Do not try fetching keys of unknown accounts on a Delete from them (#10326)

author: ThibG <thib@sitedethib.com> 2019-03-20 17:20:16 +0100
committer: Eugen Rochko <eugen@zeonfederated.com> 2019-03-20 17:20:16 +0100
commit: 66d945209278c9344d503fe4e7a58d5c6f040e50 (patch)
tree: e6d83fb7c474e7542afb2ef54a9bfd8d1f6a6ea1
parent: 158c31b9df538691666e5b91f48a0afecd2985fe (diff)
2 files changed, 15 insertions, 5 deletions
diff --git a/app/controllers/activitypub/inboxes_controller.rb b/app/controllers/activitypub/inboxes_controller.rb
index 8f5e1887e..1501b914e 100644
--- a/app/controllers/activitypub/inboxes_controller.rb
+++ b/app/controllers/activitypub/inboxes_controller.rb
@@ -2,11 +2,14 @@
 
 class ActivityPub::InboxesController < Api::BaseController
   include SignatureVerification
+  include JsonLdHelper
 
   before_action :set_account
 
   def create
-    if signed_request_account
+    if unknown_deleted_account?
+      head 202
+    elsif signed_request_account
       upgrade_account
       process_payload
       head 202
@@ -17,12 +20,19 @@ class ActivityPub::InboxesController < Api::BaseController
 
   private
 
+  def unknown_deleted_account?
+    json = Oj.load(body, mode: :strict)
+    json['type'] == 'Delete' && json['actor'].present? && json['actor'] == value_or_id(json['object']) && !Account.where(uri: json['actor']).exists?
+  rescue Oj::ParseError
+    false
+  end
+
   def set_account
     @account = Account.find_local!(params[:account_username]) if params[:account_username]
   end
 
   def body
-    @body ||= request.body.read
+    @body ||= request.body.read.force_encoding('UTF-8')
   end
 
   def upgrade_account
@@ -36,6 +46,6 @@ class ActivityPub::InboxesController < Api::BaseController
   end
 
   def process_payload
-    ActivityPub::ProcessingWorker.perform_async(signed_request_account.id, body.force_encoding('UTF-8'), @account&.id)
+    ActivityPub::ProcessingWorker.perform_async(signed_request_account.id, body, @account&.id)
   end
 end
diff --git a/spec/controllers/activitypub/inboxes_controller_spec.rb b/spec/controllers/activitypub/inboxes_controller_spec.rb
index 4055d9342..eab4b8c3e 100644
--- a/spec/controllers/activitypub/inboxes_controller_spec.rb
+++ b/spec/controllers/activitypub/inboxes_controller_spec.rb
@@ -10,7 +10,7 @@ RSpec.describe ActivityPub::InboxesController, type: :controller do
           Fabricate(:account)
         end
 
-        post :create
+        post :create, body: '{}'
         expect(response).to have_http_status(202)
       end
     end
@@ -21,7 +21,7 @@ RSpec.describe ActivityPub::InboxesController, type: :controller do
           false
         end
 
-        post :create
+        post :create, body: '{}'
         expect(response).to have_http_status(401)
       end
     end
author	ThibG <thib@sitedethib.com>	2019-03-20 17:20:16 +0100
committer	Eugen Rochko <eugen@zeonfederated.com>	2019-03-20 17:20:16 +0100
commit	66d945209278c9344d503fe4e7a58d5c6f040e50 (patch)
tree	e6d83fb7c474e7542afb2ef54a9bfd8d1f6a6ea1
parent	158c31b9df538691666e5b91f48a0afecd2985fe (diff)