allow autorejecting incoming ap activities by `id`, `@context`, and domain + autoject suspended domains & their subdomains

author: multiple creatures <dev@multiple-creature.party> 2019-07-22 20:04:15 -0500
committer: multiple creatures <dev@multiple-creature.party> 2019-07-22 20:14:29 -0500
commit: 86f29a68fbf5344291b21253f597a914cec18f02 (patch)
tree: aceda975c6666ae760e118ce0a2bb11c2f7fd1a7
parent: d82d7e0b2b7f03e17739f511b2f7dd21fac4342f (diff)
10 files changed, 42 insertions, 0 deletions
diff --git a/app/lib/activitypub/activity.rb b/app/lib/activitypub/activity.rb
index c73b2c4f5..d7a805ab3 100644
--- a/app/lib/activitypub/activity.rb
+++ b/app/lib/activitypub/activity.rb
@@ -185,4 +185,37 @@ class ActivityPub::Activity
     Rails.logger.info("Rejected #{@json['type']} activity #{@json['id']} from #{@account.uri}#{@options[:relayed_through_account] && "via #{@options[:relayed_through_account].uri}"}")
     nil
   end
+
+  def should_reject?
+    return unless @object
+
+    oid = @json['id']
+    return true if ENV.fetch('REJECT_IF_ID_STARTS_WITH', '').split.any? { |r| oid.start_with?(r) }
+    return true if ENV.fetch('REJECT_IF_ID_CONTAINS', '').split.any? { |r| r.in?(oid) }
+
+    url = object_uri.start_with?('http') ? object_uri : @object['url']
+    return if url.nil?
+
+    domain = url.scan(/[\w\-]+\.[\w\-]+(?:\.[\w\-]+)*/).first
+    blocks = DomainBlock.suspend
+    return true if blocks.where(domain: domain).or(blocks.where('domain LIKE ?', "%.#{domain}")).exists?
+
+    if @object['@context'].is_a?(Array)
+      inline_context = @object['@context'].find { |item| item.is_a?(Hash) }
+      if inline_context
+        keys = inline_context.keys
+        return true if ENV.fetch('REJECT_IF_CONTEXT_EQUALS', '').split.any? { |r| r.in?(keys) }
+        return true if ENV.fetch('REJECT_IF_CONTEXT_STARTS_WITH', '').split.any? { |r| keys.any? { |k| k.start_with?(r) } }
+        return true if ENV.fetch('REJECT_IF_CONTEXT_CONTAINS', '').split.any? { |r| keys.any? { |k| r.in?(k) } }
+      end
+    end
+  end
+
+  def autoreject?
+    if @options[:imported] || should_reject?
+      Rails.logger.info("Auto-rejected #{@json['type']} activity #{@json['id']}")
+      return true
+    end
+    false
+  end
 end
diff --git a/app/lib/activitypub/activity/accept.rb b/app/lib/activitypub/activity/accept.rb
index 348ee0d1c..525d4ffd6 100644
--- a/app/lib/activitypub/activity/accept.rb
+++ b/app/lib/activitypub/activity/accept.rb
@@ -11,6 +11,7 @@ class ActivityPub::Activity::Accept < ActivityPub::Activity
   private
 
   def accept_follow
+    return if autoreject?
     return accept_follow_for_relay if relay_follow?
 
     target_account = account_from_uri(target_uri)
diff --git a/app/lib/activitypub/activity/add.rb b/app/lib/activitypub/activity/add.rb
index 688ab00b3..d9ff9c5b9 100644
--- a/app/lib/activitypub/activity/add.rb
+++ b/app/lib/activitypub/activity/add.rb
@@ -2,6 +2,7 @@
 
 class ActivityPub::Activity::Add < ActivityPub::Activity
   def perform
+    return if autoreject?
     return unless @json['target'].present? && value_or_id(@json['target']) == @account.featured_collection_url
 
     status   = status_from_uri(object_uri)
diff --git a/app/lib/activitypub/activity/announce.rb b/app/lib/activitypub/activity/announce.rb
index 99807d963..ada46b378 100644
--- a/app/lib/activitypub/activity/announce.rb
+++ b/app/lib/activitypub/activity/announce.rb
@@ -2,6 +2,7 @@
 
 class ActivityPub::Activity::Announce < ActivityPub::Activity
   def perform
+    return if autoreject?
     return reject_payload! if !@options[:imported] && (delete_arrived_first?(@json['id']) || !related_to_local_activity?)
 
