404 requests for root paths that aren't user domains

lots of these are fediverse tools sniffing for specific implentations, eg mastodon etc.  /siteinfo.json, /status.php, etc.

activitypub.py

@@ -71,6 +71,10 @@ class ActorHandler(common.Handler):
 
     @cache_response(CACHE_TIME)
     def get(self, domain):
+        tld = domain.split('.')[-1]
+        if tld in common.TLD_BLOCKLIST:
+            self.error('', status=404)
+
         mf2 = util.fetch_mf2('http://%s/' % domain, gateway=True,
                              headers=common.HEADERS)
         # logging.info('Parsed mf2 for %s: %s', resp.url, json_dumps(mf2, indent=2))

common.py

@@ -17,6 +17,8 @@ from models import Response
 
 DOMAIN_RE = r'([^/:]+\.[^/:]+)'
 ACCT_RE = r'(?:acct:)?([^@]+)@' + DOMAIN_RE
+TLD_BLOCKLIST = ('asp', 'aspx', 'gif', 'html', 'ico', 'jpg', 'jpeg', 'js',
+                 'json', 'php', 'png', 'txt', 'yaml', 'yml')
 HEADERS = {
     'User-Agent': 'Bridgy Fed (https://fed.brid.gy/)',
 }

tests/test_activitypub.py

@@ -194,6 +194,10 @@ class ActivityPubTest(testutil.TestCase):
         self.assertEqual(400, got.status_int)
         self.assertIn('representative h-card', got.body.decode())
 
+    def test_actor_blocked_tld(self, _, __, ___):
+        got = application.get_response('/foo.json')
+        self.assertEqual(404, got.status_int)
+
     def test_inbox_reply_object(self, *mocks):
         self._test_inbox_reply(REPLY_OBJECT, REPLY_OBJECT, *mocks)