Diffstat (limited to 'internal/federation/federatingdb/create.go')
-rw-r--r--internal/federation/federatingdb/create.go56
1 files changed, 56 insertions, 0 deletions
diff --git a/internal/federation/federatingdb/create.go b/internal/federation/federatingdb/create.go
index 1008e5f7f..279d07c66 100644
--- a/internal/federation/federatingdb/create.go
+++ b/internal/federation/federatingdb/create.go
@@ -24,6 +24,7 @@ import (
"strings"
"codeberg.org/gruf/go-logger/v2/level"
+ "github.com/miekg/dns"
"github.com/superseriousbusiness/activity/streams/vocab"
"github.com/superseriousbusiness/gotosocial/internal/ap"
"github.com/superseriousbusiness/gotosocial/internal/config"
@@ -103,6 +104,20 @@ func (f *federatingDB) activityBlock(ctx context.Context, asType vocab.Type, rec
return fmt.Errorf("activityBlock: could not convert Block to gts model block")
}
+ if block.AccountID != requestingAccount.ID {
+ return fmt.Errorf(
+ "activityBlock: requestingAccount %s is not Block actor account %s",
+ requestingAccount.URI, block.Account.URI,
+ )
+ }
+
+ if block.TargetAccountID != receiving.ID {
+ return fmt.Errorf(
+ "activityBlock: inbox account %s is not Block object account %s",
+ receiving.URI, block.TargetAccount.URI,
+ )
+ }
+
block.ID = id.NewULID()
if err := f.state.DB.PutBlock(ctx, block); err != nil {
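Review bot: The two new rejection paths build their message from `block.Account.URI` and `block.TargetAccount.URI`, which dereference pointer fields filled in by the converter, and a mismatch is the case where those fields are least certain to be populated. The converter is outside this hunk, so this cannot be confirmed here, but a nil `Account` or `TargetAccount` would turn a clean rejection into a panic. Formatting the values already being compared avoids the dereference, e.g. `requestingAccount.ID, block.AccountID` and `receiving.ID, block.TargetAccountID`. The same pattern appears in the activityFollow and activityLike hunks, and in activityFlag where `report.Account.Domain` is read before any check. A short comment above the first check would also help, for example `// Actor must be the account that authenticated this request.`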
@@ -421,6 +436,20 @@ func (f *federatingDB) activityFollow(ctx context.Context, asType vocab.Type, re
return fmt.Errorf("activityFollow: could not convert Follow to follow request: %s", err)
}
+ if followRequest.AccountID != requestingAccount.ID {
+ return fmt.Errorf(
+ "activityFollow: requestingAccount %s is not Follow actor account %s",
+ requestingAccount.URI, followRequest.Account.URI,
+ )
+ }
+
+ if followRequest.TargetAccountID != receivingAccount.ID {
+ return fmt.Errorf(
+ "activityFollow: inbox account %s is not Follow object account %s",
+ receivingAccount.URI, followRequest.TargetAccount.URI,
+ )
+ }
+
followRequest.ID = id.NewULID()
if err := f.state.DB.PutFollowRequest(ctx, followRequest); err != nil {
@@ -452,6 +481,13 @@ func (f *federatingDB) activityLike(ctx context.Context, asType vocab.Type, rece
return fmt.Errorf("activityLike: could not convert Like to fave: %w", err)
}
+ if fave.AccountID != requestingAccount.ID {
+ return fmt.Errorf(
+ "activityLike: requestingAccount %s is not Like actor account %s",
+ requestingAccount.URI, fave.Account.URI,
+ )
+ }
+
fave.ID = id.NewULID()
if err := f.state.DB.PutStatusFave(ctx, fave); err != nil {
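Review bot: activityLike gains only the actor check, while activityBlock, activityFollow and activityFlag also verify that the activity's object account is the inbox owner. If that is deliberate (for instance because a Like may legitimately arrive at an inbox other than the status author's), a comment such as `// Target account is not checked here because ...` would stop the asymmetry being read as an oversight. If it is not deliberate, the parallel check on `fave.TargetAccountID` against the receiving account should be added. The function signature is truncated in the hunk header, so the receiving parameter's name is not visible here.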
@@ -489,6 +525,26 @@ func (f *federatingDB) activityFlag(ctx context.Context, asType vocab.Type, rece
return fmt.Errorf("activityFlag: could not convert Flag to report: %w", err)
}
+ // Requesting account must have at
+ // least two domains from the right
+ // in common with reporting account.
+ if dns.CompareDomainName(
+ requestingAccount.Domain,
+ report.Account.Domain,
+ ) < 2 {
+ return fmt.Errorf(
+ "activityFlag: requesting account %s does not share a domain with Flag Actor account %s",
+ requestingAccount.URI, report.Account.URI,
+ )
+ }
+
+ if report.TargetAccountID != receivingAccount.ID {
+ return fmt.Errorf(
+ "activityFlag: inbox account %s is not Flag object account %s",
+ receivingAccount.URI, report.TargetAccount.URI,
+ )
+ }
+
report.ID = id.NewULID()
if err := f.state.DB.PutReport(ctx, report); err != nil {
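Review bot: `dns.CompareDomainName(...) < 2` counts shared labels from the right, so two unrelated hosts under a two-label public suffix (the `co.uk` style of registry) have two labels in common and pass this check without sharing an owner. If the intent is "same registrable domain", comparing the eTLD+1 of both names expresses it directly. `publicsuffix.EffectiveTLDPlusOne` from golang.org/x/net/publicsuffix does this, assuming the project can take that dependency. It does not normalise case, so the inputs should be lower-cased first. The existing comment would then read `// Requesting account and reporting account must share a registrable domain.`

```go
// Compare registrable domains (eTLD+1) instead of counting shared labels.
requestingRoot, err := publicsuffix.EffectiveTLDPlusOne(strings.ToLower(requestingAccount.Domain))
if err != nil {
	return fmt.Errorf("activityFlag: could not derive registrable domain of %s: %w", requestingAccount.URI, err)
}
reportingRoot, err := publicsuffix.EffectiveTLDPlusOne(strings.ToLower(report.Account.Domain))
if err != nil {
	return fmt.Errorf("activityFlag: could not derive registrable domain of %s: %w", report.Account.URI, err)
}
if requestingRoot != reportingRoot {
	// … unchanged: "does not share a domain with Flag Actor account" error return …
}
// … unchanged: report.TargetAccountID check against receivingAccount.ID …
```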