From 5811e65e67591b06238de66470c03744e0d83e2d Mon Sep 17 00:00:00 2001
From: lain
Date: Wed, 26 Dec 2018 12:39:35 +0100
Subject: [PATCH] Add some hard limits on inserted activities.
---
 config/config.exs | 3 ++-
 docs/config.md | 1 +
 lib/pleroma/web/activity_pub/activity_pub.ex | 8 ++++++++
 test/web/activity_pub/activity_pub_test.exs | 18 ++++++++++++++++++
 4 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/config/config.exs b/config/config.exs
index 4b8762761..82e7d8121 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -98,7 +98,8 @@ config :pleroma, :instance,
 name: "Pleroma",
 email: "example@example.com",
 description: "A Pleroma instance, an alternative fediverse server",
- limit: 5000,
+ limit: 5_000,
+ remote_limit: 10_000,
 upload_limit: 16_000_000,
 avatar_upload_limit: 2_000_000,
 background_upload_limit: 4_000_000,
diff --git a/docs/config.md b/docs/config.md
index 728916f82..0aeaf934e 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -63,6 +63,7 @@ config :pleroma, Pleroma.Mailer,
 * `email`: Email used to reach an Administrator/Moderator of the instance
 * `description`: The instance’s description, can be seen in nodeinfo and ``/api/v1/instance``
 * `limit`: Posts character limit (CW/Subject included in the counter)
+* `remote_limit`: Hard character limit beyond which remote posts will be dropped.
 * `upload_limit`: File size limit of uploads (except for avatar, background, banner)
 * `avatar_upload_limit`: File size limit of user’s profile avatars
 * `background_upload_limit`: File size limit of user’s profile backgrounds
diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
index 188060780..8b2f764e4 100644
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -56,10 +56,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
 end
 end

+ defp check_remote_limit(%{"object" => %{"content" => content}}) do
+ limit = Pleroma.Config.get([:instance, :remote_limit])
+ String.length(content) <= limit
+ end
+
+ defp check_remote_limit(_), do: true
+
 def insert(map, local \\ true) when is_map(map) do
 with nil <- Activity.normalize(map),
 map <- lazy_put_activity_defaults(map),
 :ok <- check_actor_is_active(map["actor"]),
+ {_, true} <- {:remote_limit_error, check_remote_limit(map)},
 {:ok, map} <- MRF.filter(map),
 :ok <- insert_full_object(map) do
 {recipients, _, _} = get_recipients(map)
diff --git a/test/web/activity_pub/activity_pub_test.exs b/test/web/activity_pub/activity_pub_test.exs
index 4f6b7f058..f7c7c6242 100644
--- a/test/web/activity_pub/activity_pub_test.exs
+++ b/test/web/activity_pub/activity_pub_test.exs
@@ -31,6 +31,24 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
 end

 describe "insertion" do
+ test "drops activities beyond a certain limit" do
+ limit = Pleroma.Config.get([:instance, :remote_limit])
+
+ random_text =
+ :crypto.strong_rand_bytes(limit + 1)
+ |> Base.encode64()
+ |> binary_part(0, limit + 1)
+
+ data = %{
+ "ok" => true,
+ "object" => %{
+ "content" => random_text
+ }
+ }
+
+ assert {:error, {:remote_limit_error, _}} = ActivityPub.insert(data)
+ end
+
 test "returns the activity if one with the same id is already in" do
 activity = insert(:note_activity)
 {:ok, new_activity} = ActivityPub.insert(activity.data)
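Review bot: `check_remote_limit/1` calls `String.length(content)` on whatever value sits under `"content"`, and its first clause matches any term, so an activity whose object carries a null or otherwise non-string `content` would raise inside `insert/2` instead of being accepted or rejected cleanly. Guarding the clause, `defp check_remote_limit(%{"object" => %{"content" => content}}) when is_binary(content) do`, lets such objects fall through to the catch-all clause and behave as they did before this commit. The check also bounds only `content`; if other text fields of the object are meant to stay unbounded, a comment above the function saying so would keep the name "hard limit" from overstating what is enforced. `insert/2` continues outside the hunk, so how the `{:remote_limit_error, false}` tuple becomes the return value is not visible here.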
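Review bot: Only the over-limit side is exercised in `test "drops activities beyond a certain limit"`, so an off-by-one in the `<=` comparison or a crash on a non-string `content` value would go unnoticed. A companion case built with `String.duplicate("a", limit)` that refutes a `:remote_limit_error` result would pin the boundary, and the same helper with `limit + 1` makes the oversized input deterministic instead of drawing random bytes. What `insert/2` returns for this minimal map once the limit check passes is not visible here, so the companion assertion should only check that the error is not `:remote_limit_error`. The `describe "insertion"` block continues outside the hunk.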