
security: activitypub: reject activities with bogus ids

An attacker can damage Pleroma's object graph in some limited cases by sending activities with an invalid ID. This can lead to a denial of service (DoS) condition.

We mitigate this possibility by validating object IDs. Any objects with an invalid ID will be dropped due to the new guards placed on the Transmogrifier.handle_incoming routine.
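The kind of guard described above, as an added illustration that is not Pleroma's own code: a small Elixir module that rejects an incoming activity unless its `id` (and the `id` of any referenced object) is an absolute http(s) URL with a host. The module name, the `valid_id?/1` helper, the return tuples and the sample activities are all assumptions made for this example.

```elixir
defmodule ActivityIdGuard do
  @moduledoc """
  Hypothetical guard (example code, not Pleroma's Transmogrifier):
  decide whether an incoming ActivityPub activity carries usable ids
  before anything derived from it is written to the object graph.
  """

  # Only absolute http(s) URLs with a non-empty host are accepted as ids.
  @allowed_schemes ["http", "https"]

  @doc "True when `id` is an absolute http(s) URL with a host."
  @spec valid_id?(term()) :: boolean()
  def valid_id?(id) when is_binary(id) do
    case URI.parse(id) do
      %URI{scheme: scheme, host: host}
      when scheme in @allowed_schemes and is_binary(host) and host != "" ->
        true

      _ ->
        false
    end
  end

  # Anything that is not a string (nil, integers, lists, maps) is bogus.
  def valid_id?(_), do: false

  @doc """
  Drop an activity whose own id is bogus, or whose `object` (given either
  as a bare id string or as an embedded map that carries an `id`) has a
  bogus id. Everything else is passed through unchanged.
  """
  @spec handle_incoming(map()) :: {:ok, map()} | {:error, atom()}
  def handle_incoming(%{"id" => id} = data) do
    object = data["object"]

    cond do
      not valid_id?(id) ->
        {:error, :invalid_id}

      is_binary(object) and not valid_id?(object) ->
        {:error, :invalid_object_id}

      is_map(object) and Map.has_key?(object, "id") and
          not valid_id?(object["id"]) ->
        {:error, :invalid_object_id}

      true ->
        {:ok, data}
    end
  end

  # No "id" key at all: reject rather than guess one.
  def handle_incoming(_), do: {:error, :invalid_id}

  @doc "Constructed sample activities showing which ones get dropped."
  def examples do
    [
      # well-formed Create: accepted
      %{
        "id" => "https://remote.example/activities/1",
        "type" => "Create",
        "object" => %{"id" => "https://remote.example/objects/1", "type" => "Note"}
      },
      # relative id, no scheme or host: dropped
      %{"id" => "/activities/2", "type" => "Create"},
      # id is not a string: dropped
      %{"id" => 42, "type" => "Like", "object" => "https://remote.example/objects/1"},
      # activity id fine, but referenced object id is garbage: dropped
      %{"id" => "https://remote.example/activities/3", "type" => "Announce", "object" => "not a url"}
    ]
    |> Enum.map(&handle_incoming/1)
  end
end

# ActivityIdGuard.examples()
# => [{:ok, %{...}}, {:error, :invalid_id}, {:error, :invalid_id}, {:error, :invalid_object_id}]
```

The check is deliberately placed before any lookup or insert, so a bogus id never reaches the code that would create or link objects; `URI.parse/1` alone is not enough, since it happily parses relative strings, which is why the scheme and host are matched explicitly.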

Edited by kaniini
