From: Felix Ableitner Date: Wed, 5 Aug 2020 12:18:08 +0000 (+0200) Subject: Verify ID of received apub objects against domain allowlist etc X-Git-Url: http://these/git/%7B%60%24%7BwebArchiveUrl%7D/%22%7B%7D/%24%7B%60data:application/%22https:/hacktivis.me/README.zh.hant.md?a=commitdiff_plain;h=233aa34d54697c366a23a31a34990616e4231ec7;p=lemmy.git Verify ID of received apub objects against domain allowlist etc --- diff --git a/server/src/apub/comment.rs b/server/src/apub/comment.rs index 05b40dbe..8bd79b79 100644 --- a/server/src/apub/comment.rs +++ b/server/src/apub/comment.rs @@ -1,6 +1,7 @@ use crate::{ apub::{ activities::{generate_activity_id, send_activity_to_community}, + check_is_apub_id_valid, create_apub_response, create_apub_tombstone_response, create_tombstone, @@ -166,6 +167,9 @@ impl FromApub for CommentForm { None => None, }; + let ap_id = note.id_unchecked().unwrap().to_string(); + check_is_apub_id_valid(&Url::parse(&ap_id)?)?; + Ok(CommentForm { creator_id: creator.id, post_id: post.id, @@ -181,7 +185,7 @@ impl FromApub for CommentForm { published: note.published().map(|u| u.to_owned().naive_local()), updated: note.updated().map(|u| u.to_owned().naive_local()), deleted: None, - ap_id: note.id_unchecked().unwrap().to_string(), + ap_id, local: false, }) } diff --git a/server/src/apub/community.rs b/server/src/apub/community.rs index 96f0f84c..b35c47bb 100644 --- a/server/src/apub/community.rs +++ b/server/src/apub/community.rs @@ -1,6 +1,7 @@ use crate::{ apub::{ activities::{generate_activity_id, send_activity}, + check_is_apub_id_valid, create_apub_response, create_apub_tombstone_response, create_tombstone, @@ -334,6 +335,8 @@ impl FromApub for CommunityForm { .unwrap(); let creator = get_or_fetch_and_upsert_user(creator_uri, client, pool).await?; + let actor_id = group.inner.id_unchecked().unwrap().to_string(); + check_is_apub_id_valid(&Url::parse(&actor_id)?)?; Ok(CommunityForm { name: group 
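Review bot: In server/src/apub/comment.rs (hunk `@@ -166,6 +167,9 @@`), `note.id_unchecked().unwrap()` panics when a received object carries no `id`, and that object comes from a remote server. The function already returns a `Result` (the next added line uses `?`), so a missing id can be reported as an error instead, for example `let ap_id = note.id_unchecked().ok_or_else(|| /* missing-id error of this function's error type */)?.to_string();`. The same `unwrap()` sits in the added lines of community.rs, post.rs, private_message.rs and user.rs. The function body starts and ends outside the hunk.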
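Review bot: In server/src/apub/community.rs (hunk `@@ -334,6 +335,8 @@`), the id check runs only after `get_or_fetch_and_upsert_user(creator_uri, client, pool).await?`, so an object whose id is later rejected can still trigger an outbound fetch and a user upsert first. Moving the two added lines ahead of any fetch would make the rejection cheap and free of side effects; whether the fetcher applies its own allowlist check is not visible here. In private_message.rs (hunk `@@ -84,10 +85,10 @@`) the user fetches shown in the hunk likewise precede the check. The function starts outside the hunk.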
@@ -359,7 +362,7 @@ impl FromApub for CommunityForm { updated: group.inner.updated().map(|u| u.to_owned().naive_local()), deleted: None, nsfw: group.ext_one.sensitive, - actor_id: group.inner.id_unchecked().unwrap().to_string(), + actor_id, local: false, private_key: None, public_key: Some(group.ext_two.to_owned().public_key.public_key_pem), diff --git a/server/src/apub/post.rs b/server/src/apub/post.rs index 4b687b0a..ed4dfe0f 100644 --- a/server/src/apub/post.rs +++ b/server/src/apub/post.rs @@ -1,6 +1,7 @@ use crate::{ apub::{ activities::{generate_activity_id, send_activity_to_community}, + check_is_apub_id_valid, create_apub_response, create_apub_tombstone_response, create_tombstone, @@ -203,6 +204,9 @@ impl FromApub for PostForm { None => (None, None, None), }; + let ap_id = page.inner.id_unchecked().unwrap().to_string(); + check_is_apub_id_valid(&Url::parse(&ap_id)?)?; + let url = page .inner .url() @@ -245,7 +249,7 @@ impl FromApub for PostForm { embed_description, embed_html, thumbnail_url, - ap_id: page.inner.id_unchecked().unwrap().to_string(), + ap_id, local: false, }) } diff --git a/server/src/apub/private_message.rs b/server/src/apub/private_message.rs index 69f552d3..af0f5610 100644 --- a/server/src/apub/private_message.rs +++ b/server/src/apub/private_message.rs @@ -1,6 +1,7 @@ use crate::{ apub::{ activities::{generate_activity_id, send_activity}, + check_is_apub_id_valid, create_tombstone, fetcher::get_or_fetch_and_upsert_user, insert_activity, @@ -84,10 +85,10 @@ impl FromApub for PrivateMessageForm { .unwrap(); let creator = get_or_fetch_and_upsert_user(&creator_actor_id, client, pool).await?; - let recipient_actor_id = note.to().unwrap().clone().single_xsd_any_uri().unwrap(); - let recipient = get_or_fetch_and_upsert_user(&recipient_actor_id, client, pool).await?; + let ap_id = note.id_unchecked().unwrap().to_string(); + check_is_apub_id_valid(&Url::parse(&ap_id)?)?; Ok(PrivateMessageForm { creator_id: creator.id, 
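Review bot: In server/src/apub/post.rs (hunk `@@ -203,6 +204,9 @@`), the id is converted to a `String` and immediately parsed back with `Url::parse(&ap_id)?` only to call the check. If `id_unchecked()` already yields a parsed URL (the `.to_string()` call suggests it is not a plain string; confirm against the library), the check can take it directly: `let id = page.inner.id_unchecked().unwrap(); check_is_apub_id_valid(id)?;`, with `id.to_string()` used where the form field is filled. This removes a second parse and an error path that cannot add information. The other four files use the same pattern.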
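Review bot: In server/src/apub/private_message.rs (hunk `@@ -84,10 +85,10 @@`), the new check receives only the message id, so as far as this hunk shows nothing ties the id's host to the host of `creator_actor_id`. An object from one allowlisted instance whose id names a different allowlisted domain would pass and be stored under that id. Consider also rejecting the object when the two hosts differ, for example by comparing `Url::parse(&ap_id)?.domain()` with the domain of `creator_actor_id`. The comment and post conversions look to be in the same position. `check_is_apub_id_valid` is defined outside this diff, so confirm it does not already cover this.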
@@ -102,7 +103,7 @@ impl FromApub for PrivateMessageForm { updated: note.updated().map(|u| u.to_owned().naive_local()), deleted: None, read: None, - ap_id: note.id_unchecked().unwrap().to_string(), + ap_id, local: false, }) } diff --git a/server/src/apub/user.rs b/server/src/apub/user.rs index 2922006d..80b91ddb 100644 --- a/server/src/apub/user.rs +++ b/server/src/apub/user.rs @@ -1,6 +1,7 @@ use crate::{ apub::{ activities::{generate_activity_id, send_activity}, + check_is_apub_id_valid, create_apub_response, insert_activity, ActorType, @@ -217,6 +218,11 @@ impl FromApub for UserForm { None => None, }; + // TODO: here and in community we could actually check against the exact domain where we fetched + // the actor from, if we can pass it in somehow + let actor_id = person.id_unchecked().unwrap().to_string(); + check_is_apub_id_valid(&Url::parse(&actor_id)?)?; + Ok(UserForm { name: person .name() @@ -241,7 +247,7 @@ impl FromApub for UserForm { show_avatars: false, send_notifications_to_email: false, matrix_user_id: None, - actor_id: person.id_unchecked().unwrap().to_string(), + actor_id, bio: person .inner .summary()
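Review bot: In server/src/apub/user.rs (hunk `@@ -217,6 +218,11 @@`), the added TODO reads like an optional refinement, but it describes the remaining trust gap: the actor id is accepted when its domain is allowed, not when it matches the host the actor document was fetched from. The form built here presumably becomes the local record for that actor, so I would make the gap explicit and trackable in the comment, for instance `// TODO(security): actor_id is only checked against the allowlist, not against the host it was fetched from; pass the fetch URL in and compare domains`. community.rs builds its form the same way and stores the actor's `public_key` alongside the id.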