authorMark Felder <feld@feld.me>2023-12-19 13:53:10 -0500
committerMark Felder <feld@feld.me>2023-12-19 13:56:17 -0500
commitf43f33e3078385084136295d2a3320efa6cb4134 (patch)
treee943a2bc348691d9252c7e7316391e3953c0733a
parent99b07c817e65d8855069a996777d41a9984f93bf (diff)
Return a 400 from a bad delivery attempt to the inboxbad_inbox_request
This stops the backend from generating 500 errors from these events.
-rw-r--r--changelog.d/bad_inbox_request.change1
-rw-r--r--lib/pleroma/web/activity_pub/activity_pub_controller.ex9
-rw-r--r--test/pleroma/web/activity_pub/activity_pub_controller_test.exs17
3 files changed, 25 insertions, 2 deletions
diff --git a/changelog.d/bad_inbox_request.change b/changelog.d/bad_inbox_request.change
new file mode 100644
index 000000000..b81f60638
--- /dev/null
+++ b/changelog.d/bad_inbox_request.change
@@ -0,0 +1 @@
+Invalid activities delivered to the inbox will be rejected with a 400 Bad Request
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 3b2193ca3..b1a118160 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -273,12 +273,17 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
- with %User{} = recipient <- User.get_cached_by_nickname(nickname),
- {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]),
+ with %User{is_active: true} = recipient <- User.get_cached_by_nickname(nickname),
+ {:ok, %User{is_active: true} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]),
true <- Utils.recipient_in_message(recipient, actor, params),
params <- Utils.maybe_splice_recipient(recipient.ap_id, params) do
Federator.incoming_ap_doc(params)
json(conn, "ok")
+ else
+ _ ->
+ conn
+ |> put_status(:bad_request)
+ |> json("Invalid request.")
end
end
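Review bot: The catch-all `_ ->` in the new `else` answers every failed step with the same 400 and records nothing. An unknown or deactivated recipient, a deactivated actor, a message not addressed to the recipient and a failed actor lookup all become indistinguishable to the sender and to the operator. If `User.get_or_fetch_by_ap_id/1` can fail for transient reasons (its implementation is not visible here), a 400 may lead the sending server to drop the delivery rather than retry, so that case probably deserves its own clause. I would match the expected shapes explicitly, for example `{:error, _reason} ->` for the lookup failure and `false ->` for the addressing check. Each clause should log a short reason at debug level that names only the nickname and the actor id, not an inspected `%User{}` struct.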
diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
index 0dc61c2e5..069736925 100644
--- a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
@@ -895,6 +895,23 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert Activity.get_by_ap_id(data["id"])
end
+ test "it rejects an invalid incoming activity", %{conn: conn, data: data} do
+ user = insert(:user, is_active: false)
+
+ data =
+ data
+ |> Map.put("bcc", [user.ap_id])
+ |> Kernel.put_in(["object", "bcc"], [user.ap_id])
+
+ conn =
+ conn
+ |> assign(:valid_signature, true)
+ |> put_req_header("content-type", "application/activity+json")
+ |> post("/users/#{user.nickname}/inbox", data)
+
+ assert "Invalid request." == json_response(conn, 400)
+ end
+
test "it accepts messages with to as string instead of array", %{conn: conn, data: data} do
user = insert(:user)