SuperSeriousBusiness/GoToSocial
1
1
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial synced 2025-06-05 21:59:39 +02:00
Code Issues Projects Releases Wiki Activity

[security] Check all involved IRIs during block checking (#593)

Browse Source 
* tidy up context keys, add otherInvolvedIRIs

* add ReplyToable interface

* skip block check if we own the requesting domain

* add block check for other involved IRIs

* use cacheable status fetch

* remove unused ContextActivity

* remove unused ContextActivity

* add helper for unique URIs

* check through CCs and clean slice

* add GetAccountIDForStatusURI

* add GetAccountIDForAccountURI

* check blocks on involved account

* add statuses to tests

* add some blocked tests

* go fmt

* extract Tos as well as CCs

* test PostInboxRequestBodyHook

* add some more testActivities

* deduplicate involvedAccountIDs

* go fmt

* use cacheable db functions, remove new functions
This commit is contained in:
tobi
2022-05-23 11:46:50 +02:00
committed by GitHub
parent d6abe105b3
commit 469da93678
9 changed files with 381 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
internal/ap/contextkey.go
View File

@@ -22,20 +22,16 @@ package ap
type ContextKey string
const (
// ContextActivity can be used to set and retrieve the actual go-fed pub.Activity within a context.
ContextActivity ContextKey = "activity"
// ContextReceivingAccount can be used the set and retrieve the account being interacted with / receiving an activity in their inbox.
ContextReceivingAccount ContextKey = "account"
ContextReceivingAccount ContextKey = "receivingAccount"
// ContextRequestingAccount can be used to set and retrieve the account of an incoming federation request.
// This will often be the actor of the instance that's posting the request.
ContextRequestingAccount ContextKey = "requestingAccount"
// ContextRequestingActorIRI can be used to set and retrieve the actor of an incoming federation request.
// This will usually be the owner of whatever activity is being posted.
ContextRequestingActorIRI ContextKey = "requestingActorIRI"
// ContextOtherInvolvedIRIs can be used to set and retrieve a slice of all IRIs that are 'involved' in an Activity without being
// the receivingAccount or the requestingAccount. In other words, people or notes who are CC'ed or Replied To by an Activity.
ContextOtherInvolvedIRIs ContextKey = "otherInvolvedIRIs"
// ContextRequestingPublicKeyVerifier can be used to set and retrieve the public key verifier of an incoming federation request.
ContextRequestingPublicKeyVerifier ContextKey = "requestingPublicKeyVerifier"
// ContextRequestingPublicKeySignature can be used to set and retrieve the value of the signature header of an incoming federation request.
ContextRequestingPublicKeySignature ContextKey = "requestingPublicKeySignature"
// ContextFromFederatorChan can be used to pass a pointer to the fromFederator channel into the federator for use in callbacks.
ContextFromFederatorChan ContextKey = "fromFederatorChan"
)