diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ace2d3..c3f37a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Increase maximum number of custom emojis per post to 50.
+- Validate actor aliases before saving into database.
 ## [1.19.1] - 2023-03-31
diff --git a/src/activitypub/actors/helpers.rs b/src/activitypub/actors/helpers.rs
index 41a93ba..5f9849f 100644
--- a/src/activitypub/actors/helpers.rs
+++ b/src/activitypub/actors/helpers.rs
@@ -18,6 +18,7 @@ use crate::activitypub::{
 actors::types::Actor,
 fetcher::fetchers::fetch_file,
 handlers::create::handle_emoji,
+ identifiers::validate_object_id,
 receiver::{parse_array, HandlerError},
 vocabulary::{EMOJI, HASHTAG},
 };
@@ -92,7 +93,17 @@ fn parse_aliases(actor: &Actor) -> Vec {
 actor.also_known_as.as_ref()
 .and_then(|value| {
 match parse_array(value) {
- Ok(array) => Some(array),
+ Ok(array) => {
+ let mut aliases = vec![];
+ for actor_id in array {
+ if validate_object_id(&actor_id).is_err() {
+ log::warn!("invalid alias: {}", actor_id);
+ continue;
+ };
+ aliases.push(actor_id);
+ };
+ Some(aliases)
+ },
 Err(_) => {
 log::warn!("invalid alias list: {}", value);
 None
diff --git a/src/activitypub/identifiers.rs b/src/activitypub/identifiers.rs
index 5b650a9..e9cdf55 100644
--- a/src/activitypub/identifiers.rs
+++ b/src/activitypub/identifiers.rs
@@ -5,6 +5,7 @@ use mitra_models::{
 posts::types::Post,
 profiles::types::DbActorProfile,
 };
+use mitra_utils::urls::get_hostname;
 use crate::errors::ValidationError;
@@ -81,6 +82,12 @@ pub fn local_tag_collection(instance_url: &str, tag_name: &str) -> String {
 format!("{}/collections/tags/{}", instance_url, tag_name)
 }
+pub fn validate_object_id(object_id: &str) -> Result<(), ValidationError> {
+ get_hostname(object_id)
+ .map_err(|_| ValidationError("invalid object ID"))?;
+ Ok(())
+}
 pub fn parse_local_actor_id(
 instance_url: &str,
 actor_id: &str,
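Review bot: The validated alias list is still unbounded — every `alsoKnownAs` entry that passes `validate_object_id` is pushed into `aliases`, so a remote actor can supply an arbitrarily long list that, per the changelog entry, is then saved to the database; a cap before the push, e.g. `if aliases.len() >= MAX_ALIASES { break; }` (constant to be chosen), would bound that. The rejected value is logged verbatim with `{}`; since it is remote-controlled text, `log::warn!("invalid alias: {:?}", actor_id);` escapes control characters and keeps one alias per log line. The `};` after the `if` block and after the `for` loop are stray semicolons that clippy's `redundant_semicolons` lint flags; drop both. `parse_aliases` begins and ends outside the hunk.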
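Review bot: `validate_object_id` is a new public function without a doc comment, and the only thing its body establishes is that `get_hostname` succeeds on the input, so callers such as the alias filter should be told that this is the whole contract. Suggested: `/// Accepts any string from which `get_hostname` can extract a hostname; performs no further checks (scheme, local vs. remote host) itself.` A unit test pinning at least one accepted actor URL and one rejected non-URL string would document the boundary, since the strictness inherited from `get_hostname` is not visible here. The function is complete within the hunk.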