From 2b5c69d6789c51c528e6654101623bd0c368ad5c Mon Sep 17 00:00:00 2001 From: nutomic Date: Tue, 1 Dec 2020 18:30:15 +0000 Subject: [PATCH] Add check to make sure that inbox doesnt receive local activities (ref #1283) (#147) Fixed comparison Add check to make sure that inbox doesnt receive local activities (ref #1283) Co-authored-by: Felix Ableitner Reviewed-on: https://yerbamate.ml/LemmyNet/lemmy/pulls/147 --- lemmy_apub/src/inbox/community_inbox.rs | 2 ++ lemmy_apub/src/inbox/mod.rs | 21 ++++++++++++++++++++- lemmy_apub/src/inbox/shared_inbox.rs | 2 ++ lemmy_apub/src/inbox/user_inbox.rs | 2 ++ 4 files changed, 26 insertions(+), 1 deletion(-) diff --git a/lemmy_apub/src/inbox/community_inbox.rs b/lemmy_apub/src/inbox/community_inbox.rs index 137f3fea..7c144a00 100644 --- a/lemmy_apub/src/inbox/community_inbox.rs +++ b/lemmy_apub/src/inbox/community_inbox.rs @@ -1,6 +1,7 @@ use crate::{ activities::receive::verify_activity_domains_valid, inbox::{ + assert_activity_not_local, get_activity_id, get_activity_to_and_cc, inbox_verify_http_signature, @@ -85,6 +86,7 @@ pub async fn community_inbox( return Err(anyhow!("Activity delivered to wrong community").into()); } + assert_activity_not_local(&activity)?; insert_activity(&activity_id, activity.clone(), false, true, context.pool()).await?; info!( diff --git a/lemmy_apub/src/inbox/mod.rs b/lemmy_apub/src/inbox/mod.rs index 4fdbb7a5..ce6c7ede 100644 --- a/lemmy_apub/src/inbox/mod.rs +++ b/lemmy_apub/src/inbox/mod.rs @@ -14,7 +14,7 @@ use actix_web::HttpRequest; use anyhow::{anyhow, Context}; use lemmy_db::{activity::Activity, community::Community, user::User_, DbPool}; use lemmy_structs::blocking; -use lemmy_utils::{location_info, LemmyError}; +use lemmy_utils::{location_info, settings::Settings, LemmyError}; use lemmy_websocket::LemmyContext; use serde::{export::fmt::Debug, Serialize}; use url::Url; @@ -151,3 +151,22 @@ pub(crate) async fn is_addressed_to_community_followers( } Ok(None) } + +pub(in crate::inbox) fn assert_activity_not_local(activity: &T) -> Result<(), LemmyError> +where + T: BaseExt + Debug, +{ + let id = activity.id_unchecked().context(location_info!())?; + let activity_domain = id.domain().context(location_info!())?; + + if activity_domain == Settings::get().hostname { + return Err( + anyhow!( + "Error: received activity which was sent by local instance: {:?}", + activity + ) + .into(), + ); + } + Ok(()) +} diff --git a/lemmy_apub/src/inbox/shared_inbox.rs b/lemmy_apub/src/inbox/shared_inbox.rs index dfd58366..2875696e 100644 --- a/lemmy_apub/src/inbox/shared_inbox.rs +++ b/lemmy_apub/src/inbox/shared_inbox.rs @@ -1,5 +1,6 @@ use crate::{ inbox::{ + assert_activity_not_local, community_inbox::{community_receive_message, CommunityAcceptedActivities}, get_activity_id, get_activity_to_and_cc, @@ -58,6 +59,7 @@ pub async fn shared_inbox( return Ok(HttpResponse::Ok().finish()); } + assert_activity_not_local(&activity)?; // Log the activity, so we avoid receiving and parsing it twice. Note that this could still happen // if we receive the same activity twice in very quick succession. insert_activity(&activity_id, activity.clone(), false, true, context.pool()).await?; diff --git a/lemmy_apub/src/inbox/user_inbox.rs b/lemmy_apub/src/inbox/user_inbox.rs index dfcb2d61..2f847a5c 100644 --- a/lemmy_apub/src/inbox/user_inbox.rs +++ b/lemmy_apub/src/inbox/user_inbox.rs @@ -19,6 +19,7 @@ use crate::{ check_is_apub_id_valid, fetcher::get_or_fetch_and_upsert_community, inbox::{ + assert_activity_not_local, get_activity_id, get_activity_to_and_cc, inbox_verify_http_signature, @@ -106,6 +107,7 @@ pub async fn user_inbox( return Err(anyhow!("Activity delivered to wrong user").into()); } + assert_activity_not_local(&activity)?; insert_activity(&activity_id, activity.clone(), false, true, context.pool()).await?; debug!( -- 2.44.1