Ryan Barrett 2024-02-26 22:52:52 -08:00
rodzic 42b4541c8d
commit 8288390cfd
Nie znaleziono w bazie danych klucza dla tego podpisu
ID klucza GPG: 6BE31FDF4776E9D4
5 zmienionych plików z 32 dodań i 3 usunięć


@ -879,6 +879,9 @@ def inbox(protocol=None, id=None):
actor_id = actor.get('id')
logger.info(f'Got {type} from {actor_id}: {json_dumps(activity, indent=2)}')
if ActivityPub.is_blocklisted(actor_id):
error(f'Actor {actor_id} is blocklisted')
authed_as = ActivityPub.verify_signature(activity)
# check that this activity is public. only do this for creates, not likes,
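Review bot: The new blocklist test covers only `actor_id` taken from the request body, while `ActivityPub.verify_signature(activity)` on the next line presumably resolves the signature's key id, which is a separate sender-controlled value. `verify_signature` is not shown here, so it is worth confirming that the key id also goes through `is_blocklisted` before any key fetch is made. The ordering looks deliberate and deserves a comment above the check, for example `# reject before verify_signature so we never fetch keys from blocklisted hosts`. The `logger.info` call above the check still writes the full activity for senders that are then rejected. The body of `inbox` starts and ends outside this hunk.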


@ -134,7 +134,7 @@ class FollowCallback(indieauth.Callback):
follow_obj = Object(id=follow_id, our_as1=follow_as1, source_protocol='ui',
labels=['user'])
resp = Web.receive(follow_obj, authed_as=domain)
resp = Web.receive(follow_obj, authed_as=domain, internal=True)
logger.info(f'Web.receive returned {resp}')
follow_obj = follow_obj.key.get()
@ -218,7 +218,7 @@ class UnfollowCallback(indieauth.Callback):
# network etiquette.)
follow_obj = Object(id=unfollow_id, users=[user.key], labels=['user'],
source_protocol='ui', our_as1=unfollow_as1)
resp = Web.receive(follow_obj, authed_as=domain)
resp = Web.receive(follow_obj, authed_as=domain, internal=True)
follower.status = 'inactive'
follower.put()
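Review bot: `internal=True` at both `Web.receive` calls turns off the activity-id blocklist check, and nothing next to either call says why that is safe. The construction of `follow_id` and `unfollow_id` is outside these hunks; presumably both are minted on this server's own domain, which the blocklist would otherwise reject. A comment at each call would record that, for example `# internal=True: this id is generated on our own domain, which is_blocklisted() rejects`. If any part of those ids is derived from user input, confirm it cannot change the host portion of the id.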


@ -546,7 +546,7 @@ class Protocol:
return outer_obj
@classmethod
def receive(from_cls, obj, authed_as=None):
def receive(from_cls, obj, authed_as=None, internal=False):
"""Handles an incoming activity.
If ``obj``'s key is unset, ``obj.as1``'s id field is used. If both are
@ -555,6 +555,7 @@ class Protocol:
Args:
obj (models.Object)
authed_as (str): authenticated actor id who sent this activity
internal (bool): whether to allow activity ids on internal domains
Returns:
(str, int) tuple: (response body, HTTP status code) Flask response
@ -580,6 +581,8 @@ class Protocol:
if not id:
error('No id provided')
elif from_cls.is_blocklisted(id) and not internal:
error(f'Activity {id} is blocklisted')
# short circuit if we've already seen this activity id.
# (don't do this for bare objects since we need to check further down
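Review bot: `internal` switches off a security check, so it should be hard to pass by accident; as a third positional parameter, a call such as `receive(obj, actor, True)` would skip the blocklist without being obvious at the call site. Making it keyword-only, `def receive(from_cls, obj, authed_as=None, *, internal=False):`, keeps both callers changed in this commit working, since they pass it by name. The docstring entry could also state the constraint, for example `internal (bool): skip the id blocklist; only for activities this server generated itself, never set from request data`. The body of `receive` continues outside the hunks shown.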


@ -829,6 +829,19 @@ class ActivityPubTest(TestCase):
self.assertIsNone(Object.get_by_id(not_public['id']))
self.assertIsNone(Object.get_by_id(not_public['object']['id']))
def test_inbox_actor_blocklisted(self, mock_head, mock_get, mock_post):
got = self.post('/ap/sharedInbox', json={
'type': 'Delete',
'id': 'http://inst/foo#delete',
'actor': 'http://localhost:3000/foo',
'object': 'http://inst/foo',
})
self.assertEqual(400, got.status_code, got.get_data(as_text=True))
self.assertIsNone(Object.get_by_id('http://localhost:3000/foo'))
self.assertIsNone(Object.get_by_id('http://inst/foo#delete'))
self.assertIsNone(Object.get_by_id('http://inst/foo'))
def test_inbox_like(self, mock_head, mock_get, mock_post):
mock_head.return_value = requests_response(url='https://user.com/post')
mock_get.side_effect = [
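Review bot: `test_inbox_actor_blocklisted` asserts the 400 and that nothing was stored, but not that the request was rejected before any outbound fetch, which is the property that matters when the actor is on `localhost`. Adding `mock_get.assert_not_called()` and `mock_head.assert_not_called()` after the status assertion would pin that. The 400 could also come from a different validation failure, so asserting that the response text contains `blocklisted` would tie the test to the new check.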


@ -1601,6 +1601,16 @@ class ProtocolReceiveTest(TestCase):
},
})
def test_activity_id_blocklisted(self):
with self.assertRaises(BadRequest):
Fake.receive_as1({
'objectType': 'activity',
'verb': 'delete',
'id': 'fake:blocklisted:delete',
'actor': 'fake:user',
'object': 'fake:foo',
})
def test_resolve_ids_follow(self):
follow = {
'id': 'fake:follow',
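Review bot: Only the rejecting path is covered in `test_activity_id_blocklisted`; nothing in this section exercises `internal=True`, the new way around the check. A companion case that passes the same `fake:blocklisted:delete` id with `internal=True` and expects no `BadRequest` from the blocklist would catch a regression in either direction. Whether `Fake.receive_as1` forwards keyword arguments to `receive` is not visible from this hunk, so that case may need to call `Fake.receive` directly.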