From 48223c1c76f48ed59482c3e2a95564f18ff186ed Mon Sep 17 00:00:00 2001 From: mei23 Date: Thu, 30 Aug 2018 20:53:41 +0900 Subject: Validate host in activity --- src/queue/processors/http/process-inbox.ts | 55 ++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) (limited to 'src/queue/processors/http') diff --git a/src/queue/processors/http/process-inbox.ts b/src/queue/processors/http/process-inbox.ts index c9c2fa72cb..a30efe1a3a 100644 --- a/src/queue/processors/http/process-inbox.ts +++ b/src/queue/processors/http/process-inbox.ts @@ -6,6 +6,8 @@ import parseAcct from '../../../misc/acct/parse'; import User, { IRemoteUser } from '../../../models/user'; import perform from '../../../remote/activitypub/perform'; import { resolvePerson } from '../../../remote/activitypub/models/person'; +import { toUnicode } from 'punycode'; +import { URL } from 'url'; const log = debug('misskey:queue:inbox'); @@ -32,6 +34,15 @@ export default async (job: bq.Job, done: any): Promise => { return; } + // アクティビティ内のホストの検証 + try { + ValidateActivity(activity, host); + } catch (e) { + console.warn(e); + done(); + return; + } + user = await User.findOne({ usernameLower: username, host: host.toLowerCase() }) as IRemoteUser; // アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する @@ -39,6 +50,16 @@ export default async (job: bq.Job, done: any): Promise => { user = await resolvePerson(activity.actor) as IRemoteUser; } } else { + // アクティビティ内のホストの検証 + const host = toUnicode(new URL(signature.keyId).hostname.toLowerCase()); + try { + ValidateActivity(activity, host); + } catch (e) { + console.warn(e); + done(); + return; + } + user = await User.findOne({ host: { $ne: null }, 'publicKey.id': signature.keyId @@ -69,3 +90,37 @@ export default async (job: bq.Job, done: any): Promise => { done(e); } }; + +/** + * Validate host in activity + * @param activity Activity + * @param host Expect host + */ +function ValidateActivity(activity: any, host: string) { + // id (if exists) + if (typeof activity.id === 'string') { + const uriHost = toUnicode(new URL(activity.id).hostname.toLowerCase()); + if (host !== uriHost) throw new Error('activity.id has different host'); + } + + // actor (if exists) + if (typeof activity.actor === 'string') { + const uriHost = toUnicode(new URL(activity.actor).hostname.toLowerCase()); + if (host !== uriHost) throw new Error('activity.actor has different host'); + } + + // For Create activity + if (activity.type === 'Create' && activity.object) { + // object.id (if exists) + if (typeof activity.object.id === 'string') { + const uriHost = toUnicode(new URL(activity.object.id).hostname.toLowerCase()); + if (host !== uriHost) throw new Error('activity.object.id has different host'); + } + + // object.attributedTo (if exists) + if (typeof activity.object.attributedTo === 'string') { + const uriHost = toUnicode(new URL(activity.object.attributedTo).hostname.toLowerCase()); + if (host !== uriHost) throw new Error('activity.object.attributedTo has different host'); + } + } +} -- cgit v1.2.3-freya From 18b4f74cdb3f4a0c69855f1ab5b2f286984f1b13 Mon Sep 17 00:00:00 2001 From: mei23 Date: Fri, 31 Aug 2018 16:46:24 +0900 Subject: Improve validation error message --- src/queue/processors/http/process-inbox.ts | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'src/queue/processors/http') diff --git a/src/queue/processors/http/process-inbox.ts b/src/queue/processors/http/process-inbox.ts index a30efe1a3a..7e564dd32a 100644 --- a/src/queue/processors/http/process-inbox.ts +++ b/src/queue/processors/http/process-inbox.ts @@ -38,7 +38,7 @@ export default async (job: bq.Job, done: any): Promise => { try { ValidateActivity(activity, host); } catch (e) { - console.warn(e); + console.warn(e.message); done(); return; } @@ -55,7 +55,7 @@ export default async (job: bq.Job, done: any): Promise => { try { ValidateActivity(activity, host); } catch (e) { - console.warn(e); + console.warn(e.message); done(); return; } @@ -100,7 +100,10 @@ function ValidateActivity(activity: any, host: string) { // id (if exists) if (typeof activity.id === 'string') { const uriHost = toUnicode(new URL(activity.id).hostname.toLowerCase()); - if (host !