From f47776e265a45859aaf8519d7de85c6f35fdf40a Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Mon, 19 Mar 2018 10:23:42 +0100
Subject: Sanitize invalid actor description

---
 server/lib/activitypub/actor.ts | 35 +++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 10 deletions(-)

(limited to 'server/lib/activitypub')

diff --git a/server/lib/activitypub/actor.ts b/server/lib/activitypub/actor.ts
index 897acee85..b7114bbee 100644
--- a/server/lib/activitypub/actor.ts
+++ b/server/lib/activitypub/actor.ts
@@ -12,12 +12,13 @@ import { logger } from '../../helpers/logger'
 import { createPrivateAndPublicKeys } from '../../helpers/peertube-crypto'
 import { doRequest, doRequestAndSaveToFile } from '../../helpers/requests'
 import { getUrlFromWebfinger } from '../../helpers/webfinger'
-import { IMAGE_MIMETYPE_EXT, CONFIG, sequelizeTypescript } from '../../initializers'
+import { IMAGE_MIMETYPE_EXT, CONFIG, sequelizeTypescript, CONSTRAINTS_FIELDS } from '../../initializers'
 import { AccountModel } from '../../models/account/account'
 import { ActorModel } from '../../models/activitypub/actor'
 import { AvatarModel } from '../../models/avatar/avatar'
 import { ServerModel } from '../../models/server/server'
 import { VideoChannelModel } from '../../models/video/video-channel'
+import { truncate } from 'lodash'
 
 // Set account keys, this could be long so process after the account creation and do not block the client
 function setAsyncActorKeys (actor: ActorModel) {
@@ -166,6 +167,24 @@ async function fetchAvatarIfExists (actorJSON: ActivityPubActor) {
   return undefined
 }
 
+function normalizeActor (actor: any) {
+  if (!actor) return
+
+  if (!actor.url || typeof actor.url !== 'string') {
+    actor.url = actor.url.href || actor.url.url
+  }
+
+  if (actor.summary && typeof actor.summary === 'string') {
+    actor.summary = truncate(actor.summary, { length: CONSTRAINTS_FIELDS.USERS.DESCRIPTION.max })
+
+    if (actor.summary.length < CONSTRAINTS_FIELDS.USERS.DESCRIPTION.min) {
+      actor.summary = null
+    }
+  }
+
+  return
+}
+
 export {
   getOrCreateActorAndServerAndModel,
   buildActorInstance,
@@ -173,7 +192,8 @@ export {
   fetchActorTotalItems,
   fetchAvatarIfExists,
   updateActorInstance,
-  updateActorAvatarInstance
+  updateActorAvatarInstance,
+  normalizeActor
 }
 
 // ---------------------------------------------------------------------------
@@ -255,7 +275,9 @@ async function fetchRemoteActor (actorUrl: string): Promise<FetchRemoteActorResu
   logger.info('Fetching remote actor %s.', actorUrl)
 
   const requestResult = await doRequest(options)
-  const actorJSON: ActivityPubActor = normalizeActor(requestResult.body)
+  normalizeActor(requestResult.body)
+
+  const actorJSON: ActivityPubActor = requestResult.body
 
   if (isActorObjectValid(actorJSON) === false) {
     logger.debug('Remote actor JSON is not valid.', { actorJSON: actorJSON })
@@ -372,10 +394,3 @@ async function refreshActorIfNeeded (actor: ActorModel) {
     return actor
   }
 }
-
-function normalizeActor (actor: any) {
-  if (actor && actor.url && typeof actor.url === 'string') return actor
-
-  actor.url = actor.url.href || actor.url.url
-  return actor
-}
-- 
cgit v1.2.3