     original_status = status_from_object
diff --git a/app/lib/activitypub/activity/create.rb b/app/lib/activitypub/activity/create.rb
index beef93e5a..94cde4bd6 100644
--- a/app/lib/activitypub/activity/create.rb
+++ b/app/lib/activitypub/activity/create.rb
@@ -2,6 +2,7 @@
 
 class ActivityPub::Activity::Create < ActivityPub::Activity
   def perform
+    return if autoreject?
     return reject_payload! if unsupported_object_type? || !@options[:imported] && (invalid_origin?(@object['id']) || Tombstone.exists?(uri: @object['id']) || !related_to_local_activity?)
 
     RedisLock.acquire(lock_options) do |lock|
diff --git a/app/lib/activitypub/activity/flag.rb b/app/lib/activitypub/activity/flag.rb
index f73b93058..7fb6e3422 100644
--- a/app/lib/activitypub/activity/flag.rb
+++ b/app/lib/activitypub/activity/flag.rb
@@ -2,6 +2,7 @@
 
 class ActivityPub::Activity::Flag < ActivityPub::Activity
   def perform
+    return if autoreject?
     return if skip_reports?
 
     target_accounts            = object_uris.map { |uri| account_from_uri(uri) }.compact.select(&:local?)
diff --git a/app/lib/activitypub/activity/follow.rb b/app/lib/activitypub/activity/follow.rb
index 1e805c0d1..84041ec8d 100644
--- a/app/lib/activitypub/activity/follow.rb
+++ b/app/lib/activitypub/activity/follow.rb
@@ -2,6 +2,7 @@
 
 class ActivityPub::Activity::Follow < ActivityPub::Activity
   def perform
+    return if autoreject?
     target_account = account_from_uri(object_uri)
 
     return if target_account.nil? || !target_account.local? || delete_arrived_first?(@json['id']) || @account.requested?(target_account)
diff --git a/app/lib/activitypub/activity/like.rb b/app/lib/activitypub/activity/like.rb
index 674d5fe47..2c4a9d805 100644
--- a/app/lib/activitypub/activity/like.rb
+++ b/app/lib/activitypub/activity/like.rb
@@ -2,6 +2,7 @@
 
 class ActivityPub::Activity::Like < ActivityPub::Activity
   def perform
+    return if autoreject?
     original_status = status_from_uri(object_uri)
 
     return if original_status.nil? || !original_status.account.local? || delete_arrived_first?(@json['id']) || @account.favourited?(original_status)
diff --git a/app/lib/activitypub/activity/move.rb b/app/lib/activitypub/activity/move.rb
index d7a5f595c..b1c986551 100644
--- a/app/lib/activitypub/activity/move.rb
+++ b/app/lib/activitypub/activity/move.rb
@@ -4,6 +4,7 @@ class ActivityPub::Activity::Move < ActivityPub::Activity
   PROCESSING_COOLDOWN = 7.days.seconds
 
   def perform
+    return if autoreject?
     return if origin_account.uri != object_uri || processed?
 
     mark_as_processing!
diff --git a/app/lib/activitypub/activity/update.rb b/app/lib/activitypub/activity/update.rb
index 70035325b..8fb48e073 100644
--- a/app/lib/activitypub/activity/update.rb
+++ b/app/lib/activitypub/activity/update.rb
@@ -4,6 +4,7 @@ class ActivityPub::Activity::Update < ActivityPub::Activity
   SUPPORTED_TYPES = %w(Application Group Organization Person Service).freeze
 
   def perform
+    return if autoreject?
     if equals_or_includes_any?(@object['type'], SUPPORTED_TYPES)
       update_account
     elsif equals_or_includes_any?(@object['type'], %w(Question))
author	multiple creatures <dev@multiple-creature.party>	2019-07-22 20:04:15 -0500
committer	multiple creatures <dev@multiple-creature.party>	2019-07-22 20:14:29 -0500
commit	86f29a68fbf5344291b21253f597a914cec18f02 (patch)
tree	aceda975c6666ae760e118ce0a2bb11c2f7fd1a7
parent	d82d7e0b2b7f03e17739f511b2f7dd21fac4342f (diff)