
pleroma

My custom branch(es) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git
commit: 5f1d70736711275ac9f0c95e5ada4cb2f1a96e11
parent bd50892c25ac2491c848a644304b323c9eec183f
Author: lain <lain@soykaf.club>
Date:   Fri, 22 Dec 2023 11:04:25 +0000

Merge branch 'bad_inbox_request' into 'develop'

Return a 400 from a bad delivery attempt to the inbox

Closes #2884

See merge request pleroma/pleroma!4009

Diffstat:

Achangelog.d/bad_inbox_request.change1+
Mlib/pleroma/web/activity_pub/activity_pub_controller.ex9+++++++--
Mtest/pleroma/web/activity_pub/activity_pub_controller_test.exs17+++++++++++++++++
3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/changelog.d/bad_inbox_request.change b/changelog.d/bad_inbox_request.change
@@ -0,0 +1 @@
+Invalid activities delivered to the inbox will be rejected with a 400 Bad Request
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -273,12 +273,17 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
   end
 
   def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
-    with %User{} = recipient <- User.get_cached_by_nickname(nickname),
-         {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]),
+    with %User{is_active: true} = recipient <- User.get_cached_by_nickname(nickname),
+         {:ok, %User{is_active: true} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]),
          true <- Utils.recipient_in_message(recipient, actor, params),
          params <- Utils.maybe_splice_recipient(recipient.ap_id, params) do
       Federator.incoming_ap_doc(params)
       json(conn, "ok")
+    else
+      _ ->
+        conn
+        |> put_status(:bad_request)
+        |> json("Invalid request.")
     end
   end
 
diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
@@ -895,6 +895,23 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       assert Activity.get_by_ap_id(data["id"])
     end
 
+    test "it rejects an invalid incoming activity", %{conn: conn, data: data} do
+      user = insert(:user, is_active: false)
+
+      data =
+        data
+        |> Map.put("bcc", [user.ap_id])
+        |> Kernel.put_in(["object", "bcc"], [user.ap_id])
+
+      conn =
+        conn
+        |> assign(:valid_signature, true)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/inbox", data)
+
+      assert "Invalid request." == json_response(conn, 400)
+    end
+
     test "it accepts messages with to as string instead of array", %{conn: conn, data: data} do
       user = insert(:user)
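Review bot: The `_ ->` catch-all in the new `else` of `inbox/2` discards the failing value, so a missing or deactivated recipient, an actor that is not addressed in the message (`Utils.recipient_in_message/3` returning false) and a failed `User.get_or_fetch_by_ap_id/1` all collapse into the same unlogged 400. If that fetch can fail transiently because the remote actor is temporarily unreachable (inferred from its name, not shown in the hunk), the sending instance will likely treat 400 as a permanent rejection and stop retrying, so the delivery is lost rather than deferred. Consider giving the fetch failure its own clause so it can be logged and, if appropriate, answered with a 5xx, e.g. `{:error, reason} -> Logger.debug("actor fetch for #{nickname}'s inbox failed: #{inspect(reason)}")` ahead of the generic rejection (with `require Logger` if the module does not already have it); logging the whole non-matching value is not advisable since it may be a `%User{}` struct. As a point of style, the body `json("Invalid request.")` is a bare JSON string; an object such as `%{error: "Invalid request."}` would be easier for clients to parse uniformly, assuming that matches the error shape used elsewhere in this controller.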