Verify ID of received apub objects against domain allowlist etc

This commit is contained in:
Felix Ableitner 2020-08-05 14:18:08 +02:00
parent 37b438a77f
commit 233aa34d54
5 changed files with 25 additions and 7 deletions

View file

@ -1,6 +1,7 @@
use crate::{ use crate::{
apub::{ apub::{
activities::{generate_activity_id, send_activity_to_community}, activities::{generate_activity_id, send_activity_to_community},
check_is_apub_id_valid,
create_apub_response, create_apub_response,
create_apub_tombstone_response, create_apub_tombstone_response,
create_tombstone, create_tombstone,
@ -166,6 +167,9 @@ impl FromApub for CommentForm {
None => None, None => None,
}; };
let ap_id = note.id_unchecked().unwrap().to_string();
check_is_apub_id_valid(&Url::parse(&ap_id)?)?;
Ok(CommentForm { Ok(CommentForm {
creator_id: creator.id, creator_id: creator.id,
post_id: post.id, post_id: post.id,
@ -181,7 +185,7 @@ impl FromApub for CommentForm {
published: note.published().map(|u| u.to_owned().naive_local()), published: note.published().map(|u| u.to_owned().naive_local()),
updated: note.updated().map(|u| u.to_owned().naive_local()), updated: note.updated().map(|u| u.to_owned().naive_local()),
deleted: None, deleted: None,
ap_id: note.id_unchecked().unwrap().to_string(), ap_id,
local: false, local: false,
}) })
} }

View file

@ -1,6 +1,7 @@
use crate::{ use crate::{
apub::{ apub::{
activities::{generate_activity_id, send_activity}, activities::{generate_activity_id, send_activity},
check_is_apub_id_valid,
create_apub_response, create_apub_response,
create_apub_tombstone_response, create_apub_tombstone_response,
create_tombstone, create_tombstone,
@ -334,6 +335,8 @@ impl FromApub for CommunityForm {
.unwrap(); .unwrap();
let creator = get_or_fetch_and_upsert_user(creator_uri, client, pool).await?; let creator = get_or_fetch_and_upsert_user(creator_uri, client, pool).await?;
let actor_id = group.inner.id_unchecked().unwrap().to_string();
check_is_apub_id_valid(&Url::parse(&actor_id)?)?;
Ok(CommunityForm { Ok(CommunityForm {
name: group name: group
@ -359,7 +362,7 @@ impl FromApub for CommunityForm {
updated: group.inner.updated().map(|u| u.to_owned().naive_local()), updated: group.inner.updated().map(|u| u.to_owned().naive_local()),
deleted: None, deleted: None,
nsfw: group.ext_one.sensitive, nsfw: group.ext_one.sensitive,
actor_id: group.inner.id_unchecked().unwrap().to_string(), actor_id,
local: false, local: false,
private_key: None, private_key: None,
public_key: Some(group.ext_two.to_owned().public_key.public_key_pem), public_key: Some(group.ext_two.to_owned().public_key.public_key_pem),

View file

@ -1,6 +1,7 @@
use crate::{ use crate::{
apub::{ apub::{
activities::{generate_activity_id, send_activity_to_community}, activities::{generate_activity_id, send_activity_to_community},
check_is_apub_id_valid,
create_apub_response, create_apub_response,
create_apub_tombstone_response, create_apub_tombstone_response,
create_tombstone, create_tombstone,
@ -203,6 +204,9 @@ impl FromApub for PostForm {
None => (None, None, None), None => (None, None, None),
}; };
let ap_id = page.inner.id_unchecked().unwrap().to_string();
check_is_apub_id_valid(&Url::parse(&ap_id)?)?;
let url = page let url = page
.inner .inner
.url() .url()
@ -245,7 +249,7 @@ impl FromApub for PostForm {
embed_description, embed_description,
embed_html, embed_html,
thumbnail_url, thumbnail_url,
ap_id: page.inner.id_unchecked().unwrap().to_string(), ap_id,
local: false, local: false,
}) })
} }

View file

@ -1,6 +1,7 @@
use crate::{ use crate::{
apub::{ apub::{
activities::{generate_activity_id, send_activity}, activities::{generate_activity_id, send_activity},
check_is_apub_id_valid,
create_tombstone, create_tombstone,
fetcher::get_or_fetch_and_upsert_user, fetcher::get_or_fetch_and_upsert_user,
insert_activity, insert_activity,
@ -84,10 +85,10 @@ impl FromApub for PrivateMessageForm {
.unwrap(); .unwrap();
let creator = get_or_fetch_and_upsert_user(&creator_actor_id, client, pool).await?; let creator = get_or_fetch_and_upsert_user(&creator_actor_id, client, pool).await?;
let recipient_actor_id = note.to().unwrap().clone().single_xsd_any_uri().unwrap(); let recipient_actor_id = note.to().unwrap().clone().single_xsd_any_uri().unwrap();
let recipient = get_or_fetch_and_upsert_user(&recipient_actor_id, client, pool).await?; let recipient = get_or_fetch_and_upsert_user(&recipient_actor_id, client, pool).await?;
let ap_id = note.id_unchecked().unwrap().to_string();
check_is_apub_id_valid(&Url::parse(&ap_id)?)?;
Ok(PrivateMessageForm { Ok(PrivateMessageForm {
creator_id: creator.id, creator_id: creator.id,
@ -102,7 +103,7 @@ impl FromApub for PrivateMessageForm {
updated: note.updated().map(|u| u.to_owned().naive_local()), updated: note.updated().map(|u| u.to_owned().naive_local()),
deleted: None, deleted: None,
read: None, read: None,
ap_id: note.id_unchecked().unwrap().to_string(), ap_id,
local: false, local: false,
}) })
} }

View file

@ -1,6 +1,7 @@
use crate::{ use crate::{
apub::{ apub::{
activities::{generate_activity_id, send_activity}, activities::{generate_activity_id, send_activity},
check_is_apub_id_valid,
create_apub_response, create_apub_response,
insert_activity, insert_activity,
ActorType, ActorType,
@ -217,6 +218,11 @@ impl FromApub for UserForm {
None => None, None => None,
}; };
// TODO: here and in community we could actually check against the exact domain where we fetched
// the actor from, if we can pass it in somehow
let actor_id = person.id_unchecked().unwrap().to_string();
check_is_apub_id_valid(&Url::parse(&actor_id)?)?;
Ok(UserForm { Ok(UserForm {
name: person name: person
.name() .name()
@ -241,7 +247,7 @@ impl FromApub for UserForm {
show_avatars: false, show_avatars: false,
send_notifications_to_email: false, send_notifications_to_email: false,
matrix_user_id: None, matrix_user_id: None,
actor_id: person.id_unchecked().unwrap().to_string(), actor_id,
bio: person bio: person
.inner .inner
.summary() .summary()