activitypub: fix possibility of spoofing by containing remote objects to the same domain as their actor

2018-09-01 23:20:02 +00:00 · 2018-09-01 23:20:02 +00:00 · 0b2c051a04
commit 0b2c051a04
parent 2e2f458705
2 changed files with 15 additions and 0 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@ -747,6 +747,7 @@ def fetch_object_from_id(id) do
             "actor" => data["attributedTo"],
             "object" => data
           },
+           :ok <- Transmogrifier.contain_origin(id, params),
           {:ok, activity} <- Transmogrifier.handle_incoming(params) do
        {:ok, Object.normalize(activity.data["object"])}
      else
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@ -30,6 +30,20 @@ def get_actor(%{"actor" => actor}) when is_map(actor) do
    actor["id"]
  end

+  @doc """
+  Checks that an imported AP object's actor matches the domain it came from.
+  """
+  def contain_origin(id, %{"actor" => actor}) do
+    id_uri = URI.parse(id)
+    actor_uri = URI.parse(actor)
+
+    if id_uri.host == actor_uri.host do
+      :ok
+    else
+      :error
+    end
+  end
+
  @doc """
  Modifies an incoming AP object (mastodon format) to our internal format.
  """