== uriHost) throw new Error('activity.id has different host'); + if (host !== uriHost) { + const diag = activity.signature ? '. Has LD-Signature. Forwarded?' : ''; + throw new Error(`activity.id(${activity.id}) has different host(${host})${diag}`); + } } // actor (if exists) -- cgit v1.2.3-freya From 3efffbcf22f9292bfe4644df4b7627687a6748f5 Mon Sep 17 00:00:00 2001 From: mei23 Date: Sat, 1 Sep 2018 17:53:38 +0900 Subject: Receive Update activity --- src/queue/processors/http/process-inbox.ts | 28 +++++++++++++++++++--------- src/remote/activitypub/models/person.ts | 8 +++++--- 2 files changed, 24 insertions(+), 12 deletions(-) (limited to 'src/queue/processors/http') diff --git a/src/queue/processors/http/process-inbox.ts b/src/queue/processors/http/process-inbox.ts index 7e564dd32a..8e6b3769de 100644 --- a/src/queue/processors/http/process-inbox.ts +++ b/src/queue/processors/http/process-inbox.ts @@ -5,7 +5,7 @@ const httpSignature = require('http-signature'); import parseAcct from '../../../misc/acct/parse'; import User, { IRemoteUser } from '../../../models/user'; import perform from '../../../remote/activitypub/perform'; -import { resolvePerson } from '../../../remote/activitypub/models/person'; +import { resolvePerson, updatePerson } from '../../../remote/activitypub/models/person'; import { toUnicode } from 'punycode'; import { URL } from 'url'; @@ -44,11 +44,6 @@ export default async (job: bq.Job, done: any): Promise => { } user = await User.findOne({ usernameLower: username, host: host.toLowerCase() }) as IRemoteUser; - - // アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する - if (user === null) { - user = await resolvePerson(activity.actor) as IRemoteUser; - } } else { // アクティビティ内のホストの検証 const host = toUnicode(new URL(signature.keyId).hostname.toLowerCase()); @@ -64,11 +59,26 @@ export default async (job: bq.Job, done: any): Promise => { host: { $ne: null }, 'publicKey.id': signature.keyId }) as IRemoteUser; + } - // アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する - if (user === null) { - user = await resolvePerson(activity.actor) as IRemoteUser; + // Update activityの場合は、ここで署名検証/更新処理まで実施して終了 + if (activity.type === 'Update') { + if (activity.object && activity.object.type === 'Person') { + if (user == null) { + console.warn('Update activity received, but user not registed.'); + } else if (!httpSignature.verifySignature(signature, user.publicKey.publicKeyPem)) { + console.warn('Update activity received, but signature verification failed.'); + } else { + updatePerson(activity.actor, null, activity.object); + } } + done(); + return; + } + + // アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する + if (user === null) { + user = await resolvePerson(activity.actor) as IRemoteUser; } if (user === null) { diff --git a/src/remote/activitypub/models/person.ts b/src/remote/activitypub/models/person.ts index 9c770141a3..dff38f5460 100644 --- a/src/remote/activitypub/models/person.ts +++ b/src/remote/activitypub/models/person.ts @@ -216,10 +216,12 @@ export async function createPerson(uri: string, resolver?: Resolver): Promise { +export async function updatePerson(uri: string, resolver?: Resolver, hint?: object): Promise { if (typeof uri !