Validate spoofing of Create activity

2020-12-02 01:04:49 +09:00 · 2020-12-02 01:04:49 +09:00 · 5cd8ae9106
commit 5cd8ae9106
parent 350697f89a
1 changed files with 28 additions and 0 deletions
--- a/plume-common/src/activity_pub/inbox.rs
+++ b/plume-common/src/activity_pub/inbox.rs
@ -164,6 +164,11 @@ where
                    Some(x) => x,
                    None => return Inbox::NotHandled(ctx, act, InboxError::InvalidActor(None)),
                };
+
+                if Self::is_spoofed_activity(&actor_id, &act) {
+                    return Inbox::NotHandled(ctx, act, InboxError::InvalidObject(None));
+                }
+
                // Transform this actor to a model (see FromId for details about the from_id function)
                let actor = match A::from_id(
                    ctx,
@ -222,6 +227,29 @@ where
            Inbox::Failed(err) => Err(err),
        }
    }
+
+    fn is_spoofed_activity(actor_id: &str, act: &serde_json::Value) -> bool {
+        use serde_json::Value::{Array, Object, String};
+
+        if act["type"] != String("Create".to_string()) {
+            return false;
+        }
+        let attributed_to = act["object"].get("attributedTo");
+        if attributed_to.is_none() {
+            return false;
+        }
+        let attributed_to = attributed_to.unwrap();
+        match attributed_to {
+            Array(v) => v.iter().all(|i| match i {
+                String(s) => s != actor_id,
+                Object(_) => false, // TODO: Validate recursively"
+                _ => false,
+            }),
+            String(s) => s != actor_id,
+            Object(_) => false, // TODO: Validate Recursively
+            _ => false,
+        }
+    }
 }

 /// Get the ActivityPub ID of a JSON value.