nullobsi/FoundKey
1
0
Fork 0
forked from FoundKeyGang/FoundKey
Code Issues Pull requests Projects Releases Packages Wiki Activity

limit id length of all incoming activities

Browse source
This commit is contained in:
Johann150 2022-09-12 18:30:53 +02:00
parent 1120b6959d
commit 7ceb96b148
Signed by untrusted user: Johann150
GPG key ID: 9EE6577A2A06F8F1
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
packages/backend/src/queue/processors/inbox.ts
View file

@ -127,13 +127,18 @@ export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
}
}
// activity.idがあればホストが署名者のホストであることを確認する
if (typeof activity.id === 'string') {
// Verify that activity and actor are from the same host.
const signerHost = extractDbHost(authUser.user.uri!);
const activityIdHost = extractDbHost(activity.id);
if (signerHost !== activityIdHost) {
return `skip: signerHost(${signerHost}) !== activity.id host(${activityIdHost}`;
}
// Verify that the id has a sane length
if (activity.id.length > 2048) {
return `skip: overly long id from ${signerHost}`;
}
}
// Update stats