== 'string') throw 'uri is not string'; // URIがこのサーバーを指しているならスキップ @@ -237,7 +239,7 @@ export async function updatePerson(uri: string, resolver?: Resolver): Promise Date: Fri, 5 Oct 2018 01:58:41 +0900 Subject: ActivityPubのHTTPリクエストの強化 (#2820) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix error handling in AP deliver * Set timeout to resolver * Tune looks --- src/queue/processors/http/deliver.ts | 23 +++++++++++------------ src/remote/activitypub/request.ts | 12 +++++++++++- src/remote/activitypub/resolver.ts | 2 ++ 3 files changed, 24 insertions(+), 13 deletions(-) (limited to 'src/queue/processors/http') diff --git a/src/queue/processors/http/deliver.ts b/src/queue/processors/http/deliver.ts index e14a162105..621219fec6 100644 --- a/src/queue/processors/http/deliver.ts +++ b/src/queue/processors/http/deliver.ts @@ -7,19 +7,18 @@ export default async (job: bq.Job, done: any): Promise => { await request(job.data.user, job.data.to, job.data.content); done(); } catch (res) { - if (res == null || !res.hasOwnProperty('statusCode')) { - console.warn(`deliver failed (unknown): ${res}`); - return done(); - } - - if (res.statusCode == null) return done(); - if (res.statusCode >= 400 && res.statusCode < 500) { - // HTTPステータスコード4xxはクライアントエラーであり、それはつまり - // 何回再送しても成功することはないということなのでエラーにはしないでおく - done(); + if (res != null && res.hasOwnProperty('statusCode')) { + if (res.statusCode >= 400 && res.statusCode < 500) { + // HTTPステータスコード4xxはクライアントエラーであり、それはつまり + // 何回再送しても成功することはないということなのでエラーにはしないでおく + done(); + } else { + console.warn(`deliver failed: ${res.statusCode} ${res.statusMessage} to=${job.data.to}`); + done(res.statusMessage); + } } else { - console.warn(`deliver failed: ${res.statusMessage}`); - done(res.statusMessage); + console.warn(`deliver failed: ${res} to=${job.data.to}`); + done(); } } }; diff --git a/src/remote/activitypub/request.ts b/src/remote/activitypub/request.ts index 07f0ecca8b..177b6f458e 100644 --- a/src/remote/activitypub/request.ts +++ b/src/remote/activitypub/request.ts @@ -12,6 +12,8 @@ const log = debug('misskey:activitypub:deliver'); export default (user: ILocalUser, url: string, object: any) => new Promise((resolve, reject) => { log(`--> ${url}`); + const timeout = 10 * 1000; + const { protocol, hostname, port, pathname, search } = new URL(url); const data = JSON.stringify(object); @@ -26,6 +28,7 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso port, method: 'POST', path: pathname + search, + timeout, headers: { 'User-Agent': config.user_agent, 'Content-Type': 'application/activity+json', @@ -35,7 +38,7 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso log(`${url} --> ${res.statusCode}`); if (res.statusCode >= 400) { - reject(); + reject(res); } else { resolve(); } @@ -53,5 +56,12 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso sig = sig.replace(/^Signature /, ''); req.setHeader('Signature', sig); + req.on('timeout', () => req.abort()); + + req.on('error', e => { + if (req.aborted) reject('timeout'); + reject(e); + }); + req.end(data); }); diff --git a/src/remote/activitypub/resolver.ts b/src/remote/activitypub/resolver.ts index 215e5e8704..ff26971758 100644 --- a/src/remote/activitypub/resolver.ts +++ b/src/remote/activitypub/resolver.ts @@ -7,6 +7,7 @@ const log = debug('misskey:activitypub:resolver'); export default class Resolver { private history: Set; + private timeout = 10 * 1000; constructor() { this.history = new Set(); @@ -50,6 +51,7 @@ export default class Resolver { const object = await request({ url: value, + timeout: this.timeout, headers: { 'User-Agent': config.user_agent, Accept: 'application/activity+json, application/ld+json' -- cgit v1.2.3-freya