| author | dakkar <dakkar@thenautilus.net> | 2024-04-30 10:12:54 +0100 |
|---|---|---|
| committer | dakkar <dakkar@thenautilus.net> | 2024-04-30 10:16:57 +0100 |
| commit | 6ae01e28aa717d54743f1ab44fd099853a969d3d (patch) | |
| tree | 7ca8464e95d5a3005810097a6a64a4692cc2561d /packages/backend/src/queue/processors/InboxProcessorService.ts | |
| parent | merge: hide images/videos in og cards, when under a CW - fixes #487 (!488) (diff) | |
Compact LD-signed activities against well-known context
This should defend against some spoofing attacks, see also
https://nvd.nist.gov/vuln/detail/CVE-2022-24307 for Mastodon,
https://iceshrimp.dev/iceshrimp/iceshrimp/commit/febb499fcb5fe3d56ca79025e4b5851464660c38
from Iceshrimp and
https://firefish.dev/firefish/firefish/-/commit/e790d6be90dfd5dc6471b650a54520761bb9d745
for Firefish
Thanks to @tesaguri@fedibird.com for reporting and providing the patch.
Diffstat (limited to 'packages/backend/src/queue/processors/InboxProcessorService.ts')
| -rw-r--r-- | packages/backend/src/queue/processors/InboxProcessorService.ts | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/packages/backend/src/queue/processors/InboxProcessorService.ts b/packages/backend/src/queue/processors/InboxProcessorService.ts
index ad1d9799a7..2b5b7c5619 100644
--- a/packages/backend/src/queue/processors/InboxProcessorService.ts
+++ b/packages/backend/src/queue/processors/InboxProcessorService.ts
@@ -15,6 +15,7 @@ import InstanceChart from '@/core/chart/charts/instance.js';
 import ApRequestChart from '@/core/chart/charts/ap-request.js';
 import FederationChart from '@/core/chart/charts/federation.js';
 import { getApId } from '@/core/activitypub/type.js';
+import type { IActivity } from '@/core/activitypub/type.js';
 import type { MiRemoteUser } from '@/models/User.js';
 import type { MiUserPublickey } from '@/models/UserPublickey.js';
 import { ApDbResolverService } from '@/core/activitypub/ApDbResolverService.js';
@@ -52,7 +53,7 @@ export class InboxProcessorService {
 	@bindThis
 	public async process(job: Bull.Job<InboxJobData>): Promise<string> {
 		const signature = job.data.signature; // HTTP-signature
-		const activity = job.data.activity;
+		let activity = job.data.activity;
 
 		//#region Log
 		const info = Object.assign({}, activity);
@@ -150,6 +151,17 @@ export class InboxProcessorService {
 			throw new Bull.UnrecoverableError('skip: LD-Signatureの検証に失敗しました');
 		}
 
+		// アクティビティを正規化
+		delete activity.signature;
+		try {
+			activity = await ldSignature.compact(activity) as IActivity;
+		} catch (e) {
+			throw new Bull.UnrecoverableError(`skip: failed to compact activity: ${e}`);
+		}
+		// TODO: 元のアクティビティと非互換な形に正規化される場合は転送をスキップする
+		// https://github.com/mastodon/mastodon/blob/664b0ca/app/services/activitypub/process_collection_service.rb#L24-L29
+		activity.signature = ldSignature;
+
 		// もう一度actorチェック
 		if (authUser.user.uri !== activity.actor) {
 			throw new Bull.UnrecoverableError(`skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${activity.actor})`); |
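Review bot: In the third hunk, `activity.signature = ldSignature;` reattaches the original LD signature to the compacted object, but nothing confirms that compaction preserved the identity of what was signed before the code carries on (the TODO above it defers exactly that check, citing Mastodon). Because the whole point of compacting is that the verified payload may have carried properties that compaction drops or renames, the compacted `id` and `type` should at least be compared against the originals and the job skipped on mismatch: `const { id: origId, type: origType } = activity;` before the try, and `if (activity.id !== origId || activity.type !== origType) throw new Bull.UnrecoverableError('skip: compacted activity differs from signed activity');` after it (presumably `IActivity` exposes `id` and `type`, as the `getApId` import suggests — confirm). Separately, `${e}` in the catch stringifies an untyped catch variable, which under `useUnknownInCatchVariables` yields `[object Object]` for non-Error throws; prefer `e instanceof Error ? e.message : String(e)`. Note that `delete activity.signature` mutates `job.data.activity` in place before the reassignment, which is harmless only because `info` was copied earlier; a comment saying so would help. The enclosing `process` method begins in the second hunk and its body continues past the end of this hunk.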