Return 404 for invalid Object ID (#3627)

* Update activitypub.ts

* Update activitypub.ts

* Update featured.ts

* Update followers.ts

* Update following.ts

* Update outbox.ts

* Fix following, outbox

1 files changed, 8 insertions, 3 deletions

diff --git a/src/server/activitypub/featured.ts b/src/server/activitypub/featured.ts
index f400cc416f..12613b3ecf 100644
--- a/src/server/activitypub/featured.ts
+++ b/src/server/activitypub/featured.ts
@@ -1,4 +1,4 @@
-import * as mongo from 'mongodb';
+import { ObjectID } from 'mongodb';
 import * as Router from 'koa-router';
 import config from '../../config';
 import User from '../../models/user';
@@ -9,7 +9,12 @@ import Note from '../../models/note';
 import renderNote from '../../remote/activitypub/renderer/note';
 
 export default async (ctx: Router.IRouterContext) => {
-	const userId = new mongo.ObjectID(ctx.params.user);
+	if (!ObjectID.isValid(ctx.params.user)) {
+		ctx.status = 404;
+		return;
+	}
+
+	const userId = new ObjectID(ctx.params.user);
 
 	// Verify user
 	const user = await User.findOne({
@@ -24,7 +29,7 @@ export default async (ctx: Router.IRouterContext) => {
 
 	const pinnedNoteIds = user.pinnedNoteIds || [];
 
-	const pinnedNotes = await Promise.all(pinnedNoteIds.map(id => Note.findOne({ _id: id })));
+	const pinnedNotes = await Promise.all(pinnedNoteIds.filter(ObjectID.isValid).map(id => Note.findOne({ _id: id })));
 
 	const renderedNotes = await Promise.all(pinnedNotes.map(note => renderNote(note)));