activitypub: factor out AP object fetching to it's own function and add ID-based containment

2018-11-17 20:02:02 +00:00 · 2018-11-17 20:02:02 +00:00 · daa8ec3d62
commit daa8ec3d62
parent a960983815
2 changed files with 35 additions and 10 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@ -732,16 +732,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    else
      Logger.info("Fetching #{id} via AP")

-      with true <- String.starts_with?(id, "http"),
-           {:ok, %{body: body, status_code: code}} when code in 200..299 <-
-             @httpoison.get(
-               id,
-               [Accept: "application/activity+json"],
-               follow_redirect: true,
-               timeout: 10000,
-               recv_timeout: 20000
-             ),
-           {:ok, data} <- Jason.decode(body),
+      with {:ok, data} <- fetch_and_contain_remote_object_from_id(id),
           nil <- Object.normalize(data),
           params <- %{
             "type" => "Create",
@ -771,6 +762,27 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    end
  end

+  def fetch_and_contain_remote_object_from_id(id) do
+    Logger.info("Fetching #{id} via AP")
+
+    with true <- String.starts_with?(id, "http"),
+         {:ok, %{body: body, status_code: code}} when code in 200..299 <-
+           @httpoison.get(
+             id,
+             [Accept: "application/activity+json"],
+             follow_redirect: true,
+             timeout: 10000,
+             recv_timeout: 20000
+           ),
+         {:ok, data} <- Jason.decode(body),
+         :ok <- Transmogrifier.contain_origin_from_id(id, data) do
+      {:ok, data}
+    else
+      e ->
+        {:error, e}
+    end
+  end
+
  def is_public?(activity) do
    "https://www.w3.org/ns/activitystreams#Public" in (activity.data["to"] ++
                                                         (activity.data["cc"] || []))
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@ -50,6 +50,19 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    end
  end

+  def contain_origin_from_id(id, %{"id" => nil}), do: :error
+
+  def contain_origin_from_id(id, %{"id" => other_id} = params) do
+    id_uri = URI.parse(id)
+    other_uri = URI.parse(other_id)
+
+    if id_uri.host == other_uri.host do
+      :ok
+    else
+      :error
+    end
+  end
+
  @doc """
  Modifies an incoming AP object (mastodon format) to our internal format.
  """