Detect posting request in our own inbox
authorChocobozzz <me@florianbigard.com>
Fri, 23 Feb 2018 14:09:12 +0000 (15:09 +0100)
committerChocobozzz <me@florianbigard.com>
Fri, 23 Feb 2018 14:09:12 +0000 (15:09 +0100)
server/controllers/activitypub/inbox.ts
server/lib/activitypub/fetch.ts
server/middlewares/validators/activitypub/activity.ts

index 8d65639f8909a10eb0a5c6849f1343524956a899..bd0d7a9c8bb6ac4b0f27114664eaeba227afabc6 100644 (file)
@@ -12,7 +12,7 @@ const inboxRouter = express.Router()
 inboxRouter.post('/inbox',
   signatureValidator,
   asyncMiddleware(checkSignature),
-  activityPubValidator,
+  asyncMiddleware(activityPubValidator),
   asyncMiddleware(inboxController)
 )
 
@@ -20,7 +20,7 @@ inboxRouter.post('/accounts/:name/inbox',
   signatureValidator,
   asyncMiddleware(checkSignature),
   localAccountValidator,
-  activityPubValidator,
+  asyncMiddleware(activityPubValidator),
   asyncMiddleware(inboxController)
 )
 
index b1b370a1af99df4b1bb0ec3211108bb0f0a2923d..549791f14ca889e050bdba94786b01bebe7f20b7 100644 (file)
@@ -1,7 +1,16 @@
+import { logger } from '../../helpers/logger'
+import { getServerActor } from '../../helpers/utils'
 import { ActorModel } from '../../models/activitypub/actor'
 import { JobQueue } from '../job-queue'
 
 async function addFetchOutboxJob (actor: ActorModel) {
+  // Don't fetch ourselves
+  const serverActor = await getServerActor()
+  if (serverActor.id === actor.id) {
+    logger.error('Cannot fetch our own outbox!')
+    return
+  }
+
   const payload = {
     uris: [ actor.outboxUrl ]
   }
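Review bot: The new early return in `addFetchOutboxJob` logs a fixed string and resolves to `undefined`, so a skipped self-fetch is hard to trace afterwards and callers cannot tell it apart from whatever the rest of the function returns (its body continues outside this hunk). Identify the actor in the log entry, e.g. `logger.error('Cannot fetch our own outbox!', { outboxUrl: actor.outboxUrl })`, so the code path that asked for the fetch can be found during triage. A one-line doc comment stating that the function is a no-op for the server actor would make that contract visible to callers.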
index 208e23f8692c1872640b7f9393ef5fba4ba39391..15e8bb07968557053b1645e992468e73b4290c6d 100644 (file)
@@ -2,16 +2,25 @@ import * as express from 'express'
 import { body } from 'express-validator/check'
 import { isRootActivityValid } from '../../../helpers/custom-validators/activitypub/activity'
 import { logger } from '../../../helpers/logger'
+import { getServerActor } from '../../../helpers/utils'
+import { ActorModel } from '../../../models/activitypub/actor'
 import { areValidationErrors } from '../utils'
 
 const activityPubValidator = [
   body('').custom((value, { req }) => isRootActivityValid(req.body)),
 
-  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     logger.debug('Checking activity pub parameters')
 
     if (areValidationErrors(req, res)) return
 
+    const serverActor = await getServerActor()
+    const remoteActor = res.locals.signature.actor as ActorModel
+    if (serverActor.id === remoteActor.id) {
+      logger.error('Receiving request in INBOX by ourselves!', req.body)
+      return res.sendStatus(409)
+    }
+
     return next()
   }
 ]
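Review bot: The self-check reads `res.locals.signature.actor` through an `as ActorModel` cast with no guard, so this validator now depends on `checkSignature` having run before it; both routes in inbox.ts do mount it that way, but nothing in this file says so. Add a comment such as `// Requires checkSignature: reads res.locals.signature.actor` and fail closed when the value is missing, e.g. `if (!res.locals.signature || !res.locals.signature.actor) return res.sendStatus(403)` (the exact status is the project's call). The error log also writes the whole `req.body`; logging only the activity's id and type would keep entries bounded while still identifying the request.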