[ActivityPub] The protocol allows content to be null, GNU social doesn't, we'll reject silentiously

Reported by kaniini
This commit is contained in:
Diogo Cordeiro 2019-10-11 19:09:08 +01:00
parent 6284b155b8
commit b434bead2c
6 changed files with 90 additions and 74 deletions

View File

@ -41,6 +41,10 @@ const ACTIVITYPUB_PUBLIC_TO = ['https://www.w3.org/ns/activitystreams#Public',
'Public', 'Public',
'as:Public' 'as:Public'
]; ];
const ACTIVITYPUB_HTTP_CLIENT_HEADERS = [
'Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
'User-Agent: GNUsocialBot ' . GNUSOCIAL_VERSION . ' - https://gnusocial.network'
];
/** /**
* @category Plugin * @category Plugin
@ -117,13 +121,13 @@ class ActivityPubPlugin extends Plugin
if ($grab_online) { if ($grab_online) {
/* Online Grabbing */ /* Online Grabbing */
$client = new HTTPClient(); $client = new HTTPClient();
$headers = []; $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$headers[] = 'Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"';
$headers[] = 'User-Agent: GNUSocialBot ' . GNUSOCIAL_VERSION . ' - https://gnu.io/social';
$response = $client->get($url, $headers);
$object = json_decode($response->getBody(), true); $object = json_decode($response->getBody(), true);
Activitypub_notice::validate_note($object); if (Activitypub_notice::validate_note($object)) {
return Activitypub_notice::create_notice($object); return Activitypub_notice::create_notice($object);
} else {
throw new Exception("Valid ActivityPub Notice object but unsupported by GNU social.");
}
} }
common_debug('ActivityPubPlugin Notice Grabber: failed to find: '.$url); common_debug('ActivityPubPlugin Notice Grabber: failed to find: '.$url);

View File

@ -40,8 +40,6 @@ class Activitypub_explorer
{ {
private $discovered_actor_profiles = []; private $discovered_actor_profiles = [];
private $temp_res; // global variable to hold a temporary http response private $temp_res; // global variable to hold a temporary http response
private static $headers = ['Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
'User-Agent: GNUsocialBot ' . GNUSOCIAL_VERSION . ' - https://gnusocial.network'];
/** /**
* Shortcut function to get a single profile from its URL. * Shortcut function to get a single profile from its URL.
@ -130,7 +128,7 @@ class Activitypub_explorer
private function ensure_proper_remote_uri($url) private function ensure_proper_remote_uri($url)
{ {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$res = json_decode($response->getBody(), true); $res = json_decode($response->getBody(), true);
if (self::validate_remote_response($res)) { if (self::validate_remote_response($res)) {
$this->temp_res = $res; $this->temp_res = $res;
@ -224,7 +222,7 @@ class Activitypub_explorer
common_debug('ActivityPub Explorer: Trying to grab a remote actor for ' . $url); common_debug('ActivityPub Explorer: Trying to grab a remote actor for ' . $url);
if (!isset($this->temp_res)) { if (!isset($this->temp_res)) {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$res = json_decode($response->getBody(), true); $res = json_decode($response->getBody(), true);
} else { } else {
$res = $this->temp_res; $res = $this->temp_res;
@ -409,7 +407,7 @@ class Activitypub_explorer
public static function get_actor_inboxes_uri($url) public static function get_actor_inboxes_uri($url)
{ {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
if (!$response->isOk()) { if (!$response->isOk()) {
throw new Exception('Invalid Actor URL.'); throw new Exception('Invalid Actor URL.');
} }
@ -437,7 +435,7 @@ class Activitypub_explorer
private function travel_collection($url) private function travel_collection($url)
{ {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$res = json_decode($response->getBody(), true); $res = json_decode($response->getBody(), true);
if (!isset($res['orderedItems'])) { if (!isset($res['orderedItems'])) {
@ -470,7 +468,7 @@ class Activitypub_explorer
public static function get_remote_user_activity($url) public static function get_remote_user_activity($url)
{ {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$res = json_decode($response->getBody(), true); $res = json_decode($response->getBody(), true);
if (Activitypub_explorer::validate_remote_response($res)) { if (Activitypub_explorer::validate_remote_response($res)) {
common_debug('ActivityPub Explorer: Found a valid remote actor for ' . $url); common_debug('ActivityPub Explorer: Found a valid remote actor for ' . $url);

