Validate spoofing of Create activity

Kitaiti Makoto 2020-12-02 01:04:49 +09:00
parent 350697f89a
commit 5cd8ae9106


@ -164,6 +164,11 @@ where
Some(x) => x,
None => return Inbox::NotHandled(ctx, act, InboxError::InvalidActor(None)),
};
if Self::is_spoofed_activity(&actor_id, &act) {
return Inbox::NotHandled(ctx, act, InboxError::InvalidObject(None));
}
// Transform this actor to a model (see FromId for details about the from_id function)
let actor = match A::from_id(
ctx,
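Review bot: The new guard at the `is_spoofed_activity` call has no comment, unlike the `from_id` step right below it; something like `// Reject a Create whose object is attributedTo someone other than the sending actor` would tell the reader why `InvalidObject` is returned here. The check is only as strong as the origin of `actor_id`, which is resolved above this hunk and is not visible; if it is read from the activity body rather than from a verified signature, the comment should say so. The enclosing function starts and ends outside the hunk.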
@ -222,6 +227,29 @@ where
Inbox::Failed(err) => Err(err),
}
}
fn is_spoofed_activity(actor_id: &str, act: &serde_json::Value) -> bool {
use serde_json::Value::{Array, Object, String};
if act["type"] != String("Create".to_string()) {
return false;
}
let attributed_to = act["object"].get("attributedTo");
if attributed_to.is_none() {
return false;
}
let attributed_to = attributed_to.unwrap();
match attributed_to {
Array(v) => v.iter().all(|i| match i {
String(s) => s != actor_id,
Object(_) => false, // TODO: Validate recursively"
_ => false,
}),
String(s) => s != actor_id,
Object(_) => false, // TODO: Validate Recursively
_ => false,
}
}
}
/// Get the ActivityPub ID of a JSON value.
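Review bot: The `Object(_) => false` and `_ => false` arms make `is_spoofed_activity` fail open: an `attributedTo` that is an embedded object, or any other non-string value, is accepted without being compared to `actor_id`, and inside the `Array` arm a single such element makes `all` return false for the whole list. Until the recursive validation named in the TODOs exists, the safer default is to compare the embedded object's id and treat unknown shapes as spoofed, e.g. `Object(o) => o.get("id").and_then(|v| v.as_str()) != Some(actor_id),` and `_ => true,` in both matches. The function also inspects only `Create`; how other activity types that carry an object are handled is not visible on this page, so that may need the same check. As a style point, `act["type"].as_str() != Some("Create")` avoids the allocation, and the `is_none()`/`unwrap()` pair reads better as a single `match` on the `Option`.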