mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2024-11-14 04:52:17 +00:00
Convert to an Plug called InboxGuard
This commit is contained in:
parent
06deacd58e
commit
16a9b34876
5 changed files with 91 additions and 28 deletions
|
@ -85,6 +85,18 @@ defmodule Pleroma.Constants do
|
|||
]
|
||||
)
|
||||
|
||||
const(allowed_activity_types_from_strangers,
|
||||
do: [
|
||||
"Block",
|
||||
"Create",
|
||||
"Flag",
|
||||
"Follow",
|
||||
"Like",
|
||||
"Move",
|
||||
"React"
|
||||
]
|
||||
)
|
||||
|
||||
# basic regex, just there to weed out potential mistakes
|
||||
# https://datatracker.ietf.org/doc/html/rfc2045#section-5.1
|
||||
const(mime_regex,
|
||||
|
|
|
@ -294,11 +294,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|
|||
end
|
||||
|
||||
def inbox(%{assigns: %{valid_signature: false}} = conn, params) do
|
||||
case unknown_delete?(params) do
|
||||
true ->
|
||||
:ok
|
||||
|
||||
false ->
|
||||
Federator.incoming_ap_doc(%{
|
||||
method: conn.method,
|
||||
req_headers: conn.req_headers,
|
||||
|
@ -306,7 +301,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|
|||
params: params,
|
||||
query_string: conn.query_string
|
||||
})
|
||||
end
|
||||
|
||||
json(conn, "ok")
|
||||
end
|
||||
|
@ -564,17 +558,4 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|
|||
|> json(UserView.render("featured.json", %{user: user}))
|
||||
end
|
||||
end
|
||||
|
||||
defp unknown_delete?(
|
||||
%{
|
||||
"type" => "Delete"
|
||||
} = data
|
||||
) do
|
||||
case data |> Pleroma.Object.Containment.get_actor() |> User.get_cached_by_ap_id() do
|
||||
%User{} -> false
|
||||
_ -> true
|
||||
end
|
||||
end
|
||||
|
||||
defp unknown_delete?(_), do: false
|
||||
end
|
||||
|
|
66
lib/pleroma/web/plugs/inbox_guard_plug.ex
Normal file
66
lib/pleroma/web/plugs/inbox_guard_plug.ex
Normal file
|
@ -0,0 +1,66 @@
|
|||
# Pleroma: A lightweight social networking server
|
||||
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
defmodule Pleroma.Web.Plugs.InboxGuardPlug do
|
||||
import Plug.Conn
|
||||
import Pleroma.Constants, only: [allowed_activity_types_from_strangers: 0]
|
||||
|
||||
alias Pleroma.Config
|
||||
alias Pleroma.User
|
||||
|
||||
def init(options) do
|
||||
options
|
||||
end
|
||||
|
||||
def call(%{assigns: %{valid_signature: true}} = conn, _opts) do
|
||||
conn
|
||||
end
|
||||
|
||||
def call(conn, _opts) do
|
||||
with {_, true} <- {:federating, Config.get!([:instance, :federating])},
|
||||
true <- known_actor?(conn) do
|
||||
conn
|
||||
else
|
||||
{:federating, false} ->
|
||||
conn
|
||||
|> json(403, "Not federating")
|
||||
|
||||
_ ->
|
||||
conn
|
||||
|> filter_from_strangers()
|
||||
end
|
||||
end
|
||||
|
||||
# If signature failed but we know this actor we should
|
||||
# accept it as we may only need to refetch their public key
|
||||
# during processing
|
||||
defp known_actor?(%{body_params: data}) do
|
||||
case Pleroma.Object.Containment.get_actor(data) |> User.get_cached_by_ap_id() do
|
||||
%User{} -> true
|
||||
_ -> false
|
||||
end
|
||||
end
|
||||
|
||||
# Only permit a subset of activity types from strangers
|
||||
# or else it will add actors you've never interacted with
|
||||
# to the database
|
||||
defp filter_from_strangers(%{body_params: %{"type" => type}} = conn) do
|
||||
with true <- type in allowed_activity_types_from_strangers() do
|
||||
conn
|
||||
else
|
||||
_ ->
|
||||
conn
|
||||
|> json(400, "Invalid activity type for an unknown actor")
|
||||
end
|
||||
end
|
||||
|
||||
defp json(conn, status, resp) do
|
||||
json_resp = Jason.encode!(resp)
|
||||
|
||||
conn
|
||||
|> put_resp_content_type("application/json")
|
||||
|> resp(status, json_resp)
|
||||
|> halt()
|
||||
end
|
||||
end
|
|
@ -217,6 +217,10 @@ defmodule Pleroma.Web.Router do
|
|||
plug(Pleroma.Web.Plugs.MappedSignatureToIdentityPlug)
|
||||
end
|
||||
|
||||
pipeline :inbox_guard do
|
||||
plug(Pleroma.Web.Plugs.InboxGuardPlug)
|
||||
end
|
||||
|
||||
pipeline :static_fe do
|
||||
plug(Pleroma.Web.Plugs.StaticFEPlug)
|
||||
end
|
||||
|
@ -920,7 +924,7 @@ defmodule Pleroma.Web.Router do
|
|||
end
|
||||
|
||||
scope "/", Pleroma.Web.ActivityPub do
|
||||
pipe_through(:activitypub)
|
||||
pipe_through([:activitypub, :inbox_guard])
|
||||
post("/inbox", ActivityPubController, :inbox)
|
||||
post("/users/:nickname/inbox", ActivityPubController, :inbox)
|
||||
end
|
||||
|
|
|
@ -700,7 +700,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
|
|||
|> assign(:valid_signature, false)
|
||||
|> put_req_header("content-type", "application/activity+json")
|
||||
|> post("/inbox", params)
|
||||
|> json_response(200)
|
||||
|> json_response(400)
|
||||
|
||||
assert all_enqueued() == []
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue