From 4fbbfff145a4cfe308117cf7632ab4def1e66c65 Mon Sep 17 00:00:00 2001
From: Johann150
Date: Sun, 16 Apr 2023 19:34:15 +0200
Subject: [PATCH] activitypub: also check incoming activity host for block

---
 packages/backend/src/queue/processors/inbox.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/backend/src/queue/processors/inbox.ts b/packages/backend/src/queue/processors/inbox.ts
index 2e06fc241..066e92ca3 100644
--- a/packages/backend/src/queue/processors/inbox.ts
+++ b/packages/backend/src/queue/processors/inbox.ts
@@ -107,9 +107,14 @@ export default async (job: Bull.Job): Promise => {
 }
 }
 
+ // Verify that the actor's host is not blocked
+ const signerHost = extractDbHost(authUser.user.uri!);
+ if (await shouldBlockInstance(signerHost)) {
+ return `Blocked request: ${signerHost}`;
+ }
+
 if (typeof activity.id === 'string') {
 // Verify that activity and actor are from the same host.
- const signerHost = extractDbHost(authUser.user.uri!);
 const activityIdHost = extractDbHost(activity.id);
 if (signerHost !== activityIdHost) {
 return `skip: signerHost(${signerHost}) !== activity.id host(${activityIdHost}`;
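Review bot: The non-null assertion in `extractDbHost(authUser.user.uri!)` now runs for every inbox job, where before it ran only inside the `typeof activity.id === 'string'` branch, so the new block check depends on an unchecked assumption that the signer always has a `uri`. What `extractDbHost` does with a null value is not visible in this hunk, so I would make the assumption explicit ahead of the block check: `if (authUser.user.uri == null) return 'skip: signer has no uri';` followed by `const signerHost = extractDbHost(authUser.user.uri);`. The commit subject speaks of the activity host, but only the signer's host is tested against the block list; the `activity.id` host is covered indirectly through the equality check below, and an activity without a string `id` bypasses that check. A comment such as `// Block check uses the signing actor's host; activity.id's host is forced to equal it below when an id is present` would record that. The enclosing job handler starts and ends outside the hunk, so whether an earlier block check or a null guard already exists above cannot be confirmed from here.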