mirror of
				https://github.com/NodeBB/NodeBB.git
				synced 2025-10-26 16:46:12 +01:00 
			
		
		
		
	fix: update activitypubFilterList logic so that it is also checked on resolveInbox and ActivityPub.get methods, updated instances.isAllowed to no longer return a promise
This commit is contained in:
		| @@ -152,7 +152,23 @@ ActivityPub.resolveInboxes = async (ids) => { | ||||
| 		batch: 500, | ||||
| 	}); | ||||
|  | ||||
| 	return Array.from(inboxes); | ||||
| 	let inboxArr = Array.from(inboxes); | ||||
|  | ||||
| 	// Filter out blocked instances | ||||
| 	const blocked = []; | ||||
| 	inboxArr = inboxArr.filter((inbox) => { | ||||
| 		const { hostname } = new URL(inbox); | ||||
| 		const allowed = ActivityPub.instances.isAllowed(hostname); | ||||
| 		if (!allowed) { | ||||
| 			blocked.push(inbox); | ||||
| 		} | ||||
| 		return allowed; | ||||
| 	}); | ||||
| 	if (blocked.length) { | ||||
| 		ActivityPub.helpers.log(`[activitypub/resolveInboxes] Not delivering to blocked instances: ${blocked.join(', ')}`); | ||||
| 	} | ||||
|  | ||||
| 	return inboxArr; | ||||
| }; | ||||
|  | ||||
| ActivityPub.getPublicKey = async (type, id) => { | ||||
| @@ -305,6 +321,15 @@ ActivityPub.get = async (type, id, uri, options) => { | ||||
| 		throw new Error('[[error:activitypub.not-enabled]]'); | ||||
| 	} | ||||
|  | ||||
| 	const { hostname } = new URL(uri); | ||||
| 	const allowed = ActivityPub.instances.isAllowed(hostname); | ||||
| 	if (!allowed) { | ||||
| 		ActivityPub.helpers.log(`[activitypub/get] Not retrieving ${uri}, domain is blocked.`); | ||||
| 		const e = new Error(`[[error:activitypub.get-failed]]`); | ||||
| 		e.code = `ap_get_domain_blocked`; | ||||
| 		throw e; | ||||
| 	} | ||||
|  | ||||
| 	options = { | ||||
| 		cache: true, | ||||
| 		...options, | ||||
|   | ||||
| @@ -11,7 +11,7 @@ Instances.log = async (domain) => { | ||||
|  | ||||
| Instances.getCount = async () => db.sortedSetCard('instances:lastSeen'); | ||||
|  | ||||
| Instances.isAllowed = async (domain) => { | ||||
| Instances.isAllowed = (domain) => { | ||||
| 	let { activitypubFilter: type, activitypubFilterList: list } = meta.config; | ||||
| 	list = new Set(String(list).split('\n')); | ||||
| 	// eslint-disable-next-line no-bitwise | ||||
|   | ||||
| @@ -93,12 +93,12 @@ middleware.assertPayload = helpers.try(async function (req, res, next) { | ||||
|  | ||||
| 	// Domain check | ||||
| 	const { hostname } = new URL(actor); | ||||
| 	const allowed = await activitypub.instances.isAllowed(hostname); | ||||
| 	const allowed = activitypub.instances.isAllowed(hostname); | ||||
| 	if (!allowed) { | ||||
| 		activitypub.helpers.log(`[middleware/activitypub] Blocked incoming activity from ${hostname}.`); | ||||
| 		return res.sendStatus(403); | ||||
| 	} | ||||
| 	await activitypub.instances.log(hostname); | ||||
| 	activitypub.instances.log(hostname); | ||||
|  | ||||
| 	// Origin checking | ||||
| 	if (typeof object !== 'string' && object.hasOwnProperty('id')) { | ||||
|   | ||||
		Reference in New Issue
	
	Block a user