activitypub: fix possibility of spoofing by containing remote objects to the same domain as their actor

This commit is contained in:
William Pitcock 2018-09-01 23:20:02 +00:00
parent 2e2f458705
commit 0b2c051a04
2 changed files with 15 additions and 0 deletions

View file

@ -747,6 +747,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
"actor" => data["attributedTo"],
"object" => data
},
:ok <- Transmogrifier.contain_origin(id, params),
{:ok, activity} <- Transmogrifier.handle_incoming(params) do
{:ok, Object.normalize(activity.data["object"])}
else

View file

@ -30,6 +30,20 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
actor["id"]
end
@doc """
Checks that an imported AP object's actor matches the domain it came from.
"""
def contain_origin(id, %{"actor" => actor}) do
id_uri = URI.parse(id)
actor_uri = URI.parse(actor)
if id_uri.host == actor_uri.host do
:ok
else
:error
end
end
@doc """
Modifies an incoming AP object (mastodon format) to our internal format.
"""