Do not fetch anything from blocked instances
parent
a1515f9a60
commit
68894089e8
4 changed files with 33 additions and 3 deletions
|
@ -23,6 +23,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- Follow/Block/Mute imports now spin off into *n* tasks to avoid the oban timeout
|
- Follow/Block/Mute imports now spin off into *n* tasks to avoid the oban timeout
|
||||||
- Transient activities recieved from remote servers are no longer persisted in the database
|
- Transient activities recieved from remote servers are no longer persisted in the database
|
||||||
- Overhauled static-fe view for logged-out users
|
- Overhauled static-fe view for logged-out users
|
||||||
|
- Blocked instances will now not be sent _any_ requests, even fetch ones that would get rejected by MRF anyhow
|
||||||
|
|
||||||
## Removed
|
## Removed
|
||||||
- FollowBotPolicy
|
- FollowBotPolicy
|
||||||
|
|
|
@ -116,7 +116,11 @@ def refetch_object(%Object{data: %{"id" => id}} = object) do
|
||||||
|
|
||||||
# Note: will create a Create activity, which we need internally at the moment.
|
# Note: will create a Create activity, which we need internally at the moment.
|
||||||
def fetch_object_from_id(id, options \\ []) do
|
def fetch_object_from_id(id, options \\ []) do
|
||||||
with {_, nil} <- {:fetch_object, Object.get_cached_by_ap_id(id)},
|
with %URI{} = uri <- URI.parse(id),
|
||||||
|
# If we have instance restrictions, apply them here to prevent fetching from unwanted instances
|
||||||
|
{:ok, nil} <- Pleroma.Web.ActivityPub.MRF.SimplePolicy.check_reject(uri),
|
||||||
|
{:ok, _} <- Pleroma.Web.ActivityPub.MRF.SimplePolicy.check_accept(uri),
|
||||||
|
{_, nil} <- {:fetch_object, Object.get_cached_by_ap_id(id)},
|
||||||
{_, true} <- {:allowed_depth, Federator.allowed_thread_distance?(options[:depth])},
|
{_, true} <- {:allowed_depth, Federator.allowed_thread_distance?(options[:depth])},
|
||||||
{_, {:ok, data}} <- {:fetch, fetch_and_contain_remote_object_from_id(id)},
|
{_, {:ok, data}} <- {:fetch, fetch_and_contain_remote_object_from_id(id)},
|
||||||
{_, nil} <- {:normalize, Object.normalize(data, fetch: false)},
|
{_, nil} <- {:normalize, Object.normalize(data, fetch: false)},
|
||||||
|
@ -155,6 +159,9 @@ def fetch_object_from_id(id, options \\ []) do
|
||||||
{:fetch, {:error, error}} ->
|
{:fetch, {:error, error}} ->
|
||||||
{:error, error}
|
{:error, error}
|
||||||
|
|
||||||
|
{:reject, reason} ->
|
||||||
|
{:reject, reason}
|
||||||
|
|
||||||
e ->
|
e ->
|
||||||
e
|
e
|
||||||
end
|
end
|
||||||
|
|
|
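Review bot: `URI.parse/1` returns a `%URI{}` for any binary, so the new first clause `%URI{} = uri <- URI.parse(id)` never filters anything, and an id without a host part reaches `check_reject/1` and `check_accept/1` with `host: nil`. How those functions treat a nil host is not visible in this hunk, so I would require a host up front, for example `{:valid_uri, %URI{host: host} = uri} when is_binary(host) <- {:valid_uri, URI.parse(id)}`, with a matching `else` branch that returns an error tuple. The checks also cover only the host of the requested id; if the HTTP client behind `fetch_and_contain_remote_object_from_id/1` follows redirects (not shown here), a request could still reach a rejected host, which is worth confirming against the changelog entry. Moving the cache lookup below the checks means an object already cached from a now-rejected host yields `{:reject, reason}` instead of the cached copy, and callers must handle that new return shape; the body of `fetch_object_from_id/2` continues outside both hunks.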
@ -13,7 +13,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
|
||||||
|
|
||||||
require Pleroma.Constants
|
require Pleroma.Constants
|
||||||
|
|
||||||
defp check_accept(%{host: actor_host} = _actor_info) do
|
def check_accept(%{host: actor_host} = _actor_info) do
|
||||||
accepts =
|
accepts =
|
||||||
instance_list(:accept)
|
instance_list(:accept)
|
||||||
|> MRF.subdomains_regex()
|
|> MRF.subdomains_regex()
|
||||||
|
@ -26,7 +26,7 @@ defp check_accept(%{host: actor_host} = _actor_info) do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp check_reject(%{host: actor_host} = _actor_info) do
|
def check_reject(%{host: actor_host} = _actor_info) do
|
||||||
rejects =
|
rejects =
|
||||||
instance_list(:reject)
|
instance_list(:reject)
|
||||||
|> MRF.subdomains_regex()
|
|> MRF.subdomains_regex()
|
||||||
|
|
|
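Review bot: `check_accept/1` and `check_reject/1` become public here without a `@doc` or `@spec`, although the fetcher now pattern-matches on their exact return values (`{:ok, nil}` from the reject check, `{:ok, _}` from the accept check). I would add a `@doc` to each that states the return contract and a `@spec` taking a `URI.t()`, so a later change to the return shape cannot silently turn the fetcher's `with` clauses into a fall-through. The parameter name `_actor_info` no longer fits, since the functions now also receive object URIs; something like `_uri` would read better. Both function bodies continue outside these hunks, so the exact return values should be confirmed before writing the docs.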
@ -161,6 +161,28 @@ test "it does not fetch a spoofed object uploaded on an instance as an attachmen
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "does not fetch anything from a rejected instance" do
|
||||||
|
clear_config([:mrf_simple, :reject], [{"evil.example.org", "i said so"}])
|
||||||
|
|
||||||
|
assert {:reject, _} =
|
||||||
|
Fetcher.fetch_object_from_id("http://evil.example.org/@admin/99541947525187367")
|
||||||
|
end
|
||||||
|
|
||||||
|
test "does not fetch anything if mrf_simple accept is on" do
|
||||||
|
clear_config([:mrf_simple, :accept], [{"mastodon.example.org", "i said so"}])
|
||||||
|
clear_config([:mrf_simple, :reject], [])
|
||||||
|
|
||||||
|
assert {:reject, _} =
|
||||||
|
Fetcher.fetch_object_from_id(
|
||||||
|
"http://notlisted.example.org/@admin/99541947525187367"
|
||||||
|
)
|
||||||
|
|
||||||
|
assert {:ok, _object} =
|
||||||
|
Fetcher.fetch_object_from_id(
|
||||||
|
"http://mastodon.example.org/@admin/99541947525187367"
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
test "it resets instance reachability on successful fetch" do
|
test "it resets instance reachability on successful fetch" do
|
||||||
id = "http://mastodon.example.org/@admin/99541947525187367"
|
id = "http://mastodon.example.org/@admin/99541947525187367"
|
||||||
Instances.set_consistently_unreachable(id)
|
Instances.set_consistently_unreachable(id)
|
||||||
|
|
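Review bot: Both new tests assert only the `{:reject, _}` return value, which does not demonstrate that no HTTP request was made, and that is the property this commit is meant to guarantee. If the suite's HTTP mock can be set to fail the test on any call, doing so inside these two tests would pin the behaviour. The cases also cover exact host matches only; since the lists pass through `MRF.subdomains_regex/1`, a subdomain-pattern entry and an id whose object is already cached locally each deserve a test of their own.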