From 0ef420409a5900a098d284e4fb2bbd45b6f7eaf7 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Thu, 30 Jul 2020 18:16:32 +0200
Subject: [PATCH] Prevent upserting local actor By comparing it's URI
Signed-off-by: Thomas Citharel
---
 lib/federation/activity_pub/activity_pub.ex | 26 ++++++++++++---------
 lib/federation/activity_pub/utils.ex | 6 ++---
 2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/lib/federation/activity_pub/activity_pub.ex b/lib/federation/activity_pub/activity_pub.ex
index a3b8c2014..a9d2554b7 100644
--- a/lib/federation/activity_pub/activity_pub.ex
+++ b/lib/federation/activity_pub/activity_pub.ex
@@ -96,7 +96,7 @@ defmodule Mobilizon.Federation.ActivityPub do
 Logger.debug("Entity is already existing")
 entity =
- if force_fetch and not compare_origins?(url, Endpoint.url()) do
+ if force_fetch and not are_same_origin?(url, Endpoint.url()) do
 Logger.debug("Entity is external and we want a force fetch")
 with {:ok, _activity, entity} <- Fetcher.fetch_and_update(url, options) do
@@ -506,18 +506,22 @@ defmodule Mobilizon.Federation.ActivityPub do
 """
 @spec make_actor_from_url(String.t(), boolean()) :: {:ok, %Actor{}} | {:error, any()}
 def make_actor_from_url(url, preload \\ false) do
- case fetch_and_prepare_actor_from_url(url) do
- {:ok, data} ->
- Actors.upsert_actor(data, preload)
+ if are_same_origin?(url, Endpoint.url()) do
+ {:error, "Can't make a local actor from URL"}
+ else
+ case fetch_and_prepare_actor_from_url(url) do
+ {:ok, data} ->
+ Actors.upsert_actor(data, preload)
- # Request returned 410
- {:error, :actor_deleted} ->
- Logger.info("Actor was deleted")
- {:error, :actor_deleted}
+ # Request returned 410
+ {:error, :actor_deleted} ->
+ Logger.info("Actor was deleted")
+ {:error, :actor_deleted}
- e ->
- Logger.warn("Failed to make actor from url")
- {:error, e}
+ e ->
+ Logger.warn("Failed to make actor from url")
+ {:error, e}
+ end
 end
 end
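Review bot: The new refusal branch in `make_actor_from_url/2` returns a free-form string, `{:error, "Can't make a local actor from URL"}`, while the branch next to it returns the atom `:actor_deleted`, and it is the only error path in the function that logs nothing. Returning an atom such as `{:error, :actor_is_local}` lets callers match on the reason, and a `Logger.warn("Refusing to make a local actor from URL")` before it leaves a trace when a fetch would otherwise have overwritten a local actor. The check also calls `are_same_origin?/2`, whose only clause visible in this patch is guarded by `is_binary/1`, so a non-binary `url` would presumably raise `FunctionClauseError` here instead of being passed on to the fetch as before; the rest of that function lies outside the patch. The diffstat lists no test file, and a case asserting that a URL on the host of `Endpoint.url()` is refused would pin the behaviour.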
diff --git a/lib/federation/activity_pub/utils.ex b/lib/federation/activity_pub/utils.ex
index d59422e54..4e546067b 100644
--- a/lib/federation/activity_pub/utils.ex
+++ b/lib/federation/activity_pub/utils.ex
@@ -248,7 +248,7 @@ defmodule Mobilizon.Federation.ActivityPub.Utils do
 when not is_nil(actor) do
 actor = get_actor(params)
 Logger.debug("Performing origin check on #{id} and #{actor} URIs")
- compare_origins?(id, actor)
+ are_same_origin?(id, actor)
 end
 def origin_check?(_id, %{"type" => type} = _params) when type in ["Actor", "Group"], do: true
@@ -257,8 +257,8 @@ defmodule Mobilizon.Federation.ActivityPub.Utils do
 def origin_check?(_id, _args), do: false
- @spec compare_origins?(String.t(), String.t()) :: boolean()
- def compare_origins?(url_1, url_2) when is_binary(url_1) and is_binary(url_2) do
+ @spec are_same_origin?(String.t(), String.t()) :: boolean()
+ def are_same_origin?(url_1, url_2) when is_binary(url_1) and is_binary(url_2) do
 uri_1 = URI.parse(url_1)
 uri_2 = URI.parse(url_2)