From 6604ea8a2b8e816438015b76be2af4b035c0a973 Mon Sep 17 00:00:00 2001
From: silverpill
Date: Fri, 31 Mar 2023 17:05:41 +0000
Subject: [PATCH] Limit number of mentions and links in remote posts

---
 CHANGELOG.md | 4 ++++
 src/activitypub/handlers/create.rs | 10 ++++++++++
 src/mastodon_api/statuses/microsyntax/links.rs | 3 ++-
 src/validators/posts.rs | 2 ++
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0d3636d..bca1981 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Changed
+
+- Limit number of mentions and links in remote posts.
+
 ## [1.19.0] - 2023-03-30
 
 ### Added
diff --git a/src/activitypub/handlers/create.rs b/src/activitypub/handlers/create.rs
index f7d1022..db7cda3 100644
--- a/src/activitypub/handlers/create.rs
+++ b/src/activitypub/handlers/create.rs
@@ -52,6 +52,8 @@ use crate::validators::{
         ATTACHMENTS_MAX_NUM,
         CONTENT_MAX_SIZE,
         EMOJIS_MAX_NUM,
+        LINKS_MAX_NUM,
+        MENTIONS_MAX_NUM,
     },
     tags::validate_hashtag,
 };
@@ -359,6 +361,10 @@ pub async fn get_object_tags(
             };
         };
     } else if tag_type == MENTION {
+        if mentions.len() >= MENTIONS_MAX_NUM {
+            log::warn!("too many mentions");
+            continue;
+        };
         let tag: Tag = match serde_json::from_value(tag_value) {
             Ok(tag) => tag,
             Err(_) => {
@@ -436,6 +442,10 @@ pub async fn get_object_tags(
             log::warn!("failed to parse mention {}", tag_name);
         };
     } else if tag_type == LINK {
+        if links.len() >= LINKS_MAX_NUM {
+            log::warn!("too many links");
+            continue;
+        };
         let tag: LinkTag = match serde_json::from_value(tag_value) {
             Ok(tag) => tag,
             Err(_) => {
diff --git a/src/mastodon_api/statuses/microsyntax/links.rs b/src/mastodon_api/statuses/microsyntax/links.rs
index e8e5a72..1b7fe35 100644
--- a/src/mastodon_api/statuses/microsyntax/links.rs
+++ b/src/mastodon_api/statuses/microsyntax/links.rs
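Review bot: The guard at the top of the MENTION branch compares against `mentions.len()`, which presumably counts only mentions that parsed and resolved (the `failed to parse mention` path in the next hunk does not appear to add to it), so a remote object can still carry an unbounded number of mention tags through the full resolution path as long as each one fails; if that path performs a remote lookup, which is not visible here, the limit does not bound those lookups either. Counting mention tags seen rather than mentions kept bounds the work instead of the result, e.g. `mentions_seen += 1; if mentions_seen > MENTIONS_MAX_NUM { log::warn!("too many mentions"); continue; }` with the counter declared next to `mentions`. Each excess tag also emits its own `log::warn!` line, so an object with thousands of tags floods the log; warning once after the loop, or logging at debug level, avoids that. The same two points apply to the LINK branch in the hunk at `@@ -436,6 +442,10`. `get_object_tags` starts and ends outside both hunks.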
@@ -8,6 +8,7 @@ use mitra_models::{
 };
 
 use crate::activitypub::fetcher::helpers::get_post_by_object_id;
+use crate::validators::posts::LINKS_MAX_NUM;
 
 // MediaWiki-like syntax: [[url|text]]
 const OBJECT_LINK_SEARCH_RE: &str = r"(?m)\[\[(?P[^\s\|]+)(\|(?P.+?))?\]\]";
@@ -48,7 +49,7 @@ pub async fn find_linked_posts(
     let mut link_map: HashMap = HashMap::new();
     let mut counter = 0;
     for url in links {
-        if counter > 10 {
+        if counter > LINKS_MAX_NUM {
             // Limit the number of queries
             break;
             // TODO: single database query
diff --git a/src/validators/posts.rs b/src/validators/posts.rs
index 9435820..494027e 100644
--- a/src/validators/posts.rs
+++ b/src/validators/posts.rs
@@ -3,6 +3,8 @@ use mitra_utils::html::clean_html_strict;
 use crate::errors::ValidationError;
 
 pub const ATTACHMENTS_MAX_NUM: usize = 15;
+pub const MENTIONS_MAX_NUM: usize = 50;
+pub const LINKS_MAX_NUM: usize = 10;
 pub const EMOJIS_MAX_NUM: usize = 20;
 pub const CONTENT_MAX_SIZE: usize = 100000;
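Review bot: `if counter > LINKS_MAX_NUM` in `find_linked_posts` is off by one relative to the new check in `create.rs`: with `>` the loop keeps going until `counter` exceeds the limit, so up to `LINKS_MAX_NUM + 1` links are processed (assuming `counter` advances once per iteration; its increment is outside the hunk), whereas `create.rs` drops a tag as soon as `links.len() >= LINKS_MAX_NUM`. Changing it to `if counter >= LINKS_MAX_NUM {` makes the two paths agree and keeps the query count at the limit the comment below it promises. Since the constant now governs both the remote tag parser and this local link-resolution loop, a doc comment on `LINKS_MAX_NUM` in `posts.rs` such as `/// Maximum number of object links per post; shared by remote tag parsing and local link resolution.` would keep the two from drifting apart again. `find_linked_posts` starts and ends outside the hunk.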