View File

@ -54,7 +54,9 @@ class Activitypub_inbox_handler
$this->object = $activity['object']; $this->object = $activity['object'];
// Validate Activity // Validate Activity
$this->validate_activity(); if (!$this->validate_activity()) {
return; // Just ignore
}
// Get Actor's Profile // Get Actor's Profile
if (!is_null($actor_profile)) { if (!is_null($actor_profile)) {
@ -70,10 +72,11 @@ class Activitypub_inbox_handler
/** /**
* Validates if a given Activity is valid. Throws exception if not. * Validates if a given Activity is valid. Throws exception if not.
* *
* @throws Exception * @throws Exception if invalid
* @return bool true if valid and acceptable, false if unsupported
* @author Diogo Cordeiro <diogo@fc.up.pt> * @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
private function validate_activity() private function validate_activity(): bool
{ {
// Activity validation // Activity validation
// Validate data // Validate data
@ -88,15 +91,16 @@ class Activitypub_inbox_handler
} }
// Object validation // Object validation
$valid = true;
switch ($this->activity['type']) { switch ($this->activity['type']) {
case 'Accept': case 'Accept':
Activitypub_accept::validate_object($this->object); $valid &= Activitypub_accept::validate_object($this->object);
break; break;
case 'Create': case 'Create':
Activitypub_create::validate_object($this->object); $valid &= Activitypub_create::validate_object($this->object);
break; break;
case 'Delete': case 'Delete':
Activitypub_delete::validate_object($this->object); $valid &= Activitypub_delete::validate_object($this->object);
break; break;
case 'Follow': case 'Follow':
case 'Like': case 'Like':
@ -106,11 +110,13 @@ class Activitypub_inbox_handler
} }
break; break;
case 'Undo': case 'Undo':
Activitypub_undo::validate_object($this->object); $valid &= Activitypub_undo::validate_object($this->object);
break; break;
default: default:
throw new Exception('Unknown Activity Type.'); throw new Exception('Unknown Activity Type.');
} }
return $valid;
} }
/** /**

View File

@ -39,11 +39,11 @@ class Activitypub_create
/** /**
* Generates an ActivityPub representation of a Create * Generates an ActivityPub representation of a Create
* *
* @author Diogo Cordeiro <diogo@fc.up.pt>
* @param string $actor * @param string $actor
* @param array $object * @param array $object
* @param bool $directMesssage whether it is a private Create activity or not * @param bool $directMessage whether it is a private Create activity or not
* @return array pretty array to be used in a response * @return array pretty array to be used in a response
* @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function create_to_array(string $actor, array $object, bool $directMessage = false): array public static function create_to_array(string $actor, array $object, bool $directMessage = false): array
{ {
@ -63,11 +63,12 @@ class Activitypub_create
/** /**
* Verifies if a given object is acceptable for a Create Activity. * Verifies if a given object is acceptable for a Create Activity.
* *
* @author Diogo Cordeiro <diogo@fc.up.pt>
* @param array $object * @param array $object
* @throws Exception * @return bool True if acceptable, false if valid but unsupported
* @throws Exception if invalid
* @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function validate_object($object) public static function validate_object($object): bool
{ {
if (!is_array($object)) { if (!is_array($object)) {
common_debug('ActivityPub Create Validator: Rejected because of invalid Object format.'); common_debug('ActivityPub Create Validator: Rejected because of invalid Object format.');
@ -84,11 +85,12 @@ class Activitypub_create
switch ($object['type']) { switch ($object['type']) {
case 'Note': case 'Note':
// Validate data // Validate data
Activitypub_notice::validate_note($object); return Activitypub_notice::validate_note($object);
break; break;
default: default:
throw new Exception('This is not a supported Object Type for Create Activity.'); throw new Exception('This is not a supported Object Type for Create Activity.');
} }
return true;
} }
/** /**
@ -100,7 +102,8 @@ class Activitypub_create
* @return bool true if note is private, false otherwise * @return bool true if note is private, false otherwise
* @author Bruno casteleiro <brunoccast@fc.up.pt> * @author Bruno casteleiro <brunoccast@fc.up.pt>
*/ */
public static function isPrivateNote(array $activity): bool { public static function isPrivateNote(array $activity): bool
{
if (isset($activity['directMessage'])) { if (isset($activity['directMessage'])) {
return $activity['directMessage']; return $activity['directMessage'];
} }

View File

@ -41,10 +41,10 @@ class Activitypub_mention_tag
* *
* @author Diogo Cordeiro <diogo@fc.up.pt> * @author Diogo Cordeiro <diogo@fc.up.pt>
* @param string $href Actor Uri * @param string $href Actor Uri
* @param array $name Mention name * @param string $name Mention name
* @return array pretty array to be used in a response * @return array pretty array to be used in a response
*/ */
public static function mention_tag_to_array_from_values($href, $name) public static function mention_tag_to_array_from_values(string $href, string $name): array
{ {
$res = [ $res = [
'@context' => 'https://www.w3.org/ns/activitystreams', '@context' => 'https://www.w3.org/ns/activitystreams',

