Check activities host

author: Chocobozzz <me@florianbigard.com> 2018-11-14 15:01:28 +0100
committer: Chocobozzz <me@florianbigard.com> 2018-11-14 16:32:27 +0100
commit: 5c6d985faeef1d6793d3f44ca6374f1a9b722806 (patch)
tree: 567e31a84e721bf762189582f92ac2ec5c402bcc /server/lib/activitypub/actor.ts
parent: df66d81583e07ce049daeeef1edc6a87b57b3684 (diff)
download: PeerTube-5c6d985faeef1d6793d3f44ca6374f1a9b722806.tar.gz
PeerTube-5c6d985faeef1d6793d3f44ca6374f1a9b722806.tar.zst
PeerTube-5c6d985faeef1d6793d3f44ca6374f1a9b722806.zip
1 files changed, 10 insertions, 3 deletions
diff --git a/server/lib/activitypub/actor.ts b/server/lib/activitypub/actor.ts
index 45dd4443d..b16a00669 100644
--- a/server/lib/activitypub/actor.ts
+++ b/server/lib/activitypub/actor.ts
@@ -5,7 +5,7 @@ import * as url from 'url'
 import * as uuidv4 from 'uuid/v4'
 import { ActivityPubActor, ActivityPubActorType } from '../../../shared/models/activitypub'
 import { ActivityPubAttributedTo } from '../../../shared/models/activitypub/objects'
-import { getActorUrl } from '../../helpers/activitypub'
+import { checkUrlsSameHost, getActorUrl } from '../../helpers/activitypub'
 import { isActorObjectValid, normalizeActor } from '../../helpers/custom-validators/activitypub/actor'
 import { isActivityPubUrlValid } from '../../helpers/custom-validators/activitypub/misc'
 import { retryTransactionWrapper, updateInstanceWithAnother } from '../../helpers/database-utils'
@@ -65,8 +65,12 @@ async function getOrCreateActorAndServerAndModel (
      const accountAttributedTo = result.attributedTo.find(a => a.type === 'Person')
      if (!accountAttributedTo) throw new Error('Cannot find account attributed to video channel ' + actor.url)
+      if (checkUrlsSameHost(accountAttributedTo.id, actorUrl) !== true) {
+        throw new Error(`Account attributed to ${accountAttributedTo.id} does not have the same host than actor url ${actorUrl}`)
+      }
      try {
-        // Assert we don't recurse another time
+        // Don't recurse another time
        ownerActor = await getOrCreateActorAndServerAndModel(accountAttributedTo.id, 'all', false)
      } catch (err) {
        logger.error('Cannot get or create account attributed to video channel ' + actor.url)
@@ -297,12 +301,15 @@ async function fetchRemoteActor (actorUrl: string): Promise<{ statusCode?: numbe
  normalizeActor(requestResult.body)
  const actorJSON: ActivityPubActor = requestResult.body
  if (isActorObjectValid(actorJSON) === false) {
    logger.debug('Remote actor JSON is not valid.', { actorJSON: actorJSON })
    return { result: undefined, statusCode: requestResult.response.statusCode }
  }
+  if (checkUrlsSameHost(actorJSON.id, actorUrl) !== true) {
+    throw new Error('Actor url ' + actorUrl + ' has not the same host than its AP id ' + actorJSON.id)
+  }
  const followersCount = await fetchActorTotalItems(actorJSON.followers)
  const followingCount = await fetchActorTotalItems(actorJSON.following)
author	Chocobozzz <me@florianbigard.com>	2018-11-14 15:01:28 +0100
committer	Chocobozzz <me@florianbigard.com>	2018-11-14 16:32:27 +0100
commit	5c6d985faeef1d6793d3f44ca6374f1a9b722806 (patch)
tree	567e31a84e721bf762189582f92ac2ec5c402bcc /server/lib/activitypub/actor.ts
parent	df66d81583e07ce049daeeef1edc6a87b57b3684 (diff)
download	PeerTube-5c6d985faeef1d6793d3f44ca6374f1a9b722806.tar.gz PeerTube-5c6d985faeef1d6793d3f44ca6374f1a9b722806.tar.zst PeerTube-5c6d985faeef1d6793d3f44ca6374f1a9b722806.zip