authorLibravatar kim <89579420+NyaaaWhatsUpDoc@users.noreply.github.com>2024-02-14 11:13:38 +0000
committerLibravatar GitHub <noreply@github.com>2024-02-14 12:13:38 +0100
commit2bafd7daf542d985ee76d9079a30a602cb7be827 (patch)
tree8817fe6f202155d660d75c17cd78ff5dae3d4530 /internal/federation/dereferencing/status.go
parent[feature] Add metrics for instance user count, statuses count and federating ... (diff)
[bugfix] add stricter checks during all stages of dereferencing remote AS objects (#2639)
* add stricter checks during all stages of dereferencing remote AS objects * a comment
Diffstat (limited to 'internal/federation/dereferencing/status.go')
-rw-r--r--internal/federation/dereferencing/status.go25
1 files changed, 22 insertions, 3 deletions
diff --git a/internal/federation/dereferencing/status.go b/internal/federation/dereferencing/status.go
index 23c6e98c8..6d3dd5691 100644
--- a/internal/federation/dereferencing/status.go
+++ b/internal/federation/dereferencing/status.go
@@ -413,7 +413,7 @@ func (d *Dereferencer) enrichStatus(
}
// Ensure we have the author account of the status dereferenced (+ up-to-date). If this is a new status
- // (i.e. status.AccountID == "") then any error here is irrecoverable. AccountID must ALWAYS be set.
+ // (i.e. status.AccountID == "") then any error here is irrecoverable. status.AccountID must ALWAYS be set.
if _, _, err := d.getAccountByURI(ctx, requestUser, attributedTo); err != nil && status.AccountID == "" {
return nil, nil, gtserror.Newf("failed to dereference status author %s: %w", uri, err)
}
@@ -425,11 +425,30 @@ func (d *Dereferencer) enrichStatus(
return nil, nil, gtserror.Newf("error converting statusable to gts model for status %s: %w", uri, err)
}
+ // Ensure final status isn't attempting
+ // to claim being authored by local user.
+ if latestStatus.Account.IsLocal() {
+ return nil, nil, gtserror.Newf(
+ "dereferenced status %s claiming to be local",
+ latestStatus.URI,
+ )
+ }
+
+ // Ensure the final parsed status URI / URL matches
+ // the input URI we fetched (or received) it as.
+ if expect := uri.String(); latestStatus.URI != expect &&
+ latestStatus.URL != expect {
+ return nil, nil, gtserror.Newf(
+ "dereferenced status uri %s does not match %s",
+ latestStatus.URI, expect,
+ )
+ }
+
+ var isNew bool
+
// Based on the original provided
// status model, determine whether
// this is a new insert / update.
- var isNew bool
-
if isNew = (status.ID == ""); isNew {
// Generate new status ID from the provided creation date.
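Review bot: The new match check `latestStatus.URI != expect && latestStatus.URL != expect` passes when only the `URL` field equals the fetched URI, so a status whose `URI` names a different location is still accepted as long as its URL points back at what was fetched. Both fields are parsed from the remote document, so a URL-only match does not tie the stored `URI` to the origin that served the object. Unless an earlier stage already enforces this (not visible in the hunk), consider also requiring the host of `latestStatus.URI` to equal the host of `uri` when the match comes from the URL. It would also help triage to report both fields in the error, e.g. `"dereferenced status uri %s / url %s does not match %s"`. enrichStatus begins and ends outside this hunk.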