security: IR-based generic object containment (!1417) · Merge requests · Pleroma / pleroma

kaniini requested to merge security/ir-generic-containment into develop Jul 14, 2019

It is more efficient to check for object containment violations at the IR level instead of in the protocol handlers. OStatus containment is especially a tricky situation, as the containment rules don't match those of IR and ActivityPub.

Accordingly, we just always do a final containment check at the IR level before the object is added to the IR object graph.

We also fix a couple of tests which now fail due to object containment violations.

security: IR-based generic object containment

Merge request reports