View File

@ -44,6 +44,7 @@ class Activitypub_notice
* @throws EmptyPkeyValueException * @throws EmptyPkeyValueException
* @throws InvalidUrlException * @throws InvalidUrlException
* @throws ServerException * @throws ServerException
* @throws Exception
* @author Diogo Cordeiro <diogo@fc.up.pt> * @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function notice_to_array($notice) public static function notice_to_array($notice)
@ -115,12 +116,12 @@ class Activitypub_notice
* Create a Notice via ActivityPub Note Object. * Create a Notice via ActivityPub Note Object.
* Returns created Notice. * Returns created Notice.
* *
* @author Diogo Cordeiro <diogo@fc.up.pt>
* @param array $object * @param array $object
* @param Profile $actor_profile * @param Profile $actor_profile
* @param bool $directMessage * @param bool $directMessage
* @return Notice * @return Notice
* @throws Exception * @throws Exception
* @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice
{ {
@ -234,8 +235,8 @@ class Activitypub_notice
* Validates a note. * Validates a note.
* *
* @param array $object * @param array $object
* @return bool * @return bool false if unacceptable for GS but valid ActivityPub object
* @throws Exception * @throws Exception if invalid ActivityPub object
* @author Diogo Cordeiro <diogo@fc.up.pt> * @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function validate_note($object) public static function validate_note($object)
@ -251,10 +252,6 @@ class Activitypub_notice
common_debug('ActivityPub Notice Validator: Rejected because of Type.'); common_debug('ActivityPub Notice Validator: Rejected because of Type.');
throw new Exception('Invalid Object type.'); throw new Exception('Invalid Object type.');
} }
if (!isset($object['content'])) {
common_debug('ActivityPub Notice Validator: Rejected because Content was not specified (GNU social requires content in notes).');
throw new Exception('Object content was not specified.');
}
if (isset($object['url']) && !filter_var($object['url'], FILTER_VALIDATE_URL)) { if (isset($object['url']) && !filter_var($object['url'], FILTER_VALIDATE_URL)) {
common_debug('ActivityPub Notice Validator: Rejected because Object URL is invalid.'); common_debug('ActivityPub Notice Validator: Rejected because Object URL is invalid.');
throw new Exception('Invalid Object URL.'); throw new Exception('Invalid Object URL.');
@ -263,6 +260,10 @@ class Activitypub_notice
common_debug('ActivityPub Notice Validator: Rejected because either Object CC or TO wasn\'t specified.'); common_debug('ActivityPub Notice Validator: Rejected because either Object CC or TO wasn\'t specified.');
throw new Exception('Either Object CC or TO wasn\'t specified.'); throw new Exception('Either Object CC or TO wasn\'t specified.');
} }
if (!isset($object['content'])) {
common_debug('ActivityPub Notice Validator: Rejected because Content was not specified (GNU social requires content in notes).');
return false;
}
return true; return true;
} }
@ -271,9 +272,12 @@ class Activitypub_notice
* *
* @param Notice $notice notice from which to retrieve the URL * @param Notice $notice notice from which to retrieve the URL
* @return string URL * @return string URL
* @throws InvalidUrlException
* @throws Exception
* @author Bruno Casteleiro <brunoccast@fc.up.pt> * @author Bruno Casteleiro <brunoccast@fc.up.pt>
*/ */
public static function getUrl(Notice $notice): string { public static function getUrl(Notice $notice): string
{
if ($notice->isLocal()) { if ($notice->isLocal()) {
return common_local_url('apNotice', ['id' => $notice->getID()]); return common_local_url('apNotice', ['id' => $notice->getID()]);
} else { } else {
@ -289,7 +293,8 @@ class Activitypub_notice
* @return int Notice policy type * @return int Notice policy type
* @author Bruno Casteleiro <brunoccast@fc.up.pt> * @author Bruno Casteleiro <brunoccast@fc.up.pt>
*/ */
public static function getNotePolicyType(array $note, Profile $actor_profile): int { public static function getNotePolicyType(array $note, Profile $actor_profile): int
{
if (in_array('https://www.w3.org/ns/activitystreams#Public', $note['to'])) { if (in_array('https://www.w3.org/ns/activitystreams#Public', $note['to'])) {
return $actor_profile->isLocal() ? Notice::LOCAL_PUBLIC : Notice::REMOTE; return $actor_profile->isLocal() ? Notice::LOCAL_PUBLIC : Notice::REMOTE;
} else { } else {