author | multiple creatures <dev@multiple-creature.party> | 2019-08-08 20:09:21 -0500 |
---|---|---|
committer | multiple creatures <dev@multiple-creature.party> | 2019-08-08 20:09:21 -0500 |
commit | a4b7b5c132f2bc4a7ba7d7ad90c2136cb12602ee (patch) | |
tree | dc4f9d95ed0917557f1cad341649115b249bc68d | |
parent | e496fd473fd71f2deda0b3a8265e6e03a4e6b4c7 (diff) |
fedi privacy - reject incoming out-of-scope posts addressed to private/unresolvable accounts & not addressed to any local users
-rw-r--r-- | app/lib/activitypub/activity/create.rb | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/app/lib/activitypub/activity/create.rb b/app/lib/activitypub/activity/create.rb
index 37aac4d59..c95317646 100644
--- a/app/lib/activitypub/activity/create.rb
+++ b/app/lib/activitypub/activity/create.rb
@@ -52,12 +52,15 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
 @tags = []
 @mentions = []
 @params = {}
+ @potential_scope_leak = false
 process_status_params
 return reject_payload! if twitter_retweet? || recipient_rejects_replies?
 process_tags
 process_audience
+ return reject_payload! if potential_scope_leak?
+
 @params[:visibility] = :unlisted if @params[:visibility] == :public && @account.force_unlisted?
 @params[:sensitive] = true if @account.force_sensitive?
@@ -197,6 +200,10 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
 end
 end
+ def potential_scope_leak?
+ @potential_scope_leak && @mentions.blank?
+ end
+
 def process_hashtag(tag)
 return if tag['name'].blank?
@@ -222,7 +229,10 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
 account = account_from_uri(tag['href'])
 account = ::FetchRemoteAccountService.new.call(tag['href']) if account.nil?
- return if account.nil?
+ if account.nil?
+ @potential_scope_leak = true
+ return
+ end
 @mentions << Mention.new(account: account, silent: false)
 end |
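Review bot: The new `return reject_payload! if potential_scope_leak?` is applied whatever visibility the post has, so a fully public post whose only mention failed to resolve is dropped even though a public post has no restricted audience to leak. The next context line already reads `@params[:visibility]`, so the value appears to be set by this point, and the guard could be limited to restricted posts, for example `return reject_payload! if potential_scope_leak? && !%i(public unlisted).include?(@params[:visibility])`. The reject path is also silent; a short comment above the guard saying why the payload is dropped would help the next reader. The enclosing method starts and ends outside this hunk, so the exact visibility values in play should be confirmed against `process_status_params`.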
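Review bot: `@mentions.blank?` in `potential_scope_leak?` is false as soon as any account was resolved, local or remote, which is weaker than the commit title's "not addressed to any local users". A post that names one resolvable remote account and one unresolvable account is still accepted even if nobody on this server is addressed. If the title states the intended policy, the predicate should test for local recipients, `@potential_scope_leak && @mentions.none? { |mention| mention.account.local? }`. Whether `process_audience` adds only local accounts to `@mentions` is not visible here and should be checked before changing it. The method would also benefit from a one-line comment stating the rule it encodes.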
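Review bot: The `if account.nil?` branch sets `@potential_scope_leak = true` for every failed lookup, and a nil from `FetchRemoteAccountService` presumably covers deleted accounts and temporary fetch failures as well as private ones. A brief outage on a third server could therefore get a legitimate post rejected for good, with nothing recorded about why. I would log the unresolved target in this branch, e.g. `Rails.logger.debug "Unresolvable mention target #{tag['href']}"`, and add a comment such as `# unresolved mention: the post may be addressed to an audience we cannot see`. The method's `def` line and any earlier guards are outside this hunk.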