diff options
| author |  tobi <31960611+tsmethurst@users.noreply.github.com> | 2024-02-06 12:59:37 +0100 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2024-02-06 12:59:37 +0100 |
| commit | b6fe8e7a5b68c5d12b23056b6654157c739c7376 (patch) | |
| tree | 6a30d3e67ddba70608e5cb0d25bb759877a3bb1c /internal/federation/federatingdb/create.go | |
| parent | [feature] serdes for moved/also_known_as (#2600) (diff) | |
| download | gotosocial-b6fe8e7a5b68c5d12b23056b6654157c739c7376.tar.xz | |
[bugfix] Ensure activities sender always = activities actor (#2608)
Diffstat (limited to 'internal/federation/federatingdb/create.go')
| -rw-r--r-- | internal/federation/federatingdb/create.go | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/internal/federation/federatingdb/create.go b/internal/federation/federatingdb/create.go index 1008e5f7f..279d07c66 100644 --- a/internal/federation/federatingdb/create.go +++ b/internal/federation/federatingdb/create.go @@ -24,6 +24,7 @@ import ( "strings" "codeberg.org/gruf/go-logger/v2/level" + "github.com/miekg/dns" "github.com/superseriousbusiness/activity/streams/vocab" "github.com/superseriousbusiness/gotosocial/internal/ap" "github.com/superseriousbusiness/gotosocial/internal/config" @@ -103,6 +104,20 @@ func (f *federatingDB) activityBlock(ctx context.Context, asType vocab.Type, rec return fmt.Errorf("activityBlock: could not convert Block to gts model block") } + if block.AccountID != requestingAccount.ID { + return fmt.Errorf( + "activityBlock: requestingAccount %s is not Block actor account %s", + requestingAccount.URI, block.Account.URI, + ) + } + + if block.TargetAccountID != receiving.ID { + return fmt.Errorf( + "activityBlock: inbox account %s is not Block object account %s", + receiving.URI, block.TargetAccount.URI, + ) + } + block.ID = id.NewULID() if err := f.state.DB.PutBlock(ctx, block); err != nil { @@ -421,6 +436,20 @@ func (f *federatingDB) activityFollow(ctx context.Context, asType vocab.Type, re return fmt.Errorf("activityFollow: could not convert Follow to follow request: %s", err) } + if followRequest.AccountID != requestingAccount.ID { + return fmt.Errorf( + "activityFollow: requestingAccount %s is not Follow actor account %s", + requestingAccount.URI, followRequest.Account.URI, + ) + } + + if followRequest.TargetAccountID != receivingAccount.ID { + return fmt.Errorf( + "activityFollow: inbox account %s is not Follow object account %s", + receivingAccount.URI, followRequest.TargetAccount.URI, + ) + } + followRequest.ID = id.NewULID() if err := f.state.DB.PutFollowRequest(ctx, followRequest); err != nil { @@ -452,6 +481,13 @@ func (f *federatingDB) activityLike(ctx context.Context, asType vocab.Type, rece return fmt.Errorf("activityLike: could not convert Like to fave: %w", err) } + if fave.AccountID != requestingAccount.ID { + return fmt.Errorf( + "activityLike: requestingAccount %s is not Like actor account %s", + requestingAccount.URI, fave.Account.URI, + ) + } + fave.ID = id.NewULID() if err := f.state.DB.PutStatusFave(ctx, fave); err != nil { @@ -489,6 +525,26 @@ func (f *federatingDB) activityFlag(ctx context.Context, asType vocab.Type, rece return fmt.Errorf("activityFlag: could not convert Flag to report: %w", err) } + // Requesting account must have at + // least two domains from the right + // in common with reporting account. + if dns.CompareDomainName( + requestingAccount.Domain, + report.Account.Domain, + ) < 2 { + return fmt.Errorf( + "activityFlag: requesting account %s does not share a domain with Flag Actor account %s", + requestingAccount.URI, report.Account.URI, + ) + } + + if report.TargetAccountID != receivingAccount.ID { + return fmt.Errorf( + "activityFlag: inbox account %s is not Flag object account %s", + receivingAccount.URI, report.TargetAccount.URI, + ) + } + report.ID = id.NewULID() if err := f.state.DB.PutReport(ctx, report); err != nil { |