Dereference object URIs in Create and Update messages (#14359)

* Dereference object URIs in Create and Update messages

Fixes #14353

Signed-off-by: Thibaut Girka <thib@sitedethib.com>

* Refactor, and perform origin check *before* attempting to fetch object

Co-authored-by: Fire Demon <firedemon@creature.cafe>
ThibG 2020-07-22 11:43:17 +02:00 committed by GitHub
parent a8b6524b43
commit bcf85b5208
3 changed files with 32 additions and 0 deletions


@ -157,6 +157,34 @@ class ActivityPub::Activity
fetch_remote_original_status fetch_remote_original_status
end end
def dereference_object!
return unless @object.is_a?(String)
return if invalid_origin?(@object)
object = fetch_resource(@object, true, signed_fetch_account)
return unless object.present? && object.is_a?(Hash) && supported_context?(object)
@object = object
end
def signed_fetch_account
first_mentioned_local_account || first_local_follower
end
def first_mentioned_local_account
audience = (as_array(@json['to']) + as_array(@json['cc'])).uniq
local_usernames = audience.select { |uri| ActivityPub::TagManager.instance.local_uri?(uri) }
.map { |uri| ActivityPub::TagManager.instance.uri_to_local_id(uri, :username) }
return if local_usernames.empty?
Account.local.where(username: local_usernames).first
end
def first_local_follower
@account.followers.local.first
end
def follow_request_from_object def follow_request_from_object
@follow_request ||= FollowRequest.find_by(target_account: @account, uri: object_uri) unless object_uri.nil? @follow_request ||= FollowRequest.find_by(target_account: @account, uri: object_uri) unless object_uri.nil?
end end
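Review bot: `first_mentioned_local_account` passes every `to`/`cc` entry straight to `local_uri?`, but these values come from the remote payload and an entry may be an embedded object rather than a URI string. How `local_uri?` and `uri_to_local_id` react to a non-string is not visible here, so it is safer to normalise first, e.g. `audience = (as_array(@json['to']) + as_array(@json['cc'])).map { |x| value_or_id(x) }.uniq` (assuming the JSON-LD helper `value_or_id` is in scope in this class). Separately, `dereference_object!` deserves a short comment stating that `invalid_origin?` must stay ahead of `fetch_resource`, presumably so that an activity cannot make the server issue a signed request for an object outside the actor's origin, and saying what the positional `true` means.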


@ -2,6 +2,8 @@
class ActivityPub::Activity::Create < ActivityPub::Activity class ActivityPub::Activity::Create < ActivityPub::Activity
def perform def perform
dereference_object!
case @object['type'] case @object['type']
when 'EncryptedMessage' when 'EncryptedMessage'
create_encrypted_message create_encrypted_message
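Review bot: `perform` goes on to `@object['type']` even when `dereference_object!` returned early and left `@object` as a String (origin rejected, fetch failed, or unsupported context). On a String, `['type']` is a substring lookup that yields `nil` or `"type"`, so the branch taken depends on the URI text rather than on an explicit decision. Consider a guard right after the call, `return if @object.is_a?(String)`, or confirm that the code further down rejects a non-Hash object; the same applies to `Update#perform` in the last file section. The rest of `perform` lies outside the hunk.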


@ -4,6 +4,8 @@ class ActivityPub::Activity::Update < ActivityPub::Activity
SUPPORTED_TYPES = %w(Application Group Organization Person Service).freeze SUPPORTED_TYPES = %w(Application Group Organization Person Service).freeze
def perform def perform
dereference_object!
if equals_or_includes_any?(@object['type'], SUPPORTED_TYPES) if equals_or_includes_any?(@object['type'], SUPPORTED_TYPES)
update_account update_account
elsif equals_or_includes_any?(@object['type'], %w(Question)) elsif equals_or_includes_any?(@object['type'], %w(Question))