Improve federated ID validation (#8372)

* Fix URI not being sufficiently validated with prefetched JSON * Add additional id validation to OStatus documents, when possible
2018-08-22 20:55:14 +02:00
parent ad41806e53
commit 802cf6a4c5
10 changed files with 122 additions and 9 deletions
--- a/app/services/activitypub/fetch_remote_account_service.rb
+++ b/app/services/activitypub/fetch_remote_account_service.rb
@ -11,7 +11,7 @@ class ActivityPub::FetchRemoteAccountService < BaseService
    @json = if prefetched_body.nil?
              fetch_resource(uri, id)
            else
-              body_to_json(prefetched_body)
+              body_to_json(prefetched_body, compare_id: id ? uri : nil)
            end

    return if !supported_context? || !expected_type? || (break_on_redirect && @json['movedTo'].present?)
--- a/app/services/activitypub/fetch_remote_key_service.rb
+++ b/app/services/activitypub/fetch_remote_key_service.rb
@ -17,7 +17,7 @@ class ActivityPub::FetchRemoteKeyService < BaseService
        @json = fetch_resource(uri, id)
      end
    else
-      @json = body_to_json(prefetched_body)
+      @json = body_to_json(prefetched_body, compare_id: id ? uri : nil)
    end

    return unless supported_context?(@json) && expected_type?
--- a/app/services/activitypub/fetch_remote_status_service.rb
+++ b/app/services/activitypub/fetch_remote_status_service.rb
@ -8,7 +8,7 @@ class ActivityPub::FetchRemoteStatusService < BaseService
    @json = if prefetched_body.nil?
              fetch_resource(uri, id, on_behalf_of)
            else
-              body_to_json(prefetched_body)
+              body_to_json(prefetched_body, compare_id: id ? uri : nil)
            end

    return unless supported_context? && expected_type?
--- a/app/services/fetch_remote_account_service.rb
+++ b/app/services/fetch_remote_account_service.rb
@ -27,7 +27,7 @@ class FetchRemoteAccountService < BaseService

    account = author_from_xml(xml.at_xpath('/xmlns:feed', xmlns: OStatus::TagManager::XMLNS), false)

-    UpdateRemoteProfileService.new.call(xml, account) unless account.nil?
+    UpdateRemoteProfileService.new.call(xml, account) if account.present? && trusted_domain?(url, account)

    account
  rescue TypeError
@ -37,4 +37,9 @@ class FetchRemoteAccountService < BaseService
    Rails.logger.debug 'Invalid XML or missing namespace'
    nil
  end
+
+  def trusted_domain?(url, account)
+    domain = Addressable::URI.parse(url).normalized_host
+    domain.casecmp(account.domain).zero? || domain.casecmp(Addressable::URI.parse(account.remote_url.presence || account.uri).normalized_host).zero?
+  end
 end