AP inbox delivery, Protocol.receive: error on blocklisted ids
fixes https://console.cloud.google.com/errors/detail/CN278MyjhZbtOQ;time=P30D?project=bridgy-federated , https://console.cloud.google.com/errors/detail/CLSnttKfy4v90wE;time=P30D?project=bridgy-federatedpull/905/head
rodzic
42b4541c8d
commit
8288390cfd
|
@ -879,6 +879,9 @@ def inbox(protocol=None, id=None):
|
|||
actor_id = actor.get('id')
|
||||
logger.info(f'Got {type} from {actor_id}: {json_dumps(activity, indent=2)}')
|
||||
|
||||
if ActivityPub.is_blocklisted(actor_id):
|
||||
error(f'Actor {actor_id} is blocklisted')
|
||||
|
||||
authed_as = ActivityPub.verify_signature(activity)
|
||||
|
||||
# check that this activity is public. only do this for creates, not likes,
|
||||
|
|
|
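Review bot: The new `if ActivityPub.is_blocklisted(actor_id):` check sits after the `logger.info` line that dumps the entire, still-unverified activity at INFO, so every request from a blocklisted actor is logged in full before it is rejected; moving the check and its `error(...)` above the log call keeps blocked traffic out of the logs. Also, `actor_id` comes from `actor.get('id')` and can be None when the actor carries no id; I cannot see from here whether `is_blocklisted` tolerates None, so confirm that it does or that a None actor is rejected by a later check. inbox's body continues outside the hunk.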
@ -134,7 +134,7 @@ class FollowCallback(indieauth.Callback):
|
|||
follow_obj = Object(id=follow_id, our_as1=follow_as1, source_protocol='ui',
|
||||
labels=['user'])
|
||||
|
||||
resp = Web.receive(follow_obj, authed_as=domain)
|
||||
resp = Web.receive(follow_obj, authed_as=domain, internal=True)
|
||||
logger.info(f'Web.receive returned {resp}')
|
||||
|
||||
follow_obj = follow_obj.key.get()
|
||||
|
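Review bot: The `internal=True` added to the `Web.receive` call carries no comment saying what it relaxes, and the same bare flag is added again in the UnfollowCallback hunk below; from the call site alone a reader cannot tell that it disables Protocol.receive's activity-id blocklist check. A one-line comment on each call, e.g. `# internal=True: the activity id is on one of our own domains, which the blocklist check would otherwise reject` (inferred from the new `internal (bool)` docstring in Protocol.receive — confirm), would record the reason at both call sites. FollowCallback's method body continues outside the hunk.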
@ -218,7 +218,7 @@ class UnfollowCallback(indieauth.Callback):
|
|||
# network etiquette.)
|
||||
follow_obj = Object(id=unfollow_id, users=[user.key], labels=['user'],
|
||||
source_protocol='ui', our_as1=unfollow_as1)
|
||||
resp = Web.receive(follow_obj, authed_as=domain)
|
||||
resp = Web.receive(follow_obj, authed_as=domain, internal=True)
|
||||
|
||||
follower.status = 'inactive'
|
||||
follower.put()
|
||||
|
|
|
@ -546,7 +546,7 @@ class Protocol:
|
|||
return outer_obj
|
||||
|
||||
@classmethod
|
||||
def receive(from_cls, obj, authed_as=None):
|
||||
def receive(from_cls, obj, authed_as=None, internal=False):
|
||||
"""Handles an incoming activity.
|
||||
|
||||
If ``obj``'s key is unset, ``obj.as1``'s id field is used. If both are
|
||||
|
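Review bot: `internal` is a boolean that switches off a security check, yet it is added as an ordinary positional parameter, so a caller passing a third positional argument by mistake would silently bypass the blocklist; make it keyword-only, `def receive(from_cls, obj, authed_as=None, *, internal=False):`, which stays compatible with both call sites in this commit because they already pass `internal=True` by keyword. receive's body continues past the end of the hunk.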
@ -555,6 +555,7 @@ class Protocol:
|
|||
Args:
|
||||
obj (models.Object)
|
||||
authed_as (str): authenticated actor id who sent this activity
|
||||
internal (bool): whether to allow activity ids on internal domains
|
||||
|
||||
Returns:
|
||||
(str, int) tuple: (response body, HTTP status code) Flask response
|
||||
|
@ -580,6 +581,8 @@ class Protocol:
|
|||
|
||||
if not id:
|
||||
error('No id provided')
|
||||
elif from_cls.is_blocklisted(id) and not internal:
|
||||
error(f'Activity {id} is blocklisted')
|
||||
|
||||
# short circuit if we've already seen this activity id.
|
||||
# (don't do this for bare objects since we need to check further down
|
||||
|
|
|
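Review bot: `elif from_cls.is_blocklisted(id) and not internal:` skips the blocklist check entirely when `internal` is set, while the new docstring describes the flag as only allowing ids on internal domains; if `is_blocklisted` also covers externally blocklisted domains (not visible here), a UI-originated activity whose id lands on such a domain would pass. If that distinction exists, narrow the bypass to the internal-domain case — for example by giving `is_blocklisted` a keyword that admits internal domains, `elif from_cls.is_blocklisted(id, allow_internal=internal):` (placeholder name, the parameter would need to be added) — or tighten the docstring to say the check is skipped altogether. receive's body continues outside the hunk.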
@ -829,6 +829,19 @@ class ActivityPubTest(TestCase):
|
|||
self.assertIsNone(Object.get_by_id(not_public['id']))
|
||||
self.assertIsNone(Object.get_by_id(not_public['object']['id']))
|
||||
|
||||
def test_inbox_actor_blocklisted(self, mock_head, mock_get, mock_post):
|
||||
got = self.post('/ap/sharedInbox', json={
|
||||
'type': 'Delete',
|
||||
'id': 'http://inst/foo#delete',
|
||||
'actor': 'http://localhost:3000/foo',
|
||||
'object': 'http://inst/foo',
|
||||
})
|
||||
self.assertEqual(400, got.status_code, got.get_data(as_text=True))
|
||||
|
||||
self.assertIsNone(Object.get_by_id('http://localhost:3000/foo'))
|
||||
self.assertIsNone(Object.get_by_id('http://inst/foo#delete'))
|
||||
self.assertIsNone(Object.get_by_id('http://inst/foo'))
|
||||
|
||||
def test_inbox_like(self, mock_head, mock_get, mock_post):
|
||||
mock_head.return_value = requests_response(url='https://user.com/post')
|
||||
mock_get.side_effect = [
|
||||
|
|
|
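Review bot: `test_inbox_actor_blocklisted` checks the 400 and that no Objects were stored, but not that the request was rejected before any outbound traffic; since the new blocklist check precedes `ActivityPub.verify_signature`, which I assume fetches the actor's key (not visible here), adding `mock_get.assert_not_called()` and `mock_post.assert_not_called()` after the status assertion would pin the property that a blocklisted actor triggers no outbound requests. The test method is complete within the hunk.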
@ -1601,6 +1601,16 @@ class ProtocolReceiveTest(TestCase):
|
|||
},
|
||||
})
|
||||
|
||||
def test_activity_id_blocklisted(self):
|
||||
with self.assertRaises(BadRequest):
|
||||
Fake.receive_as1({
|
||||
'objectType': 'activity',
|
||||
'verb': 'delete',
|
||||
'id': 'fake:blocklisted:delete',
|
||||
'actor': 'fake:user',
|
||||
'object': 'fake:foo',
|
||||
})
|
||||
|
||||
def test_resolve_ids_follow(self):
|
||||
follow = {
|
||||
'id': 'fake:follow',
|
||||
|
|
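Review bot: `test_activity_id_blocklisted` asserts only that `BadRequest` is raised; unlike `test_inbox_actor_blocklisted` in the ActivityPub test hunk it does not verify that nothing was persisted, and no test in this commit exercises the new `internal=True` bypass. Add `self.assertIsNone(Object.get_by_id('fake:blocklisted:delete'))` after the `with` block, and a companion test that delivers the same activity with `internal=True` (through whichever helper exposes that keyword) and asserts it is accepted, so a regression in either direction of the bypass is caught.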