mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2025-01-25 16:38:15 +00:00
activitypub: fix possibility of spoofing by containing remote objects to the same domain as their actor
This commit is contained in:
parent
2e2f458705
commit
0b2c051a04
2 changed files with 15 additions and 0 deletions
|
@ -747,6 +747,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|
||||||
"actor" => data["attributedTo"],
|
"actor" => data["attributedTo"],
|
||||||
"object" => data
|
"object" => data
|
||||||
},
|
},
|
||||||
|
:ok <- Transmogrifier.contain_origin(id, params),
|
||||||
{:ok, activity} <- Transmogrifier.handle_incoming(params) do
|
{:ok, activity} <- Transmogrifier.handle_incoming(params) do
|
||||||
{:ok, Object.normalize(activity.data["object"])}
|
{:ok, Object.normalize(activity.data["object"])}
|
||||||
else
|
else
|
||||||
|
|
|
@ -30,6 +30,20 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
|
||||||
actor["id"]
|
actor["id"]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@doc """
|
||||||
|
Checks that an imported AP object's actor matches the domain it came from.
|
||||||
|
"""
|
||||||
|
def contain_origin(id, %{"actor" => actor}) do
|
||||||
|
id_uri = URI.parse(id)
|
||||||
|
actor_uri = URI.parse(actor)
|
||||||
|
|
||||||
|
if id_uri.host == actor_uri.host do
|
||||||
|
:ok
|
||||||
|
else
|
||||||
|
:error
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
@doc """
|
@doc """
|
||||||
Modifies an incoming AP object (mastodon format) to our internal format.
|
Modifies an incoming AP object (mastodon format) to our internal format.
|
||||||
"""
|
"""
|
||||||
|
|
Loading…
Reference in a new issue