From bf657d3409dc8d004e9935a5817ae91749e8cd85 Mon Sep 17 00:00:00 2001
From: Ryan Barrett
Date: Thu, 20 Jun 2024 14:32:37 -0700
Subject: [PATCH] ActivityPub.inbox: return 400 on invalid activity id fixes https://console.cloud.google.com/errors/detail/CLSnttKfy4v90wE;time=P7D?project=bridgy-federated
---
 activitypub.py | 10 +++++++---
 tests/test_activitypub.py | 7 +++++++
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/activitypub.py b/activitypub.py
index 33d2ff3b..6b7915b8 100644
--- a/activitypub.py
+++ b/activitypub.py
@@ -1017,7 +1017,7 @@ def inbox(protocol=None, id=None):
 type = activity.get('type')
 actor = as1.get_object(activity, 'actor')
 actor_id = actor.get('id')
- logger.info(f'Got {type} {activity.get("id")} from {actor_id}')
+ logger.info(f'Got {type} {id} from {actor_id}')
 if ActivityPub.is_blocklisted(actor_id): error(f'Actor {actor_id} is blocklisted')
@@ -1061,8 +1061,12 @@ def inbox(protocol=None, id=None):
 if not id: id = f'{actor_id}#{type}-{object.get("id", "")}-{util.now().isoformat()}'
- obj = Object.get_or_create(id=id, as2=unwrap(activity), authed_as=authed_as,
- source_protocol=ActivityPub.LABEL)
+ try:
+ obj = Object.get_or_create(id=id, as2=unwrap(activity), authed_as=authed_as,
+ source_protocol=ActivityPub.LABEL)
+ except AssertionError as e:
+ error(f'Invalid activity, probably due to id: {e}', status=400)
+ return create_task(queue='receive', obj=obj.key.urlsafe(), authed_as=authed_as)
diff --git a/tests/test_activitypub.py b/tests/test_activitypub.py
index 5e50bafe..5d7f16f1 100644
--- a/tests/test_activitypub.py
+++ b/tests/test_activitypub.py
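Review bot: The rewritten log call in the first hunk interpolates `type`, `id` and `actor_id` straight into the message, and all three appear to come from the body of a remote inbox POST. If the log sink is line-oriented, embedded newlines or control characters in those fields can forge or split entries; `logger.info(f'Got {type} {id!r} from {actor_id!r}')` keeps them on one line. `id` is also the name of an `inbox` parameter and of a builtin, and the assignment that makes it hold the activity id is outside this hunk, so a short comment such as `# id: activity id from the request body, may be empty here` would help the next reader.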
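Review bot: The `except AssertionError` added around `Object.get_or_create` in the second hunk makes an `assert` somewhere under that call the only validation of a sender-supplied activity id. Asserts are compiled out when Python runs with `-O`, and any unrelated invariant failure inside the call would now also surface as a 400 blamed on the id. Prefer an explicit check of `id` before the call that ends in `error(..., status=400)`, keeping the `try` only as a backstop. The message passed to `error` interpolates `{e}`, which presumably reaches the remote server; a fixed `error('Invalid activity id', status=400)` with the detail sent to `logger.warning` avoids echoing internal assertion text. The body of `inbox` starts and ends outside this hunk.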
@@ -567,6 +567,13 @@ class ActivityPubTest(TestCase):
 as2=note, status='ignored', users=[user.key], ignore=['our_as1'])
+ def test_inbox_bad_id(self, *_):
+ user = self.make_user(ACTOR['id'], cls=ActivityPub, obj_as2=ACTOR)
+ # mock_get.return_value = self.as2_resp(ACTOR)
+
+ resp = self.post('/ap/sharedInbox', json={**NOTE, 'id': 'abc123'})
+ self.assertEqual(400, resp.status_code)
+ @patch('oauth_dropins.webutil.appengine_config.tasks_client.create_task')
 def test_inbox_create_receive_task(self, mock_create_task, *mocks):
 common.RUN_TASKS_INLINE = False
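Review bot: `test_inbox_bad_id` carries a commented-out line, `# mock_get.return_value = self.as2_resp(ACTOR)`, which is dead code and should be dropped. The `user` binding is never read, so the call can stand alone as `self.make_user(ACTOR['id'], cls=ActivityPub, obj_as2=ACTOR)`. The test pins only the status code for a single malformed id (`'abc123'`). Since the handler rejects sender-controlled input, it would be worth also asserting that nothing was stored or queued for that id, and adding a one-line docstring such as `"""A non-URL activity id is rejected with 400 before any task is created."""`.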