Validate spoofing of Create activity
This commit is contained in:
parent
beaeaf743a
commit
5c8170a97d
@ -164,6 +164,11 @@ where
|
|||||||
Some(x) => x,
|
Some(x) => x,
|
||||||
None => return Inbox::NotHandled(ctx, act, InboxError::InvalidActor(None)),
|
None => return Inbox::NotHandled(ctx, act, InboxError::InvalidActor(None)),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
if Self::is_spoofed_activity(&actor_id, &act) {
|
||||||
|
return Inbox::NotHandled(ctx, act, InboxError::InvalidObject(None));
|
||||||
|
}
|
||||||
|
|
||||||
// Transform this actor to a model (see FromId for details about the from_id function)
|
// Transform this actor to a model (see FromId for details about the from_id function)
|
||||||
let actor = match A::from_id(
|
let actor = match A::from_id(
|
||||||
ctx,
|
ctx,
|
||||||
@ -222,6 +227,29 @@ where
|
|||||||
Inbox::Failed(err) => Err(err),
|
Inbox::Failed(err) => Err(err),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn is_spoofed_activity(actor_id: &str, act: &serde_json::Value) -> bool {
|
||||||
|
use serde_json::Value::{Array, Object, String};
|
||||||
|
|
||||||
|
if act["type"] != String("Create".to_string()) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
let attributed_to = act["object"].get("attributedTo");
|
||||||
|
if attributed_to.is_none() {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
let attributed_to = attributed_to.unwrap();
|
||||||
|
match attributed_to {
|
||||||
|
Array(v) => v.iter().all(|i| match i {
|
||||||
|
String(s) => s != actor_id,
|
||||||
|
Object(_) => false, // TODO: Validate recursively"
|
||||||
|
_ => false,
|
||||||
|
}),
|
||||||
|
String(s) => s != actor_id,
|
||||||
|
Object(_) => false, // TODO: Validate Recursively
|
||||||
|
_ => false,
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Get the ActivityPub ID of a JSON value.
|
/// Get the ActivityPub ID of a JSON value.
|
||||||
|
Loading…
Reference in New Issue
Block a user