add better origin checks for all activities
Ted Unangst tedu@tedunangst.com
Tue, 21 May 2019 13:56:15 -0400
3 files changed,
26 insertions(+),
17 deletions(-)
M
activity.go
→
activity.go
@@ -270,12 +270,6 @@
func savexonk(user *WhatAbout, x *Honk) { if x.What == "eradicate" { log.Printf("eradicating %s by %s", x.RID, x.Honker) - mh := re_unurl.FindStringSubmatch(x.Honker) - mr := re_unurl.FindStringSubmatch(x.RID) - if len(mh) < 2 || len(mr) < 2 || mh[1] != mr[1] { - log.Printf("not deleting owner mismatch") - return - } xonk := getxonk(user.ID, x.RID) if xonk != nil { stmtZonkDonks.Exec(xonk.ID)@@ -382,6 +376,7 @@ log.Printf("err: %s", err)
continue } t, _ := jsongetstring(j, "type") + origin := originate(f.XID) if t == "OrderedCollection" { items, _ := jsongetarray(j, "orderedItems") if items == nil {@@ -395,7 +390,7 @@ items, _ = jsongetarray(j, "orderedItems")
} for _, item := range items { - xonk := xonkxonk(user, item) + xonk := xonkxonk(user, item, origin) if xonk != nil { savexonk(user, xonk) }@@ -434,10 +429,10 @@ }
return a } -func xonkxonk(user *WhatAbout, item interface{}) *Honk { +func xonkxonk(user *WhatAbout, item interface{}, origin string) *Honk { depth := 0 maxdepth := 4 - var xonkxonkfn func(item interface{}) *Honk + var xonkxonkfn func(item interface{}, origin string) *Honk saveoneup := func(xid string) { log.Printf("getting oneup: %s", xid)@@ -451,14 +446,14 @@ log.Printf("error getting oneup: %s", err)
return } depth++ - xonk := xonkxonkfn(obj) + xonk := xonkxonkfn(obj, originate(xid)) if xonk != nil { savexonk(user, xonk) } depth-- } - xonkxonkfn = func(item interface{}) *Honk { + xonkxonkfn = func(item interface{}, origin string) *Honk { // id, _ := jsongetstring(item, "id") what, _ := jsongetstring(item, "type") dt, _ := jsongetstring(item, "published")@@ -484,6 +479,7 @@ obj, err = GetJunk(xid)
if err != nil { log.Printf("error regetting: %s", err) } + origin = originate(xid) what = "bonk" case "Create": obj, _ = jsongetmap(item, "object")@@ -579,6 +575,10 @@ }
} } } + if originate(xid) != origin { + log.Printf("original sin: %s <> %s", xid, origin) + return nil + } audience = append(audience, who) audience = oneofakind(audience)@@ -610,7 +610,7 @@ }
return nil } - return xonkxonkfn(item) + return xonkxonkfn(item, origin) } func rubadubdub(user *WhatAbout, req map[string]interface{}) {
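Review bot: The added guard `if originate(xid) != origin` in xonkxonkfn passes when both sides are "", which is what originate returns for any string that `re_unurl` does not match. honk.go rejects an empty origin coming from keymatch, but `origin := originate(f.XID)` and the `xonkxonkfn(obj, originate(xid))` call in saveoneup hand the result on unchecked. Failing closed takes one extra condition: `if origin == "" || originate(xid) != origin {`. The same commit drops the owner-mismatch test from savexonk's eradicate branch, so this guard appears to be the only remaining host check before a delete. Because xid presumably comes from remote JSON, `%q` rather than `%s` in the new "original sin" log line would stop it from breaking log lines; the bodies of xonkxonkfn and savexonk extend beyond the hunks shown.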
M
fun.go
→
fun.go
@@ -252,6 +252,14 @@ }
var re_unurl = regexp.MustCompile("https://([^/]+).*/([^/]+)") +func originate(u string) string { + m := re_unurl.FindStringSubmatch(u) + if len(m) > 2 { + return m[1] + } + return "" +} + func honkerhandle(h string) string { m := re_unurl.FindStringSubmatch(h) if len(m) > 2 {@@ -427,14 +435,14 @@ }
return false } -func keymatch(keyname string, actor string, what string, userid int64) bool { +func keymatch(keyname string, actor string) string { hash := strings.IndexByte(keyname, '#') if hash == -1 { hash = len(keyname) } owner := keyname[0:hash] if owner == actor { - return true + return originate(actor) } - return false + return "" }
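Review bot: `originate` now carries the trust decision, but it takes the host from `re_unurl`, which has no `^` anchor and captures everything up to the first `/`. The result is therefore whatever follows the first `https://` found anywhere in the string, with any userinfo or port left in, and it is later compared case-sensitively. It also returns "" for a URL with no path segment after the host, and neither originate nor keymatch documents that "" means failure. Parsing with net/url (a new import for fun.go, if it is not already there) and returning a lowercased host only for https URLs would be stricter. A doc comment stating that callers must reject "" would make the contract explicit.

```go
func originate(u string) string {
	p, err := url.Parse(u)
	if err != nil || p.Scheme != "https" || p.Host == "" {
		return ""
	}
	return strings.ToLower(p.Host)
}
```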
M
honk.go
→
honk.go
@@ -304,7 +304,8 @@ if what == "Like" {
return } who, _ := jsongetstring(j, "actor") - if !keymatch(keyname, who, what, user.ID) { + origin := keymatch(keyname, who) + if origin == "" { log.Printf("keyname actor mismatch: %s <> %s", keyname, who) return }@@ -357,7 +358,7 @@ log.Printf("unknown undo: %s", what)
} } default: - xonk := xonkxonk(user, j) + xonk := xonkxonk(user, j, origin) if xonk != nil { savexonk(user, xonk) }
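Review bot: The branch under `if origin == ""` still logs "keyname actor mismatch", but keymatch now also returns "" when the key owner equals the actor and originate cannot extract a host from it, so the two rejection reasons look the same in the log. A separate message for the second case, or a comment on the check such as `// "" means either owner != actor or actor is not a usable https URL`, would help when triaging rejected deliveries. Only the `default:` branch is shown passing `origin` to xonkxonk; the other cases of the switch lie outside the hunk, so it cannot be confirmed from here that they apply the same check the commit title promises for all activities.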