Merge branch 'security/activitypub-spoofing' into 'develop'

security: activitypub spoofing See merge request pleroma/pleroma!321
2018-09-01 23:48:55 +00:00 · 2018-09-01 23:48:55 +00:00 · 3c7280934e
commit 3c7280934e
parent e4079abab8 03e92977cb
5 changed files with 58 additions and 0 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@ -747,6 +747,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
             "actor" => data["attributedTo"],
             "object" => data
           },
+           :ok <- Transmogrifier.contain_origin(id, params),
           {:ok, activity} <- Transmogrifier.handle_incoming(params) do
        {:ok, Object.normalize(activity.data["object"])}
      else
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@ -30,6 +30,20 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    actor["id"]
  end

+  @doc """
+  Checks that an imported AP object's actor matches the domain it came from.
+  """
+  def contain_origin(id, %{"actor" => actor} = params) do
+    id_uri = URI.parse(id)
+    actor_uri = URI.parse(get_actor(params))
+
+    if id_uri.host == actor_uri.host do
+      :ok
+    else
+      :error
+    end
+  end
+
  @doc """
  Modifies an incoming AP object (mastodon format) to our internal format.
  """