Improve federated ID validation (#8372)

* Fix URI not being sufficiently validated with prefetched JSON * Add additional id validation to OStatus documents, when possible
author: Eugen Rochko <eugen@zeonfederated.com> 2018-08-22 20:55:14 +0200
committer: GitHub <noreply@github.com> 2018-08-22 20:55:14 +0200
commit: 802cf6a4c53175c7da17ded39cf75679fa352385 (patch)
tree: ea3833a78c7282626f58475175d491254a64e0d8 /app/lib/ostatus
parent: ad41806e53e6b024aaca01d1d59fcc82d1c4b804 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/app/lib/ostatus/activity/creation.rb b/app/lib/ostatus/activity/creation.rb
index d3a303a0c..8f8c70052 100644
--- a/app/lib/ostatus/activity/creation.rb
+++ b/app/lib/ostatus/activity/creation.rb
@@ -7,7 +7,7 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
       return [nil, false]
     end
 
-    return [nil, false] if @account.suspended?
+    return [nil, false] if @account.suspended? || invalid_origin?
 
     RedisLock.acquire(lock_options) do |lock|
       if lock.acquired?
@@ -204,6 +204,15 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
     end
   end
 
+  def invalid_origin?
+    return false unless id.start_with?('http') # Legacy IDs cannot be checked
+
+    needle = Addressable::URI.parse(id).normalized_host
+
+    !(needle.casecmp(@account.domain).zero? ||
+      needle.casecmp(Addressable::URI.parse(@account.remote_url.presence || @account.uri).normalized_host).zero?)
+  end
+
   def lock_options
     { redis: Redis.current, key: "create:#{id}" }
   end
author	Eugen Rochko <eugen@zeonfederated.com>	2018-08-22 20:55:14 +0200
committer	GitHub <noreply@github.com>	2018-08-22 20:55:14 +0200
commit	802cf6a4c53175c7da17ded39cf75679fa352385 (patch)
tree	ea3833a78c7282626f58475175d491254a64e0d8 /app/lib/ostatus
parent	ad41806e53e6b024aaca01d1d59fcc82d1c4b804 (diff)