Merge pull request #329 from cloudflare/sven/limits

add more limits

backend/src/activitypub/actors/index.ts

@@ -43,32 +43,41 @@ export async function get(url: string | URL): Promise<Actor> {
 
 	const data = await res.json<any>()
 	const actor: Actor = { ...data }
-	actor.id = new URL(data.id)
+	actor.id = new URL(actor.id)
 
-	if (data.content) {
-		actor.content = await sanitizeContent(data.content)
+	if (actor.summary) {
+		actor.summary = await sanitizeContent(actor.summary)
+		if (actor.summary.length > 500) {
+			actor.summary = actor.summary.substring(0, 500)
 		}
-	if (data.name) {
-		actor.name = await getTextContent(data.name)
 	}
-	if (data.preferredUsername) {
-		actor.preferredUsername = await getTextContent(data.preferredUsername)
+	if (actor.name) {
+		actor.name = await getTextContent(actor.name)
+		if (actor.name.length > 30) {
+			actor.name = actor.name.substring(0, 30)
+		}
+	}
+	if (actor.preferredUsername) {
+		actor.preferredUsername = await getTextContent(actor.preferredUsername)
+		if (actor.preferredUsername.length > 30) {
+			actor.preferredUsername = actor.preferredUsername.substring(0, 30)
+		}
 	}
 
 	// This is mostly for testing where for convenience not all values
 	// are provided.
 	// TODO: eventually clean that to better match production.
-	if (data.inbox !== undefined) {
-		actor.inbox = new URL(data.inbox)
+	if (actor.inbox !== undefined) {
+		actor.inbox = new URL(actor.inbox)
 	}
-	if (data.following !== undefined) {
-		actor.following = new URL(data.following)
+	if (actor.following !== undefined) {
+		actor.following = new URL(actor.following)
 	}
-	if (data.followers !== undefined) {
-		actor.followers = new URL(data.followers)
+	if (actor.followers !== undefined) {
+		actor.followers = new URL(actor.followers)
 	}
-	if (data.outbox !== undefined) {
-		actor.outbox = new URL(data.outbox)
+	if (actor.outbox !== undefined) {
+		actor.outbox = new URL(actor.outbox)
 	}
 
 	return actor

backend/src/errors/index.ts

@@ -7,7 +7,7 @@ type ErrorResponse = {
 
 const headers = {
 	...cors(),
-	'content-type': 'application/json',
+	'content-type': 'application/json; charset=utf-8',
 } as const
 
 function generateErrorResponse(error: string, status: number, errorDescription?: string): Response {
@@ -57,3 +57,7 @@ export function exceededLimit(detail: string): Response {
 export function resourceNotFound(name: string, id: string): Response {
 	return generateErrorResponse('Resource not found', 404, `${name} "${id}" not found`)
 }
+
+export function validationError(detail: string): Response {
+	return generateErrorResponse('Validation failed', 422, detail)
+}

backend/test/activitypub.spec.ts

@@ -22,6 +22,7 @@ const vapidKeys = {} as JWK
 const domain = 'cloudflare.com'
 
 describe('ActivityPub', () => {
+	describe('Actors', () => {
 		test('fetch non-existant user by id', async () => {
 			const db = await makeDB()
 
@@ -61,6 +62,51 @@ describe('ActivityPub', () => {
 			assert.equal(data.publicKey.publicKeyPem, pubKey)
 		})
 
+		test('sanitize Actor properties', async () => {
+			globalThis.fetch = async (input: RequestInfo) => {
+				if (input === 'https://example.com/actor') {
+					return new Response(
+						JSON.stringify({
+							id: 'https://example.com/actor',
+							type: 'Person',
+							summary: "it's me, Mario. <script>alert(1)</script>",
+							name: 'hi<br />hey',
+							preferredUsername: 'sven <script>alert(1)</script>',
+						})
+					)
+				}
+				throw new Error(`unexpected request to "${input}"`)
+			}
+
+			const actor = await actors.get('https://example.com/actor')
+			assert.equal(actor.summary, "it's me, Mario. <p>alert(1)</p>")
+			assert.equal(actor.name, 'hi hey')
+			assert.equal(actor.preferredUsername, 'sven alert(1)')
+		})
+
+		test('Actor properties limits', async () => {
+			globalThis.fetch = async (input: RequestInfo) => {
+				if (input === 'https://example.com/actor') {
+					return new Response(
+						JSON.stringify({
+							id: 'https://example.com/actor',
+							type: 'Person',
+							summary: 'a'.repeat(612),
+							name: 'b'.repeat(50),
+							preferredUsername: 'c'.repeat(50),
+						})
+					)
+				}
+				throw new Error(`unexpected request to "${input}"`)
+			}
+
+			const actor = await actors.get('https://example.com/actor')
+			assert.equal(actor.summary, 'a'.repeat(500))
+			assert.equal(actor.name, 'b'.repeat(30))
+			assert.equal(actor.preferredUsername, 'c'.repeat(30))
+		})
+	})
+
 	describe('Outbox', () => {
 		test('return outbox', async () => {
 			const db = await makeDB()

backend/test/mastodon/statuses.spec.ts

@@ -1010,5 +1010,25 @@ describe('Mastodon APIs', () => {
 			assert.equal(results![0].object_id, note.id.toString())
 			assert.equal(results![1].object_id, note.id.toString())
 		})
+
+		test('reject statuses exceeding limits', async () => {
+			const db = await makeDB()
+			const queue = makeQueue()
+			const actor = await createPerson(domain, db, userKEK, 'sven@cloudflare.com')
+
+			const body = {
+				status: 'a'.repeat(501),
+				visibility: 'public',
+			}
+			const req = new Request('https://example.com', {
+				method: 'POST',
+				headers: { 'content-type': 'application/json' },
+				body: JSON.stringify(body),
+			})
+
+			const res = await statuses.handleRequest(req, db, actor, userKEK, queue, cache)
+			assert.equal(res.status, 422)
+			assertJSON(res)
+		})
 	})
 })

functions/api/v1/statuses.ts

@@ -74,6 +74,10 @@ export async function handleRequest(
 		return new Response('', { status: 400 })
 	}
 
+	if (body.status.length > 500) {
+		return errors.validationError('text character limit of 500 exceeded')
+	}
+
 	const mediaAttachments: Array<Document> = []
 	if (body.media_ids && body.media_ids.length > 0) {
 		if (body.media_ids.length > 4) {