Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: update activitypubFilterList logic so that it is also checked on resolveInbox and ActivityPub.get methods, updated instances.isAllowed to no longer return a promise

Browse Source
This commit is contained in:
Julian Lam
2025-09-19 10:56:35 -04:00
parent 559155da63
commit be9212b59f
3 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/activitypub/index.js
View File

@@ -152,7 +152,23 @@ ActivityPub.resolveInboxes = async (ids) => {
batch: 500, batch: 500,
}); });
return Array.from(inboxes); let inboxArr = Array.from(inboxes);
// Filter out blocked instances
const blocked = [];
inboxArr = inboxArr.filter((inbox) => {
const { hostname } = new URL(inbox);
const allowed = ActivityPub.instances.isAllowed(hostname);
if (!allowed) {
blocked.push(inbox);
}
return allowed;
});
if (blocked.length) {
ActivityPub.helpers.log(`[activitypub/resolveInboxes] Not delivering to blocked instances: ${blocked.join(', ')}`);
}
return inboxArr;
}; };
ActivityPub.getPublicKey = async (type, id) => { ActivityPub.getPublicKey = async (type, id) => {
@@ -305,6 +321,15 @@ ActivityPub.get = async (type, id, uri, options) => {
throw new Error('[[error:activitypub.not-enabled]]'); throw new Error('[[error:activitypub.not-enabled]]');
} }
const { hostname } = new URL(uri);
const allowed = ActivityPub.instances.isAllowed(hostname);
if (!allowed) {
ActivityPub.helpers.log(`[activitypub/get] Not retrieving ${uri}, domain is blocked.`);
const e = new Error(`[[error:activitypub.get-failed]]`);
e.code = `ap_get_domain_blocked`;
throw e;
}
options = { options = {
cache: true, cache: true,
...options, ...options,

2
src/activitypub/instances.js
View File

@@ -11,7 +11,7 @@ Instances.log = async (domain) => {
Instances.getCount = async () => db.sortedSetCard('instances:lastSeen'); Instances.getCount = async () => db.sortedSetCard('instances:lastSeen');
Instances.isAllowed = async (domain) => { Instances.isAllowed = (domain) => {
let { activitypubFilter: type, activitypubFilterList: list } = meta.config; let { activitypubFilter: type, activitypubFilterList: list } = meta.config;
list = new Set(String(list).split('\n')); list = new Set(String(list).split('\n'));
// eslint-disable-next-line no-bitwise // eslint-disable-next-line no-bitwise

4
src/middleware/activitypub.js
View File

@@ -93,12 +93,12 @@ middleware.assertPayload = helpers.try(async function (req, res, next) {
// Domain check // Domain check
const { hostname } = new URL(actor); const { hostname } = new URL(actor);
const allowed = await activitypub.instances.isAllowed(hostname); const allowed = activitypub.instances.isAllowed(hostname);
if (!allowed) { if (!allowed) {
activitypub.helpers.log(`[middleware/activitypub] Blocked incoming activity from ${hostname}.`); activitypub.helpers.log(`[middleware/activitypub] Blocked incoming activity from ${hostname}.`);
return res.sendStatus(403); return res.sendStatus(403);
} }
await activitypub.instances.log(hostname); activitypub.instances.log(hostname);
// Origin checking // Origin checking
if (typeof object !== 'string' && object.hasOwnProperty('id')) { if (typeof object !== 'string' && object.hasOwnProperty('id')) {