Verify follow request target when processing Accept(Follow)

Activity sender and the target must be the same.
2022-01-03 23:19:52 +00:00 · 2022-01-03 23:19:52 +00:00 · adb5a6c651
parent d4964878f2
commit adb5a6c651
2 changed files with 28 additions and 0 deletions
--- a/src/activitypub/receiver.rs
+++ b/src/activitypub/receiver.rs
@ -33,6 +33,7 @@ use crate::models::relationships::queries::{
    follow_request_accepted,
    follow_request_rejected,
    follow,
+    get_follow_request_by_id,
    unfollow,
 };
 use crate::models::users::queries::get_user_by_name;
@ -368,15 +369,25 @@ pub async fn receive_activity(
    let object_type = match (activity_type.as_str(), maybe_object_type) {
        (ACCEPT, FOLLOW) => {
            require_actor_signature(&activity.actor, signer_id)?;
+            let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
            let object_id = get_object_id(activity.object)?;
            let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?;
+            let follow_request = get_follow_request_by_id(db_client, &follow_request_id).await?;
+            if follow_request.target_id != actor_profile.id {
+                return Err(HttpError::ValidationError("actor is not a target".into()));
+            };
            follow_request_accepted(db_client, &follow_request_id).await?;
            FOLLOW
        },
        (REJECT, FOLLOW) => {
            require_actor_signature(&activity.actor, signer_id)?;
+            let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
            let object_id = get_object_id(activity.object)?;
            let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?;
+            let follow_request = get_follow_request_by_id(db_client, &follow_request_id).await?;
+            if follow_request.target_id != actor_profile.id {
+                return Err(HttpError::ValidationError("actor is not a target".into()));
+            };
            follow_request_rejected(db_client, &follow_request_id).await?;
            FOLLOW
        },
--- a/src/models/relationships/queries.rs
+++ b/src/models/relationships/queries.rs
@ -221,6 +221,23 @@ pub async fn delete_follow_request(
    Ok(is_success)
 }

+pub async fn get_follow_request_by_id(
+    db_client:  &impl GenericClient,
+    request_id: &Uuid,
+) -> Result<DbFollowRequest, DatabaseError> {
+    let maybe_row = db_client.query_opt(
+        "
+        SELECT follow_request
+        FROM follow_request
+        WHERE id = $1
+        ",
+        &[&request_id],
+    ).await?;
+    let row = maybe_row.ok_or(DatabaseError::NotFound("follow request"))?;
+    let request = row.try_get("follow_request")?;
+    Ok(request)
+}
+
 pub async fn get_follow_request_by_path(
    db_client: &impl GenericClient,
    source_id: &Uuid,