Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 08:36:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: update activitypubFilterList logic so that it is also checked on resolveInbox and ActivityPub.get methods, updated instances.isAllowed to no longer return a promise

Browse Source
This commit is contained in:
Julian Lam
2025-09-19 10:56:35 -04:00
parent 559155da63
commit be9212b59f
3 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/activitypub/index.js
View File

@@ -152,7 +152,23 @@ ActivityPub.resolveInboxes = async (ids) => {
batch: 500,
});
return Array.from(inboxes);
let inboxArr = Array.from(inboxes);
// Filter out blocked instances
const blocked = [];
inboxArr = inboxArr.filter((inbox) => {
const { hostname } = new URL(inbox);
const allowed = ActivityPub.instances.isAllowed(hostname);
if (!allowed) {
blocked.push(inbox);
}
return allowed;
});
if (blocked.length) {
ActivityPub.helpers.log(`[activitypub/resolveInboxes] Not delivering to blocked instances: ${blocked.join(', ')}`);
}
return inboxArr;
};
ActivityPub.getPublicKey = async (type, id) => {
@@ -305,6 +321,15 @@ ActivityPub.get = async (type, id, uri, options) => {
throw new Error('[[error:activitypub.not-enabled]]');
}
const { hostname } = new URL(uri);
const allowed = ActivityPub.instances.isAllowed(hostname);
if (!allowed) {
ActivityPub.helpers.log(`[activitypub/get] Not retrieving ${uri}, domain is blocked.`);
const e = new Error(`[[error:activitypub.get-failed]]`);
e.code = `ap_get_domain_blocked`;
throw e;
}
options = {
cache: true,
...options,

2
src/activitypub/instances.js
View File

@@ -11,7 +11,7 @@ Instances.log = async (domain) => {
Instances.getCount = async () => db.sortedSetCard('instances:lastSeen');
Instances.isAllowed = async (domain) => {
Instances.isAllowed = (domain) => {
let { activitypubFilter: type, activitypubFilterList: list } = meta.config;
list = new Set(String(list).split('\n'));
// eslint-disable-next-line no-bitwise

4
src/middleware/activitypub.js
View File

@@ -93,12 +93,12 @@ middleware.assertPayload = helpers.try(async function (req, res, next) {
// Domain check
const { hostname } = new URL(actor);
const allowed = await activitypub.instances.isAllowed(hostname);
const allowed = activitypub.instances.isAllowed(hostname);
if (!allowed) {
activitypub.helpers.log(`[middleware/activitypub] Blocked incoming activity from ${hostname}.`);
return res.sendStatus(403);
}
await activitypub.instances.log(hostname);
activitypub.instances.log(hostname);
// Origin checking
if (typeof object !== 'string' && object.hasOwnProperty('id')) {