Add check to make sure that inbox doesnt receive local activities (ref #1283) (#147)

Fixed comparison

Add check to make sure that inbox doesnt receive local activities (ref #1283)

Co-authored-by: Felix Ableitner <me@nutomic.com>
Reviewed-on: https://yerbamate.ml/LemmyNet/lemmy/pulls/147

diff --git a/lemmy_apub/src/inbox/community_inbox.rs b/lemmy_apub/src/inbox/community_inbox.rs
index 137f3fea49ba9f90a542b81dc8f353aad3cbdcdb..7c144a00d5a7decafd377977144c693c527ba25a 100644 (file)
--- a/lemmy_apub/src/inbox/community_inbox.rs
+++ b/lemmy_apub/src/inbox/community_inbox.rs
@@ -1,6 +1,7 @@
 use crate::{
   activities::receive::verify_activity_domains_valid,
   inbox::{
+    assert_activity_not_local,
     get_activity_id,
     get_activity_to_and_cc,
     inbox_verify_http_signature,
@@ -85,6 +86,7 @@ pub async fn community_inbox(
     return Err(anyhow!("Activity delivered to wrong community").into());
   }
 
+  assert_activity_not_local(&activity)?;
   insert_activity(&activity_id, activity.clone(), false, true, context.pool()).await?;
 
   info!(

diff --git a/lemmy_apub/src/inbox/mod.rs b/lemmy_apub/src/inbox/mod.rs
index 4fdbb7a535fd4beb6daca3d911ceff5a9f9bb7c2..ce6c7eded500cf8da924d935f091be6cf80c55b2 100644 (file)
--- a/lemmy_apub/src/inbox/mod.rs
+++ b/lemmy_apub/src/inbox/mod.rs
@@ -14,7 +14,7 @@ use actix_web::HttpRequest;
 use anyhow::{anyhow, Context};
 use lemmy_db::{activity::Activity, community::Community, user::User_, DbPool};
 use lemmy_structs::blocking;
-use lemmy_utils::{location_info, LemmyError};
+use lemmy_utils::{location_info, settings::Settings, LemmyError};
 use lemmy_websocket::LemmyContext;
 use serde::{export::fmt::Debug, Serialize};
 use url::Url;
@@ -151,3 +151,22 @@ pub(crate) async fn is_addressed_to_community_followers(
   }
   Ok(None)
 }
+
+pub(in crate::inbox) fn assert_activity_not_local<T, Kind>(activity: &T) -> Result<(), LemmyError>
+where
+  T: BaseExt<Kind> + Debug,
+{
+  let id = activity.id_unchecked().context(location_info!())?;
+  let activity_domain = id.domain().context(location_info!())?;
+
+  if activity_domain == Settings::get().hostname {
+    return Err(
+      anyhow!(
+        "Error: received activity which was sent by local instance: {:?}",
+        activity
+      )
+      .into(),
+    );
+  }
+  Ok(())
+}

diff --git a/lemmy_apub/src/inbox/shared_inbox.rs b/lemmy_apub/src/inbox/shared_inbox.rs
index dfd5836626634d53604c6c52ac16f5434e831585..2875696e250d66d914b9dab7ade19479dc67d62c 100644 (file)
--- a/lemmy_apub/src/inbox/shared_inbox.rs
+++ b/lemmy_apub/src/inbox/shared_inbox.rs
@@ -1,5 +1,6 @@
 use crate::{
   inbox::{
+    assert_activity_not_local,
     community_inbox::{community_receive_message, CommunityAcceptedActivities},
     get_activity_id,
     get_activity_to_and_cc,
@@ -58,6 +59,7 @@ pub async fn shared_inbox(
     return Ok(HttpResponse::Ok().finish());
   }
 
+  assert_activity_not_local(&activity)?;
   // Log the activity, so we avoid receiving and parsing it twice. Note that this could still happen
   // if we receive the same activity twice in very quick succession.
   insert_activity(&activity_id, activity.clone(), false, true, context.pool()).await?;

diff --git a/lemmy_apub/src/inbox/user_inbox.rs b/lemmy_apub/src/inbox/user_inbox.rs
index dfcb2d618f9e3f69a934723b7a5edd15a42639f6..2f847a5cd8c5643b5553227c83f54c77c25fec3b 100644 (file)
--- a/lemmy_apub/src/inbox/user_inbox.rs
+++ b/lemmy_apub/src/inbox/user_inbox.rs
@@ -19,6 +19,7 @@ use crate::{
   check_is_apub_id_valid,
   fetcher::get_or_fetch_and_upsert_community,
   inbox::{
+    assert_activity_not_local,
     get_activity_id,
     get_activity_to_and_cc,
     inbox_verify_http_signature,
@@ -106,6 +107,7 @@ pub async fn user_inbox(
     return Err(anyhow!("Activity delivered to wrong user").into());
   }
 
+  assert_activity_not_local(&activity)?;
   insert_activity(&activity_id, activity.clone(), false, true, context.pool()).await?;
 
   debug!(