wamo/gnu-social
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[ActivityPub] The protocol allows content to be null, GNU social doesn't, we'll reject silentiously

Browse Source 
Reported by kaniini
This commit is contained in:
Diogo Cordeiro 2019-10-11 19:09:08 +01:00 committed by Diogo Peralta Cordeiro
parent 4133874e59
commit 9088e58a64
6 changed files with 90 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
plugins/ActivityPub/ActivityPubPlugin.php
View File

@ -41,6 +41,10 @@ const ACTIVITYPUB_PUBLIC_TO = ['https://www.w3.org/ns/activitystreams#Public',
'Public', 'Public',
'as:Public' 'as:Public'
]; ];
const ACTIVITYPUB_HTTP_CLIENT_HEADERS = [
'Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
'User-Agent: GNUsocialBot ' . GNUSOCIAL_VERSION . ' - https://gnusocial.network'
];
/** /**
* @category Plugin * @category Plugin
@ -117,13 +121,13 @@ class ActivityPubPlugin extends Plugin
if ($grab_online) { if ($grab_online) {
/* Online Grabbing */ /* Online Grabbing */
$client = new HTTPClient(); $client = new HTTPClient();
$headers = []; $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$headers[] = 'Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"';
$headers[] = 'User-Agent: GNUSocialBot ' . GNUSOCIAL_VERSION . ' - https://gnu.io/social';
$response = $client->get($url, $headers);
$object = json_decode($response->getBody(), true); $object = json_decode($response->getBody(), true);
Activitypub_notice::validate_note($object); if (Activitypub_notice::validate_note($object)) {
return Activitypub_notice::create_notice($object); return Activitypub_notice::create_notice($object);
} else {
throw new Exception("Valid ActivityPub Notice object but unsupported by GNU social.");
}
} }
common_debug('ActivityPubPlugin Notice Grabber: failed to find: '.$url); common_debug('ActivityPubPlugin Notice Grabber: failed to find: '.$url);

12
plugins/ActivityPub/lib/explorer.php
View File

@ -40,8 +40,6 @@ class Activitypub_explorer
{ {
private $discovered_actor_profiles = []; private $discovered_actor_profiles = [];
private $temp_res; // global variable to hold a temporary http response private $temp_res; // global variable to hold a temporary http response
private static $headers = ['Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
'User-Agent: GNUsocialBot ' . GNUSOCIAL_VERSION . ' - https://gnusocial.network'];
/** /**
* Shortcut function to get a single profile from its URL. * Shortcut function to get a single profile from its URL.
@ -130,7 +128,7 @@ class Activitypub_explorer
private function ensure_proper_remote_uri($url) private function ensure_proper_remote_uri($url)
{ {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$res = json_decode($response->getBody(), true); $res = json_decode($response->getBody(), true);
if (self::validate_remote_response($res)) { if (self::validate_remote_response($res)) {
$this->temp_res = $res; $this->temp_res = $res;
@ -224,7 +222,7 @@ class Activitypub_explorer
common_debug('ActivityPub Explorer: Trying to grab a remote actor for ' . $url); common_debug('ActivityPub Explorer: Trying to grab a remote actor for ' . $url);
if (!isset($this->temp_res)) { if (!isset($this->temp_res)) {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$res = json_decode($response->getBody(), true); $res = json_decode($response->getBody(), true);
} else { } else {
$res = $this->temp_res; $res = $this->temp_res;
@ -409,7 +407,7 @@ class Activitypub_explorer
public static function get_actor_inboxes_uri($url) public static function get_actor_inboxes_uri($url)
{ {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
if (!$response->isOk()) { if (!$response->isOk()) {
throw new Exception('Invalid Actor URL.'); throw new Exception('Invalid Actor URL.');
} }
@ -437,7 +435,7 @@ class Activitypub_explorer
private function travel_collection($url) private function travel_collection($url)
{ {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$res = json_decode($response->getBody(), true); $res = json_decode($response->getBody(), true);
if (!isset($res['orderedItems'])) { if (!isset($res['orderedItems'])) {
@ -470,7 +468,7 @@ class Activitypub_explorer
public static function get_remote_user_activity($url) public static function get_remote_user_activity($url)
{ {
$client = new HTTPClient(); $client = new HTTPClient();
$response = $client->get($url, self::$headers); $response = $client->get($url, ACTIVITYPUB_HTTP_CLIENT_HEADERS);
$res = json_decode($response->getBody(), true); $res = json_decode($response->getBody(), true);
if (Activitypub_explorer::validate_remote_response($res)) { if (Activitypub_explorer::validate_remote_response($res)) {
common_debug('ActivityPub Explorer: Found a valid remote actor for ' . $url); common_debug('ActivityPub Explorer: Found a valid remote actor for ' . $url);

