Re-fetch object if attributedTo value doesn't match actor of Create activity

This commit is contained in:
silverpill 2023-04-11 01:02:09 +00:00 committed by Rafael Caricio
parent 8daf566eb2
commit 55c0b1eb6b
Signed by: rafaelcaricio
GPG key ID: 3C86DBCE8E93C947
2 changed files with 11 additions and 2 deletions

View file

@ -8,13 +8,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Added ### Added
- Support Monero Wallet RPC authentication.
- Added `create-user` command. - Added `create-user` command.
### Changed ### Changed
- Added emoji count check to profile data validator. - Added emoji count check to profile data validator.
- Check mention and link counts when creating post. - Check mention and link counts when creating post.
- Re-fetch object if `attributedTo` value doesn't match `actor` of `Create` activity.
## [1.20.0] - 2023-03-07 ## [1.20.0] - 2023-03-07

View file

@ -680,7 +680,7 @@ pub async fn handle_create(
config: &Config, config: &Config,
db_client: &mut impl DatabaseClient, db_client: &mut impl DatabaseClient,
activity: JsonValue, activity: JsonValue,
is_authenticated: bool, mut is_authenticated: bool,
) -> HandlerResult { ) -> HandlerResult {
let object: Object = serde_json::from_value(activity["object"].to_owned()) let object: Object = serde_json::from_value(activity["object"].to_owned())
.map_err(|_| ValidationError("invalid object"))?; .map_err(|_| ValidationError("invalid object"))?;
@ -691,6 +691,15 @@ pub async fn handle_create(
return Ok(None); return Ok(None);
}; };
// Verify attribution
let actor_id = activity["actor"].as_str()
.ok_or(ValidationError("actor property is missing"))?;
let author_id = get_object_attributed_to(&object)?;
if actor_id != author_id {
log::warn!("attributedTo value doesn't match actor");
is_authenticated = false; // Object will be fetched
};
let object_id = object.id.clone(); let object_id = object.id.clone();
let object_received = if is_authenticated { let object_received = if is_authenticated {
Some(object) Some(object)