Fail closed on unresolved signed payloads

Reject unknown remote Update targets and invalidate signed payloads when their signer identity cannot be mapped, avoiding crashes and fail-open signature state.
2026-05-01 12:33:26 +04:00 · 2026-05-01 12:33:26 +04:00 · 4337e0eb1b
commit 4337e0eb1b
parent 7756f491d5
4 changed files with 35 additions and 2 deletions
--- a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
@ -101,6 +101,10 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
            |> add_error(:object, "Can't be updated by this actor")
          end

+        nil ->
+          cng
+          |> add_error(:object, "Can't be updated by this actor")
+
        true ->
          cng
          |> add_error(:object, "Update is neither for Object or Actor")
--- a/lib/pleroma/web/plugs/mapped_signature_to_identity_plug.ex
+++ b/lib/pleroma/web/plugs/mapped_signature_to_identity_plug.ex
@ -32,8 +32,8 @@ defmodule Pleroma.Web.Plugs.MappedSignatureToIdentityPlug do
      # remove me once testsuite uses mapped capabilities instead of what we do now
      {:user, nil} ->
        Logger.debug("Failed to map identity from signature (lookup failure)")
-        Logger.debug("key_id=#{inspect(key_id_from_conn(conn))}, actor=#{actor}")
-        conn
+        Logger.debug("key_id=#{inspect(key_id_from_conn(conn))}, actor=#{inspect(actor)}")
+        assign(conn, :valid_signature, false)
    end
  end