Commit 0b2c051a authored by kaniini's avatar kaniini

activitypub: fix possibility of spoofing by containing remote objects to the...

activitypub: fix possibility of spoofing by containing remote objects to the same domain as their actor
parent 2e2f4587
......@@ -747,6 +747,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
"actor" => data["attributedTo"],
"object" => data
},
:ok <- Transmogrifier.contain_origin(id, params),
{:ok, activity} <- Transmogrifier.handle_incoming(params) do
{:ok, Object.normalize(activity.data["object"])}
else
......
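Review bot: The new `contain_origin(id, params)` call compares the actor against the `id` that was fetched, not against the id the fetched document declares for itself; unless this function already checks `data["id"] == id` above the hunk (the enclosing function starts outside it), a document served from the actor's domain can still claim an `"id"` on another domain and be normalized under it. A second guard along the lines of `:ok <- Transmogrifier.contain_origin(data["id"], params),` (or an explicit `data["id"] == id` match) would close that gap; I am inferring the absence of such a check, so confirm against the lines above. Separately, `"actor" => data["attributedTo"]` is passed straight through, so a missing or object-valued `attributedTo` reaches `URI.parse/1` as `nil` or a map and raises rather than falling into the `else` branch.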
......@@ -30,6 +30,20 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
actor["id"]
end
@doc """
Checks that an imported AP object's actor matches the domain it came from.
"""
def contain_origin(id, %{"actor" => actor}) do
id_uri = URI.parse(id)
actor_uri = URI.parse(actor)
if id_uri.host == actor_uri.host do
:ok
else
:error
end
end
@doc """
Modifies an incoming AP object (mastodon format) to our internal format.
"""
......
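Review bot: `contain_origin/2` returns `:ok` whenever the two hosts are merely equal, including when both are `nil`, so a pair of relative or otherwise unparseable `id`/`actor` strings passes the origin check; the comparison should require a real host, e.g. `if id_uri.host != nil and id_uri.host == actor_uri.host do`. The clause also assumes `actor` is a binary, while ActivityPub allows `attributedTo` to be an object or a list, in which case `URI.parse/1` raises a `FunctionClauseError` instead of the function returning `:error`; a guard on the head, `def contain_origin(id, %{"actor" => actor}) when is_binary(id) and is_binary(actor) do`, plus a catch-all `def contain_origin(_id, _params), do: :error` keeps the check failing closed. Since `URI.parse/1` does not normalise host case, `Example.com` and `example.com` are treated as different origins, which is a safe (rejecting) mismatch but worth a comment in the `@doc`, such as "Hosts are compared byte-for-byte; scheme and port are ignored."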