mirror of
https://git.joinplu.me/Plume/Plume.git
synced 2024-11-22 19:41:03 +00:00
Validate spoofing of Create activity
This commit is contained in:
parent
350697f89a
commit
5cd8ae9106
1 changed files with 28 additions and 0 deletions
|
@ -164,6 +164,11 @@ where
|
|||
Some(x) => x,
|
||||
None => return Inbox::NotHandled(ctx, act, InboxError::InvalidActor(None)),
|
||||
};
|
||||
|
||||
if Self::is_spoofed_activity(&actor_id, &act) {
|
||||
return Inbox::NotHandled(ctx, act, InboxError::InvalidObject(None));
|
||||
}
|
||||
|
||||
// Transform this actor to a model (see FromId for details about the from_id function)
|
||||
let actor = match A::from_id(
|
||||
ctx,
|
||||
|
@ -222,6 +227,29 @@ where
|
|||
Inbox::Failed(err) => Err(err),
|
||||
}
|
||||
}
|
||||
|
||||
fn is_spoofed_activity(actor_id: &str, act: &serde_json::Value) -> bool {
|
||||
use serde_json::Value::{Array, Object, String};
|
||||
|
||||
if act["type"] != String("Create".to_string()) {
|
||||
return false;
|
||||
}
|
||||
let attributed_to = act["object"].get("attributedTo");
|
||||
if attributed_to.is_none() {
|
||||
return false;
|
||||
}
|
||||
let attributed_to = attributed_to.unwrap();
|
||||
match attributed_to {
|
||||
Array(v) => v.iter().all(|i| match i {
|
||||
String(s) => s != actor_id,
|
||||
Object(_) => false, // TODO: Validate recursively"
|
||||
_ => false,
|
||||
}),
|
||||
String(s) => s != actor_id,
|
||||
Object(_) => false, // TODO: Validate Recursively
|
||||
_ => false,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Get the ActivityPub ID of a JSON value.
|
||||
|
|
Loading…
Reference in a new issue