Merge pull request 'Reject third-party remote reports' (#7896) from fix/reject-third-party-reports into develop

Reviewed-on: https://git.pleroma.social/pleroma/pleroma/pulls/7896
2026-05-13 05:57:34 +00:00 · 2026-05-13 05:57:34 +00:00 · e211b72924
commit e211b72924
parent d8e9affded 68e4bb53a2
3 changed files with 25 additions and 0 deletions
--- a/changelog.d/reject-third-party-reports.fix
+++ b/changelog.d/reject-third-party-reports.fix
@ -0,0 +1 @@
+Reject incoming reports when both the reporter and reported account are remote
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@ -430,6 +430,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    end)
  end

+  defp reject_third_party_report(%User{local: false}, %User{local: false} = account) do
+    {:reject, "[Transmogrifier] third-party report: #{account.ap_id}"}
+  end
+
+  defp reject_third_party_report(_, _), do: :ok
+
  def handle_incoming(data, options \\ []) do
    data
    |> fix_recursive(&strip_internal_fields/1)
@ -448,6 +454,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
         %User{} = actor <- User.get_cached_by_ap_id(actor),
         # Reduce the object list to find the reported user.
         %User{} = account <- get_reported(objects),
+         :ok <- reject_third_party_report(actor, account),
         # Remove the reported user from the object list.
         statuses <- Enum.filter(objects, fn ap_id -> ap_id != account.ap_id end) do
      %{
--- a/test/pleroma/web/activity_pub/transmogrifier_test.exs
+++ b/test/pleroma/web/activity_pub/transmogrifier_test.exs
@ -86,6 +86,23 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
      assert activity.data["cc"] == [user.ap_id]
    end

+    test "it rejects Flag activities when both reporter and reported account are remote" do
+      reporter = insert(:user, local: false, domain: "mastodon.cat")
+      reported = insert(:user, local: false, domain: "nicecrew.digital")
+
+      message = %{
+        "@context" => "https://www.w3.org/ns/activitystreams",
+        "actor" => reporter.ap_id,
+        "content" => "blocked AND reported!!!",
+        "object" => [reported.ap_id, "https://nicecrew.digital/objects/report-status"],
+        "type" => "Flag"
+      }
+
+      assert {:reject, reason} = Transmogrifier.handle_incoming(message)
+      assert reason =~ "third-party report"
+      refute "Flag" |> Pleroma.Activity.Queries.by_type() |> Pleroma.Repo.one()
+    end
+
    test "it accepts Flag activities with just actor id as object" do
      user = insert(:user)
      other_user = insert(:user)
				`@ -0,0 +1 @@`
				`Reject incoming reports when both the reporter and reported account are remote`