From 68894089e845220e06d77401d15e399cb0d3882c Mon Sep 17 00:00:00 2001
From: FloatingGhost
Date: Sat, 10 Dec 2022 00:09:45 +0000
Subject: [PATCH] Do not fetch anything from blocked instances
---
 CHANGELOG.md | 1 +
 lib/pleroma/object/fetcher.ex | 9 +++++++-
 .../web/activity_pub/mrf/simple_policy.ex | 4 ++--
 test/pleroma/object/fetcher_test.exs | 22 +++++++++++++++++++
 4 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eef3c53b8..e2737611c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Follow/Block/Mute imports now spin off into *n* tasks to avoid the oban timeout
 - Transient activities recieved from remote servers are no longer persisted in the database
 - Overhauled static-fe view for logged-out users
+- Blocked instances will now not be sent _any_ requests, even fetch ones that would get rejected by MRF anyhow
 ## Removed
 - FollowBotPolicy
diff --git a/lib/pleroma/object/fetcher.ex b/lib/pleroma/object/fetcher.ex
index cde4e5039..8309ef64a 100644
--- a/lib/pleroma/object/fetcher.ex
+++ b/lib/pleroma/object/fetcher.ex
@@ -116,7 +116,11 @@ def refetch_object(%Object{data: %{"id" => id}} = object) do
 # Note: will create a Create activity, which we need internally at the moment.
 def fetch_object_from_id(id, options \\ []) do
- with {_, nil} <- {:fetch_object, Object.get_cached_by_ap_id(id)},
+ with %URI{} = uri <- URI.parse(id),
+ # If we have instance restrictions, apply them here to prevent fetching from unwanted instances
+ {:ok, nil} <- Pleroma.Web.ActivityPub.MRF.SimplePolicy.check_reject(uri),
+ {:ok, _} <- Pleroma.Web.ActivityPub.MRF.SimplePolicy.check_accept(uri),
+ {_, nil} <- {:fetch_object, Object.get_cached_by_ap_id(id)},
 {_, true} <- {:allowed_depth, Federator.allowed_thread_distance?(options[:depth])},
 {_, {:ok, data}} <- {:fetch, fetch_and_contain_remote_object_from_id(id)},
 {_, nil} <- {:normalize, Object.normalize(data, fetch: false)},
@@ -155,6 +159,9 @@ def fetch_object_from_id(id, options \\ []) do
 {:fetch, {:error, error}} ->
 {:error, error}
+ {:reject, reason} ->
+ {:reject, reason}
+
 e ->
 e
 end
diff --git a/lib/pleroma/web/activity_pub/mrf/simple_policy.ex b/lib/pleroma/web/activity_pub/mrf/simple_policy.ex
index f7eb0f159..ba54eb674 100644
--- a/lib/pleroma/web/activity_pub/mrf/simple_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/simple_policy.ex
@@ -13,7 +13,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
 require Pleroma.Constants
- defp check_accept(%{host: actor_host} = _actor_info) do
+ def check_accept(%{host: actor_host} = _actor_info) do
 accepts =
 instance_list(:accept)
 |> MRF.subdomains_regex()
@@ -26,7 +26,7 @@ defp check_accept(%{host: actor_host} = _actor_info) do
 end
 end
- defp check_reject(%{host: actor_host} = _actor_info) do
+ def check_reject(%{host: actor_host} = _actor_info) do
 rejects =
 instance_list(:reject)
 |> MRF.subdomains_regex()
diff --git a/test/pleroma/object/fetcher_test.exs b/test/pleroma/object/fetcher_test.exs
index 22192d98f..c76a09fd7 100644
--- a/test/pleroma/object/fetcher_test.exs
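Review bot: The new reject/accept clauses in `fetch_object_from_id/2` test only the host of the `id` argument, so they guard this entry point rather than the outgoing request: `fetch_and_contain_remote_object_from_id(id)`, a few clauses further down, is untouched by this hunk, and a caller that reaches it directly, or a redirect it follows, would presumably still contact a rejected host. If blocked instances are meant to receive no requests at all, the check should live in (or be repeated in) the function that issues the HTTP request and be applied to the host actually contacted. `URI.parse(id)` also returns a `%URI{}` for every binary, so the first clause filters nothing and an `id` without a host passes `host: nil` to both policy functions; their handling of that is not visible here. Because the checks precede `Object.get_cached_by_ap_id(id)`, an object cached before its instance was blocked now yields `{:reject, _}`; if that is intended, say so in the comment, e.g. `# checked before the cache lookup on purpose: blocked hosts are not served from cache either`. The `with` continues outside the hunk.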
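Review bot: The added `{:reject, reason} -> {:reject, reason}` clause in the `else` of `fetch_object_from_id/2` returns exactly what the catch-all `e -> e` directly below it already returns, so it works as documentation and not as new handling. If it is kept for that reason, give it a comment such as `# rejected by MRF SimplePolicy before any request was made`. Callers outside this diff that match only `{:ok, _}` and `{:error, _}` should be confirmed to cope with a `{:reject, reason}` result on this earlier path. The `else` block starts outside the hunk.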
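Review bot: `check_accept/1` and `check_reject/1` in `simple_policy.ex` become public (the second in the following hunk of the same file) without a `@doc` or `@spec`, while the fetcher now depends on their exact return shape, matching `{:ok, nil}` from one and `{:ok, _}` from the other. A non-matching `{:ok, value}` from `check_reject/1` would fall through the fetcher's `e -> e` clause and be handed back as if it were a successful fetch, so the contract should be written down next to the functions. Add a `@doc` stating that the argument only needs a `:host` key and what is returned on pass and on reject, and a `@spec` once the return type is confirmed from the function bodies, which continue outside these hunks.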
+++ b/test/pleroma/object/fetcher_test.exs
@@ -161,6 +161,28 @@ test "it does not fetch a spoofed object uploaded on an instance as an attachmen
 )
 end
+ test "does not fetch anything from a rejected instance" do
+ clear_config([:mrf_simple, :reject], [{"evil.example.org", "i said so"}])
+
+ assert {:reject, _} =
+ Fetcher.fetch_object_from_id("http://evil.example.org/@admin/99541947525187367")
+ end
+
+ test "does not fetch anything if mrf_simple accept is on" do
+ clear_config([:mrf_simple, :accept], [{"mastodon.example.org", "i said so"}])
+ clear_config([:mrf_simple, :reject], [])
+
+ assert {:reject, _} =
+ Fetcher.fetch_object_from_id(
+ "http://notlisted.example.org/@admin/99541947525187367"
+ )
+
+ assert {:ok, _object} =
+ Fetcher.fetch_object_from_id(
+ "http://mastodon.example.org/@admin/99541947525187367"
+ )
+ end
+
 test "it resets instance reachability on successful fetch" do
 id = "http://mastodon.example.org/@admin/99541947525187367"
 Instances.set_consistently_unreachable(id)
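Review bot: Neither new test checks that no request leaves the instance, which is the property the commit claims; both assert only `{:reject, _}`, and that would also hold if the object were fetched from the blocked host and rejected later in the pipeline. Registering a handler in this file's HTTP mock for `evil.example.org` and `notlisted.example.org` that calls `flunk/1` would pin the behaviour. Two further cases are worth covering: a subdomain of a rejected host, since the policy builds its list through `MRF.subdomains_regex()`, and an `id` that is already cached locally when its instance is rejected. The last context test, `"it resets instance reachability on successful fetch"`, continues outside the hunk.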