From 233aa34d54697c366a23a31a34990616e4231ec7 Mon Sep 17 00:00:00 2001
From: Felix Ableitner <me@nutomic.com>
Date: Wed, 5 Aug 2020 14:18:08 +0200
Subject: [PATCH] Verify ID of received apub objects against domain allowlist
 etc

---
 server/src/apub/comment.rs         | 6 +++++-
 server/src/apub/community.rs       | 5 ++++-
 server/src/apub/post.rs            | 6 +++++-
 server/src/apub/private_message.rs | 7 ++++---
 server/src/apub/user.rs            | 8 +++++++-
 5 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/server/src/apub/comment.rs b/server/src/apub/comment.rs
index 05b40dbe5..8bd79b799 100644
--- a/server/src/apub/comment.rs
+++ b/server/src/apub/comment.rs
@@ -1,6 +1,7 @@
 use crate::{
   apub::{
     activities::{generate_activity_id, send_activity_to_community},
+    check_is_apub_id_valid,
     create_apub_response,
     create_apub_tombstone_response,
     create_tombstone,
@@ -166,6 +167,9 @@ impl FromApub for CommentForm {
       None => None,
     };
 
+    let ap_id = note.id_unchecked().unwrap().to_string();
+    check_is_apub_id_valid(&Url::parse(&ap_id)?)?;
+
     Ok(CommentForm {
       creator_id: creator.id,
       post_id: post.id,
@@ -181,7 +185,7 @@ impl FromApub for CommentForm {
       published: note.published().map(|u| u.to_owned().naive_local()),
       updated: note.updated().map(|u| u.to_owned().naive_local()),
       deleted: None,
-      ap_id: note.id_unchecked().unwrap().to_string(),
+      ap_id,
       local: false,
     })
   }
diff --git a/server/src/apub/community.rs b/server/src/apub/community.rs
index 96f0f84c3..b35c47bbc 100644
--- a/server/src/apub/community.rs
+++ b/server/src/apub/community.rs
@@ -1,6 +1,7 @@
 use crate::{
   apub::{
     activities::{generate_activity_id, send_activity},
+    check_is_apub_id_valid,
     create_apub_response,
     create_apub_tombstone_response,
     create_tombstone,
@@ -334,6 +335,8 @@ impl FromApub for CommunityForm {
       .unwrap();
 
     let creator = get_or_fetch_and_upsert_user(creator_uri, client, pool).await?;
+    let actor_id = group.inner.id_unchecked().unwrap().to_string();
+    check_is_apub_id_valid(&Url::parse(&actor_id)?)?;
 
     Ok(CommunityForm {
       name: group
@@ -359,7 +362,7 @@ impl FromApub for CommunityForm {
       updated: group.inner.updated().map(|u| u.to_owned().naive_local()),
       deleted: None,
       nsfw: group.ext_one.sensitive,
-      actor_id: group.inner.id_unchecked().unwrap().to_string(),
+      actor_id,
       local: false,
       private_key: None,
       public_key: Some(group.ext_two.to_owned().public_key.public_key_pem),
diff --git a/server/src/apub/post.rs b/server/src/apub/post.rs
index 4b687b0ae..ed4dfe0f9 100644
--- a/server/src/apub/post.rs
+++ b/server/src/apub/post.rs
@@ -1,6 +1,7 @@
 use crate::{
   apub::{
     activities::{generate_activity_id, send_activity_to_community},
+    check_is_apub_id_valid,
     create_apub_response,
     create_apub_tombstone_response,
     create_tombstone,
@@ -203,6 +204,9 @@ impl FromApub for PostForm {
       None => (None, None, None),
     };
 
+    let ap_id = page.inner.id_unchecked().unwrap().to_string();
+    check_is_apub_id_valid(&Url::parse(&ap_id)?)?;
+
     let url = page
       .inner
       .url()
@@ -245,7 +249,7 @@ impl FromApub for PostForm {
       embed_description,
       embed_html,
       thumbnail_url,
-      ap_id: page.inner.id_unchecked().unwrap().to_string(),
+      ap_id,
       local: false,
     })
   }
diff --git a/server/src/apub/private_message.rs b/server/src/apub/private_message.rs
index 69f552d3b..af0f56107 100644
--- a/server/src/apub/private_message.rs
+++ b/server/src/apub/private_message.rs
@@ -1,6 +1,7 @@
 use crate::{
   apub::{
     activities::{generate_activity_id, send_activity},
+    check_is_apub_id_valid,
     create_tombstone,
     fetcher::get_or_fetch_and_upsert_user,
     insert_activity,
@@ -84,10 +85,10 @@ impl FromApub for PrivateMessageForm {
       .unwrap();
 
     let creator = get_or_fetch_and_upsert_user(&creator_actor_id, client, pool).await?;
-
     let recipient_actor_id = note.to().unwrap().clone().single_xsd_any_uri().unwrap();
-
     let recipient = get_or_fetch_and_upsert_user(&recipient_actor_id, client, pool).await?;
+    let ap_id = note.id_unchecked().unwrap().to_string();
+    check_is_apub_id_valid(&Url::parse(&ap_id)?)?;
 
     Ok(PrivateMessageForm {
       creator_id: creator.id,
@@ -102,7 +103,7 @@ impl FromApub for PrivateMessageForm {
       updated: note.updated().map(|u| u.to_owned().naive_local()),
       deleted: None,
       read: None,
-      ap_id: note.id_unchecked().unwrap().to_string(),
+      ap_id,
       local: false,
     })
   }
diff --git a/server/src/apub/user.rs b/server/src/apub/user.rs
index 2922006d5..80b91ddbb 100644
--- a/server/src/apub/user.rs
+++ b/server/src/apub/user.rs
@@ -1,6 +1,7 @@
 use crate::{
   apub::{
     activities::{generate_activity_id, send_activity},
+    check_is_apub_id_valid,
     create_apub_response,
     insert_activity,
     ActorType,
@@ -217,6 +218,11 @@ impl FromApub for UserForm {
       None => None,
     };
 
+    // TODO: here and in community we could actually check against the exact domain where we fetched
+    //       the actor from, if we can pass it in somehow
+    let actor_id = person.id_unchecked().unwrap().to_string();
+    check_is_apub_id_valid(&Url::parse(&actor_id)?)?;
+
     Ok(UserForm {
       name: person
         .name()
@@ -241,7 +247,7 @@ impl FromApub for UserForm {
       show_avatars: false,
       send_notifications_to_email: false,
       matrix_user_id: None,
-      actor_id: person.id_unchecked().unwrap().to_string(),
+      actor_id,
       bio: person
         .inner
         .summary()