From 5c8170a97d45fa039f80c15ef0d4a1d56662b1cb Mon Sep 17 00:00:00 2001 From: Kitaiti Makoto Date: Wed, 2 Dec 2020 01:04:49 +0900 Subject: [PATCH] Validate spoofing of Create activity --- plume-common/src/activity_pub/inbox.rs | 28 ++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/plume-common/src/activity_pub/inbox.rs b/plume-common/src/activity_pub/inbox.rs index 9c714614..fdfec3e1 100644 --- a/plume-common/src/activity_pub/inbox.rs +++ b/plume-common/src/activity_pub/inbox.rs @@ -164,6 +164,11 @@ where Some(x) => x, None => return Inbox::NotHandled(ctx, act, InboxError::InvalidActor(None)), }; + + if Self::is_spoofed_activity(&actor_id, &act) { + return Inbox::NotHandled(ctx, act, InboxError::InvalidObject(None)); + } + // Transform this actor to a model (see FromId for details about the from_id function) let actor = match A::from_id( ctx, @@ -222,6 +227,29 @@ where Inbox::Failed(err) => Err(err), } } + + fn is_spoofed_activity(actor_id: &str, act: &serde_json::Value) -> bool { + use serde_json::Value::{Array, Object, String}; + + if act["type"] != String("Create".to_string()) { + return false; + } + let attributed_to = act["object"].get("attributedTo"); + if attributed_to.is_none() { + return false; + } + let attributed_to = attributed_to.unwrap(); + match attributed_to { + Array(v) => v.iter().all(|i| match i { + String(s) => s != actor_id, + Object(_) => false, // TODO: Validate recursively" + _ => false, + }), + String(s) => s != actor_id, + Object(_) => false, // TODO: Validate Recursively + _ => false, + } + } } /// Get the ActivityPub ID of a JSON value.