From 469da93678b3f738f65372d13dcd1ea7de390063 Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Mon, 23 May 2022 11:46:50 +0200
Subject: [security] Check all involved IRIs during block checking (#593)
* tidy up context keys, add otherInvolvedIRIs
* add ReplyToable interface
* skip block check if we own the requesting domain
* add block check for other involved IRIs
* use cacheable status fetch
* remove unused ContextActivity
* remove unused ContextActivity
* add helper for unique URIs
* check through CCs and clean slice
* add GetAccountIDForStatusURI
* add GetAccountIDForAccountURI
* check blocks on involved account
* add statuses to tests
* add some blocked tests
* go fmt
* extract Tos as well as CCs
* test PostInboxRequestBodyHook
* add some more testActivities
* deduplicate involvedAccountIDs
* go fmt
* use cacheable db functions, remove new functions
---
 internal/ap/contextkey.go | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
(limited to 'internal/ap/contextkey.go')
diff --git a/internal/ap/contextkey.go b/internal/ap/contextkey.go
index e432a9199..2afdefe05 100644
--- a/internal/ap/contextkey.go
+++ b/internal/ap/contextkey.go
@@ -22,20 +22,16 @@ package ap
 type ContextKey string

 const (
- // ContextActivity can be used to set and retrieve the actual go-fed pub.Activity within a context.
- ContextActivity ContextKey = "activity"
 // ContextReceivingAccount can be used the set and retrieve the account being interacted with / receiving an activity in their inbox.
- ContextReceivingAccount ContextKey = "account"
+ ContextReceivingAccount ContextKey = "receivingAccount"
 // ContextRequestingAccount can be used to set and retrieve the account of an incoming federation request.
 // This will often be the actor of the instance that's posting the request.
 ContextRequestingAccount ContextKey = "requestingAccount"
- // ContextRequestingActorIRI can be used to set and retrieve the actor of an incoming federation request.
- // This will usually be the owner of whatever activity is being posted.
- ContextRequestingActorIRI ContextKey = "requestingActorIRI"
+ // ContextOtherInvolvedIRIs can be used to set and retrieve a slice of all IRIs that are 'involved' in an Activity without being
+ // the receivingAccount or the requestingAccount. In other words, people or notes who are CC'ed or Replied To by an Activity.
+ ContextOtherInvolvedIRIs ContextKey = "otherInvolvedIRIs"
 // ContextRequestingPublicKeyVerifier can be used to set and retrieve the public key verifier of an incoming federation request.
 ContextRequestingPublicKeyVerifier ContextKey = "requestingPublicKeyVerifier"
 // ContextRequestingPublicKeySignature can be used to set and retrieve the value of the signature header of an incoming federation request.
 ContextRequestingPublicKeySignature ContextKey = "requestingPublicKeySignature"
- // ContextFromFederatorChan can be used to pass a pointer to the fromFederator channel into the federator for use in callbacks.
- ContextFromFederatorChan ContextKey = "fromFederatorChan"
 )
-- cgit v1.2.3
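Review bot: The doc comment added for `ContextOtherInvolvedIRIs` says the slice holds "people or notes who are CC'ed or Replied To", but the commit message states that To recipients are extracted as well ("extract Tos as well as CCs"), so the comment understates which IRIs the block check is meant to cover. It also does not name the element type stored under the key or say what an absent value means. The code that reads the key is outside this hunk, but it has to type-assert the context value, and a missing key or failed assertion would presumably leave the block check with nothing to compare, so that contract belongs in the comment. I would reword the second comment line to `// the receivingAccount or the requestingAccount: actors or notes that are addressed (To, CC) or replied to by an Activity.` and add a line stating the concrete slice type and that code reading the key must treat a missing value as "not extracted" rather than "nobody else involved".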