Better validation for 'Update'
This commit is contained in:
parent
ea9d826a7c
commit
3212d809df
|
@ -241,10 +241,7 @@ exports.getModule = class ActivityPubWebHandler extends WebHandlerModule {
|
||||||
|
|
||||||
// Fetch and validate the signature of the remote Actor
|
// Fetch and validate the signature of the remote Actor
|
||||||
Actor.fromId(getActorId(activity), (err, remoteActor) => {
|
Actor.fromId(getActorId(activity), (err, remoteActor) => {
|
||||||
// if (err) {
|
// validate sig up front
|
||||||
// return this.webServer.internalServerError(resp, err);
|
|
||||||
// }
|
|
||||||
|
|
||||||
const httpSigValidated =
|
const httpSigValidated =
|
||||||
remoteActor && this._validateActorSignature(remoteActor, signature);
|
remoteActor && this._validateActorSignature(remoteActor, signature);
|
||||||
if (activity.type !== WellKnownActivity.Delete && !httpSigValidated) {
|
if (activity.type !== WellKnownActivity.Delete && !httpSigValidated) {
|
||||||
|
@ -264,7 +261,6 @@ exports.getModule = class ActivityPubWebHandler extends WebHandlerModule {
|
||||||
case WellKnownActivity.Delete:
|
case WellKnownActivity.Delete:
|
||||||
return this._inboxDeleteActivity(
|
return this._inboxDeleteActivity(
|
||||||
inboxType,
|
inboxType,
|
||||||
signature,
|
|
||||||
resp,
|
resp,
|
||||||
activity,
|
activity,
|
||||||
httpSigValidated
|
httpSigValidated
|
||||||
|
@ -276,12 +272,11 @@ exports.getModule = class ActivityPubWebHandler extends WebHandlerModule {
|
||||||
const type = _.get(activity, 'object.type');
|
const type = _.get(activity, 'object.type');
|
||||||
if ('Note' === type) {
|
if ('Note' === type) {
|
||||||
// :TODO: get rid of this extra indirection
|
// :TODO: get rid of this extra indirection
|
||||||
return this._inboxMutateExistingObject(
|
return this._inboxUpdateExistingObject(
|
||||||
inboxType,
|
inboxType,
|
||||||
signature,
|
|
||||||
resp,
|
resp,
|
||||||
activity,
|
activity,
|
||||||
this._inboxUpdateObjectMutator.bind(this)
|
httpSigValidated
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
this.log.warn(
|
this.log.warn(
|
||||||
|
@ -467,7 +462,7 @@ exports.getModule = class ActivityPubWebHandler extends WebHandlerModule {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
_inboxDeleteActivity(inboxType, signature, resp, activity, httpSigValidated) {
|
_inboxDeleteActivity(inboxType, resp, activity, httpSigValidated) {
|
||||||
const objectId = _.get(activity, 'object.id', activity.object);
|
const objectId = _.get(activity, 'object.id', activity.object);
|
||||||
|
|
||||||
this.log.info({ inboxType, objectId }, 'Incoming Delete request');
|
this.log.info({ inboxType, objectId }, 'Incoming Delete request');
|
||||||
|
@ -762,7 +757,7 @@ exports.getModule = class ActivityPubWebHandler extends WebHandlerModule {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
_inboxMutateExistingObject(inboxType, signature, resp, activity, mutator) {
|
_inboxUpdateExistingObject(inboxType, resp, activity, httpSigValidated) {
|
||||||
const targetObjectId = _.get(activity, 'object.id');
|
const targetObjectId = _.get(activity, 'object.id');
|
||||||
const objectType = _.get(activity, 'object.type');
|
const objectType = _.get(activity, 'object.type');
|
||||||
|
|
||||||
|
@ -779,37 +774,25 @@ exports.getModule = class ActivityPubWebHandler extends WebHandlerModule {
|
||||||
return this.webServer.resourceNotFound(resp);
|
return this.webServer.resourceNotFound(resp);
|
||||||
}
|
}
|
||||||
|
|
||||||
//
|
this._verifyObjectOwner(httpSigValidated, obj, activity, err => {
|
||||||
// Object exists; Validate we allow the action by origin
|
if (err) {
|
||||||
// comparing the request's keyId origin to the object's
|
|
||||||
//
|
|
||||||
try {
|
|
||||||
const updateTargetHost = new URL(obj.object.id).host;
|
|
||||||
const keyIdHost = new URL(signature.keyId).host;
|
|
||||||
|
|
||||||
if (updateTargetHost !== keyIdHost) {
|
|
||||||
this.log.warn(
|
this.log.warn(
|
||||||
{
|
{
|
||||||
targetObjectId,
|
error: err.message,
|
||||||
type: objectType,
|
inboxType,
|
||||||
updateTargetHost,
|
objectId: targetObjectId,
|
||||||
keyIdHost,
|
objectType,
|
||||||
activityType: activity.type,
|
|
||||||
},
|
},
|
||||||
`Attempt to ${activity.type} Object of non-matching origin`
|
'Will not Update object: Signature mismatch'
|
||||||
);
|
);
|
||||||
return this.webServer.accessDenied(resp);
|
return this.webServer.accessDenied(resp);
|
||||||
}
|
}
|
||||||
|
|
||||||
return mutator(inboxType, resp, objectType, targetObjectId, activity);
|
Collection.updateCollectionEntry(
|
||||||
} catch (e) {
|
inboxType,
|
||||||
return this.webServer.internalServerError(resp, e);
|
targetObjectId,
|
||||||
}
|
activity,
|
||||||
});
|
err => {
|
||||||
}
|
|
||||||
|
|
||||||
_inboxUpdateObjectMutator(inboxType, resp, objectType, targetObjectId, activity) {
|
|
||||||
Collection.updateCollectionEntry(inboxType, targetObjectId, activity, err => {
|
|
||||||
if (err) {
|
if (err) {
|
||||||
return this.webServer.internalServerError(resp, err);
|
return this.webServer.internalServerError(resp, err);
|
||||||
}
|
}
|
||||||
|
@ -826,6 +809,9 @@ exports.getModule = class ActivityPubWebHandler extends WebHandlerModule {
|
||||||
// :TODO: we need to UPDATE the existing stored Message object if this is a Note
|
// :TODO: we need to UPDATE the existing stored Message object if this is a Note
|
||||||
|
|
||||||
return this.webServer.accepted(resp);
|
return this.webServer.accepted(resp);
|
||||||
|
}
|
||||||
|
);
|
||||||
|
});
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue