From 285fe7c93072b2a8e6a9af6b7e8ffcdefcffbddf Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Fri, 23 Feb 2018 15:09:12 +0100
Subject: [PATCH] Detect posting request in our own inbox

---
 server/controllers/activitypub/inbox.ts               |  4 ++--
 server/lib/activitypub/fetch.ts                       |  9 +++++++++
 server/middlewares/validators/activitypub/activity.ts | 11 ++++++++++-
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/server/controllers/activitypub/inbox.ts b/server/controllers/activitypub/inbox.ts
index 8d65639f8..bd0d7a9c8 100644
--- a/server/controllers/activitypub/inbox.ts
+++ b/server/controllers/activitypub/inbox.ts
@@ -12,7 +12,7 @@ const inboxRouter = express.Router()
 inboxRouter.post('/inbox',
   signatureValidator,
   asyncMiddleware(checkSignature),
-  activityPubValidator,
+  asyncMiddleware(activityPubValidator),
   asyncMiddleware(inboxController)
 )
 
@@ -20,7 +20,7 @@ inboxRouter.post('/accounts/:name/inbox',
   signatureValidator,
   asyncMiddleware(checkSignature),
   localAccountValidator,
-  activityPubValidator,
+  asyncMiddleware(activityPubValidator),
   asyncMiddleware(inboxController)
 )
 
diff --git a/server/lib/activitypub/fetch.ts b/server/lib/activitypub/fetch.ts
index b1b370a1a..549791f14 100644
--- a/server/lib/activitypub/fetch.ts
+++ b/server/lib/activitypub/fetch.ts
@@ -1,7 +1,16 @@
+import { logger } from '../../helpers/logger'
+import { getServerActor } from '../../helpers/utils'
 import { ActorModel } from '../../models/activitypub/actor'
 import { JobQueue } from '../job-queue'
 
 async function addFetchOutboxJob (actor: ActorModel) {
+  // Don't fetch ourselves
+  const serverActor = await getServerActor()
+  if (serverActor.id === actor.id) {
+    logger.error('Cannot fetch our own outbox!')
+    return
+  }
+
   const payload = {
     uris: [ actor.outboxUrl ]
   }
diff --git a/server/middlewares/validators/activitypub/activity.ts b/server/middlewares/validators/activitypub/activity.ts
index 208e23f86..15e8bb079 100644
--- a/server/middlewares/validators/activitypub/activity.ts
+++ b/server/middlewares/validators/activitypub/activity.ts
@@ -2,16 +2,25 @@ import * as express from 'express'
 import { body } from 'express-validator/check'
 import { isRootActivityValid } from '../../../helpers/custom-validators/activitypub/activity'
 import { logger } from '../../../helpers/logger'
+import { getServerActor } from '../../../helpers/utils'
+import { ActorModel } from '../../../models/activitypub/actor'
 import { areValidationErrors } from '../utils'
 
 const activityPubValidator = [
   body('').custom((value, { req }) => isRootActivityValid(req.body)),
 
-  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     logger.debug('Checking activity pub parameters')
 
     if (areValidationErrors(req, res)) return
 
+    const serverActor = await getServerActor()
+    const remoteActor = res.locals.signature.actor as ActorModel
+    if (serverActor.id === remoteActor.id) {
+      logger.error('Receiving request in INBOX by ourselves!', req.body)
+      return res.sendStatus(409)
+    }
+
     return next()
   }
 ]
-- 
2.25.1