20
plugins/ActivityPub/lib/inbox_handler.php
View File

@ -54,7 +54,9 @@ class Activitypub_inbox_handler
$this->object = $activity['object']; $this->object = $activity['object'];
// Validate Activity // Validate Activity
$this->validate_activity(); if (!$this->validate_activity()) {
return; // Just ignore
}
// Get Actor's Profile // Get Actor's Profile
if (!is_null($actor_profile)) { if (!is_null($actor_profile)) {
@ -70,10 +72,11 @@ class Activitypub_inbox_handler
/** /**
* Validates if a given Activity is valid. Throws exception if not. * Validates if a given Activity is valid. Throws exception if not.
* *
* @throws Exception * @throws Exception if invalid
* @return bool true if valid and acceptable, false if unsupported
* @author Diogo Cordeiro <diogo@fc.up.pt> * @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
private function validate_activity() private function validate_activity(): bool
{ {
// Activity validation // Activity validation
// Validate data // Validate data
@ -88,15 +91,16 @@ class Activitypub_inbox_handler
} }
// Object validation // Object validation
$valid = true;
switch ($this->activity['type']) { switch ($this->activity['type']) {
case 'Accept': case 'Accept':
Activitypub_accept::validate_object($this->object); $valid &= Activitypub_accept::validate_object($this->object);
break; break;
case 'Create': case 'Create':
Activitypub_create::validate_object($this->object); $valid &= Activitypub_create::validate_object($this->object);
break; break;
case 'Delete': case 'Delete':
Activitypub_delete::validate_object($this->object); $valid &= Activitypub_delete::validate_object($this->object);
break; break;
case 'Follow': case 'Follow':
case 'Like': case 'Like':
@ -106,11 +110,13 @@ class Activitypub_inbox_handler
} }
break; break;
case 'Undo': case 'Undo':
Activitypub_undo::validate_object($this->object); $valid &= Activitypub_undo::validate_object($this->object);
break; break;
default: default:
throw new Exception('Unknown Activity Type.'); throw new Exception('Unknown Activity Type.');
} }
return $valid;
} }
/** /**

31
plugins/ActivityPub/lib/models/Activitypub_create.php
View File

@ -39,23 +39,23 @@ class Activitypub_create
/** /**
* Generates an ActivityPub representation of a Create * Generates an ActivityPub representation of a Create
* *
* @author Diogo Cordeiro <diogo@fc.up.pt>
* @param string $actor * @param string $actor
* @param array $object * @param array $object
* @param bool $directMesssage whether it is a private Create activity or not * @param bool $directMessage whether it is a private Create activity or not
* @return array pretty array to be used in a response * @return array pretty array to be used in a response
* @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function create_to_array(string $actor, array $object, bool $directMessage = false): array public static function create_to_array(string $actor, array $object, bool $directMessage = false): array
{ {
$res = [ $res = [
'@context' => 'https://www.w3.org/ns/activitystreams', '@context' => 'https://www.w3.org/ns/activitystreams',
'id' => $object['id'].'/create', 'id' => $object['id'] . '/create',
'type' => 'Create', 'type' => 'Create',
'directMessage' => $directMessage, 'directMessage' => $directMessage,
'to' => $object['to'], 'to' => $object['to'],
'cc' => $object['cc'], 'cc' => $object['cc'],
'actor' => $actor, 'actor' => $actor,
'object' => $object 'object' => $object
]; ];
return $res; return $res;
} }
@ -63,11 +63,12 @@ class Activitypub_create
/** /**
* Verifies if a given object is acceptable for a Create Activity. * Verifies if a given object is acceptable for a Create Activity.
* *
* @author Diogo Cordeiro <diogo@fc.up.pt>
* @param array $object * @param array $object
* @throws Exception * @return bool True if acceptable, false if valid but unsupported
* @throws Exception if invalid
* @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function validate_object($object) public static function validate_object($object): bool
{ {
if (!is_array($object)) { if (!is_array($object)) {
common_debug('ActivityPub Create Validator: Rejected because of invalid Object format.'); common_debug('ActivityPub Create Validator: Rejected because of invalid Object format.');
@ -84,11 +85,12 @@ class Activitypub_create
switch ($object['type']) { switch ($object['type']) {
case 'Note': case 'Note':
// Validate data // Validate data
Activitypub_notice::validate_note($object); return Activitypub_notice::validate_note($object);
break; break;
default: default:
throw new Exception('This is not a supported Object Type for Create Activity.'); throw new Exception('This is not a supported Object Type for Create Activity.');
} }
return true;
} }
/** /**
@ -100,7 +102,8 @@ class Activitypub_create
* @return bool true if note is private, false otherwise * @return bool true if note is private, false otherwise
* @author Bruno casteleiro <brunoccast@fc.up.pt> * @author Bruno casteleiro <brunoccast@fc.up.pt>
*/ */
public static function isPrivateNote(array $activity): bool { public static function isPrivateNote(array $activity): bool
{
if (isset($activity['directMessage'])) { if (isset($activity['directMessage'])) {
return $activity['directMessage']; return $activity['directMessage'];
} }

