From d3af00a9120f5254f533fa3106d08c5c01b3c8da Mon Sep 17 00:00:00 2001
From: Derek Schmidt
Date: Thu, 1 Dec 2022 00:46:05 -0500
Subject: [PATCH] server: Add recursion limit to resolver
Changelog: Security
---
 packages/backend/src/remote/activitypub/resolver.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/packages/backend/src/remote/activitypub/resolver.ts b/packages/backend/src/remote/activitypub/resolver.ts
index 3cea4c44e..9937df43f 100644
--- a/packages/backend/src/remote/activitypub/resolver.ts
+++ b/packages/backend/src/remote/activitypub/resolver.ts
@@ -19,9 +19,11 @@ import { parseUri } from './db-resolver.js';
 export default class Resolver {
 private history: Set;
 private user?: ILocalUser;
+ private recursionLimit?: number;
- constructor() {
+ constructor(recursionLimit = 100) {
 this.history = new Set();
+ this.recursionLimit = recursionLimit;
 }
 public getHistory(): string[] {
@@ -59,7 +61,9 @@ export default class Resolver {
 if (this.history.has(value)) {
 throw new Error('cannot resolve already resolved one');
 }
-
+ if (this.recursionLimit && this.history.size > this.recursionLimit) {
+ throw new Error('hit recursion limit');
+ }
 this.history.add(value);
 const host = extractDbHost(value);
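Review bot: The constructor stores whatever number it is given, and the field is declared optional (`recursionLimit?: number`) although it is always assigned. Because this value is the security bound on how many remote objects one Resolver will fetch, the unchecked input matters: `0` or `NaN` switch the limit off through the truthiness test in the second hunk, and a negative value makes every resolve throw. If an unlimited resolver is not an intended mode, declare `private readonly recursionLimit: number;` and reject bad values up front with `if (!Number.isInteger(recursionLimit) || recursionLimit < 1) throw new RangeError('recursionLimit must be a positive integer');`. If it is intended, document the sentinel on the parameter, e.g. `/** Maximum number of distinct URIs this Resolver fetches before resolve() throws; 0 disables the limit. */`. The class body continues outside the hunk.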
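Review bot: The comparison `this.history.size > this.recursionLimit` runs before `this.history.add(value)`, so with the default of 100 the 101st distinct URI is still fetched and only the 102nd is refused; `>=` makes the bound exact. The check counts every URI this instance has resolved rather than nesting depth, so the message 'hit recursion limit' can mislead whoever triages the log; naming the limit helps, e.g. `throw new Error(`hit recursion limit (${this.recursionLimit})`);`. A short comment above the check, such as `// bounds total remote fetches per Resolver so a hostile object graph cannot make the server crawl indefinitely`, would record why it exists. The enclosing method starts and ends outside the hunk.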