fix: cross-check remove(context) target prop against cid

Julian Lam
2025-10-23 12:02:59 -04:00
parent e3c55f76c1
commit 194cedb4d7


@@ -80,7 +80,7 @@ inbox.add = async (req) => {
};
inbox.remove = async (req) => {
const { actor, object } = req.body;
const { actor, object, target } = req.body;
const isContext = activitypub._constants.acceptable.contextTypes.has(object.type);
if (!isContext) {
@@ -88,16 +88,17 @@ inbox.remove = async (req) => {
}
const mainPid = await activitypub.contexts.getItems(0, object.id, { returnRootId: true });
const fromCid = target || object.audience;
const exists = await posts.exists(mainPid);
if (!exists) {
if (!exists || !fromCid) {
return; // post not cached; do nothing.
}
// Ensure that cid is same-origin as the actor
const tid = await posts.getPostField(mainPid, 'tid');
const cid = await topics.getTopicField(tid, 'cid');
if (utils.isNumber(cid)) {
// remote removal of topic in local cid; what??
if (utils.isNumber(cid) || cid !== fromCid) {
// remote removal of topic in local cid, or resolved cid does not match
return;
}
const actorHostname = new URL(actor).hostname;
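Review bot: In the second hunk `fromCid` is taken straight from the request body (`target || object.audience`) and compared with `cid !== fromCid` without any check of its shape. ActivityStreams allows both fields to be an embedded object or an array, and in that case the strict comparison can never match, so a legitimate Remove is dropped silently; that fails closed, so it does not look like a bypass, but it cannot be told apart from a real mismatch. I would reduce it to an id string first, `const fromCid = target?.id || target || object.audience;`, and add `typeof fromCid !== 'string'` to the early-return guard. The comment on that return is now stale and could read `// post not cached, or no target/audience to check against; do nothing.` The same-origin check that starts at `actorHostname` continues outside the hunk, so this note assumes it still decides whether the actor may act on `cid`.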