tarrien/Mastodon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve federated ID validation (#8372)

Browse Source 
* Fix URI not being sufficiently validated with prefetched JSON

* Add additional id validation to OStatus documents, when possible
This commit is contained in:
Eugen Rochko
2018-08-22 20:55:14 +02:00
committed by GitHub
parent ad41806e53
commit 802cf6a4c5
10 changed files with 122 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
app/lib/ostatus/activity/creation.rb
View File

@ -7,7 +7,7 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
return [nil, false]
end
return [nil, false] if @account.suspended?
return [nil, false] if @account.suspended? || invalid_origin?
RedisLock.acquire(lock_options) do |lock|
if lock.acquired?
@ -204,6 +204,15 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
end
end
def invalid_origin?
return false unless id.start_with?('http') # Legacy IDs cannot be checked
needle = Addressable::URI.parse(id).normalized_host
!(needle.casecmp(@account.domain).zero? ||
needle.casecmp(Addressable::URI.parse(@account.remote_url.presence || @account.uri).normalized_host).zero?)
end
def lock_options
{ redis: Redis.current, key: "create:#{id}" }
end