From 3f9ede79edadfc80e732da4b80e71700a7c7509a Mon Sep 17 00:00:00 2001 From: Felix Ableitner Date: Tue, 13 Oct 2020 18:06:26 +0200 Subject: [PATCH] Add domain checks for private message inbox --- lemmy_apub/src/inbox/user_inbox.rs | 50 ++++++++++++++++++++++++++++-- 1 file changed, 48 insertions(+), 2 deletions(-) diff --git a/lemmy_apub/src/inbox/user_inbox.rs b/lemmy_apub/src/inbox/user_inbox.rs index 779178509..7bc36a0ff 100644 --- a/lemmy_apub/src/inbox/user_inbox.rs +++ b/lemmy_apub/src/inbox/user_inbox.rs @@ -8,6 +8,7 @@ use crate::{ use activitystreams::{ activity::{Accept, ActorAndObject, Create, Delete, Undo, Update}, base::AnyBase, + error::DomainError, object::Note, prelude::*, }; @@ -130,7 +131,17 @@ async fn receive_create_private_message( )? .context(location_info!())?; - let domain = Some(create.id_unchecked().context(location_info!())?.to_owned()); + let actor = create + .actor()? + .to_owned() + .single_xsd_any_uri() + .context(location_info!())?; + let domain = Some( + create + .id(actor.domain().context(location_info!())?)? + .context(location_info!())? + .to_owned(), + ); let private_message = PrivateMessageForm::from_apub(¬e, context, domain).await?; let inserted_private_message = blocking(&context.pool(), move |conn| { @@ -171,7 +182,17 @@ async fn receive_update_private_message( )? .context(location_info!())?; - let domain = Some(update.id_unchecked().context(location_info!())?.to_owned()); + let actor = update + .actor()? + .to_owned() + .single_xsd_any_uri() + .context(location_info!())?; + let domain = Some( + update + .id(actor.domain().context(location_info!())?)? + .context(location_info!())? + .to_owned(), + ); let private_message_form = PrivateMessageForm::from_apub(¬e, context, domain).await?; let private_message_ap_id = private_message_form @@ -220,6 +241,18 @@ async fn receive_delete_private_message( .to_owned() .single_xsd_any_uri() .context(location_info!())?; + let actor = delete + .actor()? + .to_owned() + .single_xsd_any_uri() + .context(location_info!())?; + let delete_id = delete + .id(actor.domain().context(location_info!())?)? + .map(|i| i.domain()) + .flatten(); + if private_message_id.domain() != delete_id { + return Err(DomainError.into()); + } let private_message = blocking(context.pool(), move |conn| { PrivateMessage::read_from_apub_id(conn, private_message_id.as_str()) }) @@ -258,6 +291,19 @@ async fn receive_undo_delete_private_message( .to_owned() .single_xsd_any_uri() .context(location_info!())?; + let actor = undo + .actor()? + .to_owned() + .single_xsd_any_uri() + .context(location_info!())?; + let undo_id = undo + .id(actor.domain().context(location_info!())?)? + .map(|i| i.domain()) + .flatten(); + if private_message_id.domain() != undo_id { + return Err(DomainError.into()); + } + let private_message = blocking(context.pool(), move |conn| { PrivateMessage::read_from_apub_id(conn, private_message_id.as_str()) })