From 42e8cc5989e7172818f77dce7d1726fd16ce0d3c Mon Sep 17 00:00:00 2001
From: Johann150
Date: Thu, 21 Nov 2024 19:52:43 +0100
Subject: [PATCH] activitypub: prevent poll spoofing
---
 .../backend/src/remote/activitypub/kernel/update/index.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/packages/backend/src/remote/activitypub/kernel/update/index.ts b/packages/backend/src/remote/activitypub/kernel/update/index.ts
index 32952a3b6..c81333f92 100644
--- a/packages/backend/src/remote/activitypub/kernel/update/index.ts
+++ b/packages/backend/src/remote/activitypub/kernel/update/index.ts
@@ -29,6 +29,10 @@ export default async (actor: IRemoteUser, activity: IUpdate, resolver: Resolver)
 await updatePerson(object, resolver);
 return 'ok: Person updated';
 } else if (getApType(object) === 'Question') {
+ if (actor.uri !== object.attributedTo) {
+ return 'skip: actor id !== question attributedTo';
+ }
+
 await updateQuestion(object, resolver).catch(e => console.log(e));
 return 'ok: Question updated';
 } else if (isPost(object)) {
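Review bot: The new guard in the `Question` branch compares `actor.uri` with `object.attributedTo`, but both the poll's `id` and its `attributedTo` come from the same `object`. If `object` can be the payload embedded in the activity rather than a copy fetched from its `id` (not visible in this hunk), the check only confirms that the sender names itself as author, not that the stored poll belongs to it. Consider also tying the object id to the sender, for example `if (new URL(object.id).origin !== new URL(actor.uri).origin) return 'skip: question id origin !== actor origin';`, or having `updateQuestion` compare the stored note's author with `actor`. Separately, `attributedTo` may legitimately be an object or an array in ActivityPub, in which case the strict `!==` skips a valid update; that fails closed, but normalising it to a single id string first would avoid the false rejects. The enclosing handler starts and ends outside the hunk.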