From 7ceb96b148fd3d93fbfc8bedb87aa5724805386e Mon Sep 17 00:00:00 2001
From: Johann150
Date: Mon, 12 Sep 2022 18:30:53 +0200
Subject: [PATCH] limit id length of all incoming activities
---
 packages/backend/src/queue/processors/inbox.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/packages/backend/src/queue/processors/inbox.ts b/packages/backend/src/queue/processors/inbox.ts
index bf25aca20..167e5bc6b 100644
--- a/packages/backend/src/queue/processors/inbox.ts
+++ b/packages/backend/src/queue/processors/inbox.ts
@@ -127,13 +127,18 @@ export default async (job: Bull.Job): Promise => {
 }
 }
- // activity.idがあればホストが署名者のホストであることを確認する
 if (typeof activity.id === 'string') {
+ // Verify that activity and actor are from the same host.
 const signerHost = extractDbHost(authUser.user.uri!);
 const activityIdHost = extractDbHost(activity.id);
 if (signerHost !== activityIdHost) {
 return `skip: signerHost(${signerHost}) !== activity.id host(${activityIdHost}`;
 }
+
+ // Verify that the id has a sane length
+ if (activity.id.length > 2048) {
+ return `skip: overly long id from ${signerHost}`;
+ }
 }
 // Update stats
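Review bot: The new length guard runs only after `extractDbHost(activity.id)` has already processed the id, so an oversized value is still handed to the host-extraction code (presumably URL parsing) before it is rejected. Since the skip message needs only `signerHost`, which is derived from `authUser.user.uri`, the `if (activity.id.length > 2048)` block can move up to sit directly after the `const signerHost = ...` line and before `activityIdHost` is computed. The guard also lives inside the `typeof activity.id === 'string'` branch, so it bounds only the top-level id; ids of nested objects are not limited by this hunk and may need the same check wherever they are resolved. Consider giving the 2048 limit a named constant with a comment on what it is meant to match, keeping in mind that `.length` counts UTF-16 code units rather than bytes. The enclosing handler starts and ends outside the hunk.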