_plain;h=2b5c69d6789c51c528e6654101623bd0c368ad5c;p=lemmy.git

Add check to make sure that inbox doesnt receive local activities (ref #1283) (#147)

Fixed comparison

Add check to make sure that inbox doesnt receive local activities (ref #1283)

Co-authored-by: Felix Ableitner <me@nutomic.com>
Reviewed-on: https://yerbamate.ml/LemmyNet/lemmy/pulls/147
---

diff --git a/lemmy_apub/src/inbox/community_inbox.rs b/lemmy_apub/src/inbox/community_inbox.rs
index 137f3fea..7c144a00 100644
--- a/lemmy_apub/src/inbox/community_inbox.rs
+++ b/lemmy_apub/src/inbox/community_inbox.rs
@@ -1,6 +1,7 @@
 use crate::{
   activities::receive::verify_activity_domains_valid,
   inbox::{
+    assert_activity_not_local,
     get_activity_id,
     get_activity_to_and_cc,
     inbox_verify_http_signature,
@@ -85,6 +86,7 @@ pub async fn community_inbox(
     return Err(anyhow!("Activity delivered to wrong community").into());
   }
 
+  assert_activity_not_local(&activity)?;
   insert_activity(&activity_id, activity.clone(), false, true, context.pool()).await?;
 
   info!(
diff --git a/lemmy_apub/src/inbox/mod.rs b/lemmy_apub/src/inbox/mod.rs
index 4fdbb7a5..ce6c7ede 100644
--- a/lemmy_apub/src/inbox/mod.rs
+++ b/lemmy_apub/src/inbox/mod.rs
@@ -14,7 +14,7 @@ use actix_web::HttpRequest;
 use anyhow::{anyhow, Context};
 use lemmy_db::{activity::Activity, community::Community, user::User_, DbPool};
 use lemmy_structs::blocking;
-use lemmy_utils::{location_info, LemmyError};
+use lemmy_utils::{location_info, settings::Settings, LemmyError};
 use lemmy_websocket::LemmyContext;
 use serde::{export::fmt::Debug, Serialize};
 use url::Url;
@@ -151,3 +151,22 @@ pub(crate) async fn is_addressed_to_community_followers(
   }
   Ok(None)
 }
+
+pub(in crate::inbox) fn assert_activity_not_local<T, Kind>(activity: &T) -> Result<(), LemmyError>
+where
+  T: BaseExt<Kind> + Debug,
+{
+  let id = activity.id_unchecked().context(location_info!())?;
+  let activity_domain = id.domain().context(location_info!())?;
+
+  if activity_domain == Settings::get().hostname {
+    return Err(
+      anyhow!(
+        "Error: received activity which was sent by local instance: {:?}",
+        activity
+      )
+      .into(),
+    );
+  }
+  Ok(())
+}
diff --git a/lemmy_apub/src/inbox/shared_inbox.rs b/lemmy_apub/src/inbox/shared_inbox.rs
index dfd58366..2875696e 100644
--- a/lemmy_apub/src/inbox/shared_inbox.rs
+++ b/lemmy_apub/src/inbox/shared_inbox.rs
@@ -1,5 +1,6 @@
 use crate::{
   inbox::{
+    assert_activity_not_local,
     community_inbox::{community_receive_message, CommunityAcceptedActivities},
     get_activity_id,
     get_activity_to_and_cc,
@@ -58,6 +59,7 @@ pub async fn shared_inbox(
     return Ok(HttpResponse::Ok().finish());
   }
 
+  assert_activity_not_local(&activity)?;
   // Log the activity, so we avoid receiving and parsing it twice. Note that this could still happen
   // if we receive the same activity twice in very quick succession.
   insert_activity(&activity_id, activity.clone(), false, true, context.pool()).await?;
diff --git a/lemmy_apub/src/inbox/user_inbox.rs b/lemmy_apub/src/inbox/user_inbox.rs
index dfcb2d61..2f847a5c 100644
--- a/lemmy_apub/src/inbox/user_inbox.rs
+++ b/lemmy_apub/src/inbox/user_inbox.rs
@@ -19,6 +19,7 @@ use crate::{
   check_is_apub_id_valid,
   fetcher::get_or_fetch_and_upsert_community,
   inbox::{
+    assert_activity_not_local,
     get_activity_id,
     get_activity_to_and_cc,
     inbox_verify_http_signature,
@@ -106,6 +107,7 @@ pub async fn user_inbox(
     return Err(anyhow!("Activity delivered to wrong user").into());
   }
 
+  assert_activity_not_local(&activity)?;
   insert_activity(&activity_id, activity.clone(), false, true, context.pool()).await?;
 
   debug!(