From f10336cad0949c301a46c87b7d2b8010999b23bb Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Fri, 24 Nov 2017 14:36:28 +0100
Subject: [PATCH] Check signature is correct with the activity pub actor
---
 server/controllers/activitypub/inbox.ts | 2 +-
 server/lib/activitypub/process/process.ts | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/server/controllers/activitypub/inbox.ts b/server/controllers/activitypub/inbox.ts
index 243ae7381..92bd20ddb 100644
--- a/server/controllers/activitypub/inbox.ts
+++ b/server/controllers/activitypub/inbox.ts
@@ -48,7 +48,7 @@ async function inboxController (req: express.Request, res: express.Response, nex
 activities = activities.filter(a => isActivityValid(a))
 logger.debug('We keep %d activities.', activities.length, { activities })
- await processActivities(activities, res.locals.account)
+ await processActivities(activities, res.locals.signature.account, res.locals.account)
 res.status(204).end()
 }
diff --git a/server/lib/activitypub/process/process.ts b/server/lib/activitypub/process/process.ts
index 40f19c701..54981c289 100644
--- a/server/lib/activitypub/process/process.ts
+++ b/server/lib/activitypub/process/process.ts
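Review bot: In the inbox.ts hunk, the new `processActivities(...)` call reads `res.locals.signature.account` without checking that a verified signature was attached to this request. Whether a signature-checking middleware always runs before `inboxController` is not visible here, since the function body starts outside the hunk. If `signature` is unset the call throws; if `account` is undefined, the actor comparison added in process.ts is skipped because its guard is `signatureAccount && ...`, so the inbox would process activities with no signer binding at all. I would fail closed before the call, e.g. `if (!res.locals.signature || !res.locals.signature.account) return res.status(403).end()`.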
@@ -23,8 +23,14 @@ const processActivity: { [ P in ActivityType ]: (activity: Activity, inboxAccoun
 Like: processLikeActivity
 }
-async function processActivities (activities: Activity[], inboxAccount?: AccountInstance) {
+async function processActivities (activities: Activity[], signatureAccount?: AccountInstance, inboxAccount?: AccountInstance) {
 for (const activity of activities) {
+ // When we fetch remote data, we don't have signature
+ if (signatureAccount && activity.actor !== signatureAccount.url) {
+ logger.warn('Signature mismatch between %s and %s.', activity.actor, signatureAccount.url)
+ continue
+ }
+
 const activityProcessor = processActivity[activity.type]
 if (activityProcessor === undefined) {
 logger.warn('Unknown activity type %s.', activity.type, { activityId: activity.id })
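Review bot: The new optional `signatureAccount` is inserted ahead of the existing optional `inboxAccount` in the `processActivities` signature, and both are `AccountInstance`. A caller still written as `processActivities(activities, inboxAccount)` therefore compiles unchanged and silently has the inbox account treated as the signer; only the inbox.ts call site is updated in this patch, and other callers are not visible. Omitting the argument also switches the actor check off, so the "fetched remote data, no signature" case and a forgotten argument look identical. I would make the trust mode explicit with a named options argument, e.g. `async function processActivities (activities: Activity[], options: { signatureAccount?: AccountInstance, inboxAccount?: AccountInstance } = {})`, and document above the check that an absent signer is accepted only for data the server fetched itself. The comparison covers the top-level `activity.actor` only; whether the per-type processors bind wrapped objects to the same actor cannot be told from this hunk, as the loop body continues outside it.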