4
plugins/ActivityPub/lib/models/Activitypub_mention_tag.php
View File

@ -41,10 +41,10 @@ class Activitypub_mention_tag
* *
* @author Diogo Cordeiro <diogo@fc.up.pt> * @author Diogo Cordeiro <diogo@fc.up.pt>
* @param string $href Actor Uri * @param string $href Actor Uri
* @param array $name Mention name * @param string $name Mention name
* @return array pretty array to be used in a response * @return array pretty array to be used in a response
*/ */
public static function mention_tag_to_array_from_values($href, $name) public static function mention_tag_to_array_from_values(string $href, string $name): array
{ {
$res = [ $res = [
'@context' => 'https://www.w3.org/ns/activitystreams', '@context' => 'https://www.w3.org/ns/activitystreams',

81
plugins/ActivityPub/lib/models/Activitypub_notice.php
View File

@ -44,6 +44,7 @@ class Activitypub_notice
* @throws EmptyPkeyValueException * @throws EmptyPkeyValueException
* @throws InvalidUrlException * @throws InvalidUrlException
* @throws ServerException * @throws ServerException
* @throws Exception
* @author Diogo Cordeiro <diogo@fc.up.pt> * @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function notice_to_array($notice) public static function notice_to_array($notice)
@ -74,24 +75,24 @@ class Activitypub_notice
} }
foreach ($notice->getAttentionProfiles() as $to_profile) { foreach ($notice->getAttentionProfiles() as $to_profile) {
$to[] = $href = $to_profile->getUri(); $to[] = $href = $to_profile->getUri();
$tags[] = Activitypub_mention_tag::mention_tag_to_array_from_values($href, $to_profile->getNickname().'@'.parse_url($href, PHP_URL_HOST)); $tags[] = Activitypub_mention_tag::mention_tag_to_array_from_values($href, $to_profile->getNickname() . '@' . parse_url($href, PHP_URL_HOST));
} }
$item = [ $item = [
'@context' => 'https://www.w3.org/ns/activitystreams', '@context' => 'https://www.w3.org/ns/activitystreams',
'id' => self::getUrl($notice), 'id' => self::getUrl($notice),
'type' => 'Note', 'type' => 'Note',
'published' => str_replace(' ', 'T', $notice->getCreated()).'Z', 'published' => str_replace(' ', 'T', $notice->getCreated()) . 'Z',
'url' => self::getUrl($notice), 'url' => self::getUrl($notice),
'attributedTo' => ActivityPubPlugin::actor_uri($profile), 'attributedTo' => ActivityPubPlugin::actor_uri($profile),
'to' => $to, 'to' => $to,
'cc' => $cc, 'cc' => $cc,
'conversation' => $notice->getConversationUrl(), 'conversation' => $notice->getConversationUrl(),
'content' => $notice->getRendered(), 'content' => $notice->getRendered(),
'isLocal' => $notice->isLocal(), 'isLocal' => $notice->isLocal(),
'attachment' => $attachments, 'attachment' => $attachments,
'tag' => $tags 'tag' => $tags
]; ];
// Is this a reply? // Is this a reply?
@ -102,7 +103,7 @@ class Activitypub_notice
// Do we have a location for this notice? // Do we have a location for this notice?
try { try {
$location = Notice_location::locFromStored($notice); $location = Notice_location::locFromStored($notice);
$item['latitude'] = $location->lat; $item['latitude'] = $location->lat;
$item['longitude'] = $location->lon; $item['longitude'] = $location->lon;
} catch (Exception $e) { } catch (Exception $e) {
// Apparently no. // Apparently no.
@ -115,17 +116,17 @@ class Activitypub_notice
* Create a Notice via ActivityPub Note Object. * Create a Notice via ActivityPub Note Object.
