Verify post/reaction author when processing Delete() and Undo() activities

Activity sender and the author must be the same.
2022-01-03 23:38:11 +00:00 · 2022-01-03 23:38:11 +00:00 · d045df4232
parent adb5a6c651
commit d045df4232
1 changed files with 12 additions and 1 deletions
--- a/src/activitypub/receiver.rs
+++ b/src/activitypub/receiver.rs
@ -398,7 +398,7 @@ pub async fn receive_activity(
            let object_received = if activity.actor == signer_id {
                Some(object)
            } else {
-                // Fetch forwarded note
+                // Fetch forwarded note, don't trust the sender
                None
            };
            process_note(config, db_client, object_id, object_received).await?;
@ -449,6 +449,10 @@ pub async fn receive_activity(
                Err(DatabaseError::NotFound(_)) => return Ok(()),
                Err(other_error) => return Err(other_error.into()),
            };
+            let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
+            if post.author.id != actor_profile.id {
+                return Err(HttpError::ValidationError("actor is not an author".into()));
+            };
            let deletion_queue = delete_post(db_client, &post.id).await?;
            let config = config.clone();
            actix_rt::spawn(async move {
@ -535,10 +539,14 @@ pub async fn receive_activity(
        },
        (UNDO, _) => {
            require_actor_signature(&activity.actor, signer_id)?;
+            let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
            let object_id = get_object_id(activity.object)?;
            match get_reaction_by_activity_id(db_client, &object_id).await {
                Ok(reaction) => {
                    // Undo(Like)
+                    if reaction.author_id != actor_profile.id {
+                        return Err(HttpError::ValidationError("actor is not an author".into()));
+                    };
                    delete_reaction(
                        db_client,
                        &reaction.author_id,
@ -554,6 +562,9 @@ pub async fn receive_activity(
                        Err(DatabaseError::NotFound(_)) => return Ok(()),
                        Err(other_error) => return Err(other_error.into()),
                    };
+                    if post.author.id != actor_profile.id {
+                        return Err(HttpError::ValidationError("actor is not an author".into()));
+                    };
                    match post.repost_of_id {
                        // Ignore returned data because reposts don't have attached files
                        Some(_) => delete_post(db_client, &post.id).await?,