aitzol/Plume
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Validate spoofing of Create activity

Browse Source
This commit is contained in:
Kitaiti Makoto 2020-12-02 01:04:49 +09:00 committed by Gitea
parent beaeaf743a
commit 5c8170a97d
1 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
plume-common/src/activity_pub/inbox.rs
View File

@ -164,6 +164,11 @@ where
Some(x) => x, Some(x) => x,
None => return Inbox::NotHandled(ctx, act, InboxError::InvalidActor(None)), None => return Inbox::NotHandled(ctx, act, InboxError::InvalidActor(None)),
}; };
if Self::is_spoofed_activity(&actor_id, &act) {
return Inbox::NotHandled(ctx, act, InboxError::InvalidObject(None));
}
// Transform this actor to a model (see FromId for details about the from_id function) // Transform this actor to a model (see FromId for details about the from_id function)
let actor = match A::from_id( let actor = match A::from_id(
ctx, ctx,
@ -222,6 +227,29 @@ where
Inbox::Failed(err) => Err(err), Inbox::Failed(err) => Err(err),
} }
} }
fn is_spoofed_activity(actor_id: &str, act: &serde_json::Value) -> bool {
use serde_json::Value::{Array, Object, String};
if act["type"] != String("Create".to_string()) {
return false;
}
let attributed_to = act["object"].get("attributedTo");
if attributed_to.is_none() {
return false;
}
let attributed_to = attributed_to.unwrap();
match attributed_to {
Array(v) => v.iter().all(|i| match i {
String(s) => s != actor_id,
Object(_) => false, // TODO: Validate recursively"
_ => false,
}),
String(s) => s != actor_id,
Object(_) => false, // TODO: Validate Recursively
_ => false,
}
}
} }
/// Get the ActivityPub ID of a JSON value. /// Get the ActivityPub ID of a JSON value.