From 802cf6a4c53175c7da17ded39cf75679fa352385 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Wed, 22 Aug 2018 20:55:14 +0200 Subject: Improve federated ID validation (#8372) * Fix URI not being sufficiently validated with prefetched JSON * Add additional id validation to OStatus documents, when possible --- app/lib/ostatus/activity/creation.rb | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'app/lib/ostatus') diff --git a/app/lib/ostatus/activity/creation.rb b/app/lib/ostatus/activity/creation.rb index d3a303a0c..8f8c70052 100644 --- a/app/lib/ostatus/activity/creation.rb +++ b/app/lib/ostatus/activity/creation.rb @@ -7,7 +7,7 @@ class OStatus::Activity::Creation < OStatus::Activity::Base return [nil, false] end - return [nil, false] if @account.suspended? + return [nil, false] if @account.suspended? || invalid_origin? RedisLock.acquire(lock_options) do |lock| if lock.acquired? @@ -204,6 +204,15 @@ class OStatus::Activity::Creation < OStatus::Activity::Base end end + def invalid_origin? + return false unless id.start_with?('http') # Legacy IDs cannot be checked + + needle = Addressable::URI.parse(id).normalized_host + + !(needle.casecmp(@account.domain).zero? || + needle.casecmp(Addressable::URI.parse(@account.remote_url.presence || @account.uri).normalized_host).zero?) + end + def lock_options { redis: Redis.current, key: "create:#{id}" } end -- cgit