Sanitize invalid actor description

Chocobozzz 2018-03-19 10:23:42 +01:00
parent f6aec1b0f6
commit f47776e265
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
2 changed files with 29 additions and 10 deletions


@ -1,5 +1,6 @@
import * as validator from 'validator'
import { CONSTRAINTS_FIELDS } from '../../../initializers'
import { normalizeActor } from '../../../lib/activitypub'
import { exists } from '../misc'
import { isActivityPubUrlValid, isBaseActivityValid, setValidAttributedTo } from './misc'
@ -52,6 +53,7 @@ function isActorObjectValid (actor: any) {
isActorPublicKeyObjectValid(actor.publicKey) &&
isActorEndpointsObjectValid(actor.endpoints) &&
setValidAttributedTo(actor) &&
// If this is not an account, it should be attributed to an account
// In PeerTube we use this to attach a video channel to a specific account
(actor.type === 'Person' || actor.attributedTo.length !== 0)
@ -83,6 +85,8 @@ function isActorRejectActivityValid (activity: any) {
}
function isActorUpdateActivityValid (activity: any) {
normalizeActor(activity.object)
return isBaseActivityValid(activity, 'Update') &&
isActorObjectValid(activity.object)
}
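Review bot: `isActorUpdateActivityValid` now calls `normalizeActor(activity.object)` before `isBaseActivityValid` has confirmed the activity is an `Update`, so a predicate named `is…Valid` rewrites the incoming object's `url` and `summary` as a side effect. Callers of a validator will not expect mutation, so either move the normalization to the code that consumes the activity or mark it at the call site with a comment such as `// Normalizes activity.object in place (url, summary) before it is validated`. The new import of `normalizeActor` from `lib/activitypub` into a helpers validator may also create an import cycle, since the second file in this commit uses `isActorObjectValid`; that is inferred from the visible lines and worth confirming.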


@ -12,12 +12,13 @@ import { logger } from '../../helpers/logger'
import { createPrivateAndPublicKeys } from '../../helpers/peertube-crypto'
import { doRequest, doRequestAndSaveToFile } from '../../helpers/requests'
import { getUrlFromWebfinger } from '../../helpers/webfinger'
import { IMAGE_MIMETYPE_EXT, CONFIG, sequelizeTypescript } from '../../initializers'
import { IMAGE_MIMETYPE_EXT, CONFIG, sequelizeTypescript, CONSTRAINTS_FIELDS } from '../../initializers'
import { AccountModel } from '../../models/account/account'
import { ActorModel } from '../../models/activitypub/actor'
import { AvatarModel } from '../../models/avatar/avatar'
import { ServerModel } from '../../models/server/server'
import { VideoChannelModel } from '../../models/video/video-channel'
import { truncate } from 'lodash'
// Set account keys, this could be long so process after the account creation and do not block the client
function setAsyncActorKeys (actor: ActorModel) {
@ -166,6 +167,24 @@ async function fetchAvatarIfExists (actorJSON: ActivityPubActor) {
return undefined
}
function normalizeActor (actor: any) {
if (!actor) return
if (!actor.url || typeof actor.url !== 'string') {
actor.url = actor.url.href || actor.url.url
}
if (actor.summary && typeof actor.summary === 'string') {
actor.summary = truncate(actor.summary, { length: CONSTRAINTS_FIELDS.USERS.DESCRIPTION.max })
if (actor.summary.length < CONSTRAINTS_FIELDS.USERS.DESCRIPTION.min) {
actor.summary = null
}
}
return
}
export {
getOrCreateActorAndServerAndModel,
buildActorInstance,
@ -173,7 +192,8 @@ export {
fetchActorTotalItems,
fetchAvatarIfExists,
updateActorInstance,
updateActorAvatarInstance
updateActorAvatarInstance,
normalizeActor
}
// ---------------------------------------------------------------------------
@ -255,7 +275,9 @@ async function fetchRemoteActor (actorUrl: string): Promise<FetchRemoteActorResu
logger.info('Fetching remote actor %s.', actorUrl)
const requestResult = await doRequest(options)
const actorJSON: ActivityPubActor = normalizeActor(requestResult.body)
normalizeActor(requestResult.body)
const actorJSON: ActivityPubActor = requestResult.body
if (isActorObjectValid(actorJSON) === false) {
logger.debug('Remote actor JSON is not valid.', { actorJSON: actorJSON })
@ -372,10 +394,3 @@ async function refreshActorIfNeeded (actor: ActorModel) {
return actor
}
}
function normalizeActor (actor: any) {
if (actor && actor.url && typeof actor.url === 'string') return actor
actor.url = actor.url.href || actor.url.url
return actor
}
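Review bot: In the new `normalizeActor`, the guard `if (!actor.url || typeof actor.url !== 'string')` enters the branch when `url` is missing, and `actor.url.href` then throws a TypeError on remote-supplied JSON. Because the function now also runs inside `isActorUpdateActivityValid` and before `isActorObjectValid` in `fetchRemoteActor`, a malformed actor would raise an exception instead of simply failing validation. Dereference only when a value is present, `if (actor.url && typeof actor.url !== 'string') actor.url = actor.url.href || actor.url.url`, and leave a missing `url` for the validator to reject. Separately, a too-short `summary` is replaced with `null` and a non-string `summary` is passed through unchanged; whether the actor validator accepts both is not visible in this diff.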