* Returns created Notice. * Returns created Notice.
* *
* @author Diogo Cordeiro <diogo@fc.up.pt>
* @param array $object * @param array $object
* @param Profile $actor_profile * @param Profile $actor_profile
* @param bool $directMessage * @param bool $directMessage
* @return Notice * @return Notice
* @throws Exception * @throws Exception
* @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice
{ {
$id = $object['id']; // int $id = $object['id']; // int
$url = isset($object['url']) ? $object['url'] : $id; // string $url = isset($object['url']) ? $object['url'] : $id; // string
$content = $object['content']; // string $content = $object['content']; // string
// possible keys: ['inReplyTo', 'latitude', 'longitude'] // possible keys: ['inReplyTo', 'latitude', 'longitude']
@ -134,7 +135,7 @@ class Activitypub_notice
$settings['inReplyTo'] = $object['inReplyTo']; $settings['inReplyTo'] = $object['inReplyTo'];
} }
if (isset($object['latitude'])) { if (isset($object['latitude'])) {
$settings['latitude'] = $object['latitude']; $settings['latitude'] = $object['latitude'];
} }
if (isset($object['longitude'])) { if (isset($object['longitude'])) {
$settings['longitude'] = $object['longitude']; $settings['longitude'] = $object['longitude'];
@ -156,10 +157,10 @@ class Activitypub_notice
$act->time = time(); $act->time = time();
$act->actor = $actor_profile->asActivityObject(); $act->actor = $actor_profile->asActivityObject();
$act->context = new ActivityContext(); $act->context = new ActivityContext();
$options = ['source' => 'ActivityPub', $options = ['source' => 'ActivityPub',
'uri' => $id, 'uri' => $id,
'url' => $url, 'url' => $url,
'is_local' => self::getNotePolicyType($object, $actor_profile)]; 'is_local' => self::getNotePolicyType($object, $actor_profile)];
if ($directMessage) { if ($directMessage) {
$options['scope'] = Notice::MESSAGE_SCOPE; $options['scope'] = Notice::MESSAGE_SCOPE;
@ -169,7 +170,7 @@ class Activitypub_notice
if (isset($settings['inReplyTo'])) { if (isset($settings['inReplyTo'])) {
try { try {
$inReplyTo = ActivityPubPlugin::grab_notice_from_url($settings['inReplyTo']); $inReplyTo = ActivityPubPlugin::grab_notice_from_url($settings['inReplyTo']);
$act->context->replyToID = $inReplyTo->getUri(); $act->context->replyToID = $inReplyTo->getUri();
$act->context->replyToUrl = $inReplyTo->getUrl(); $act->context->replyToUrl = $inReplyTo->getUrl();
} catch (Exception $e) { } catch (Exception $e) {
// It failed to grab, maybe we got this note from another source // It failed to grab, maybe we got this note from another source
@ -234,8 +235,8 @@ class Activitypub_notice
* Validates a note. * Validates a note.
* *
* @param array $object * @param array $object
* @return bool * @return bool false if unacceptable for GS but valid ActivityPub object
* @throws Exception * @throws Exception if invalid ActivityPub object
* @author Diogo Cordeiro <diogo@fc.up.pt> * @author Diogo Cordeiro <diogo@fc.up.pt>
*/ */
public static function validate_note($object) public static function validate_note($object)
@ -251,10 +252,6 @@ class Activitypub_notice
common_debug('ActivityPub Notice Validator: Rejected because of Type.'); common_debug('ActivityPub Notice Validator: Rejected because of Type.');
throw new Exception('Invalid Object type.'); throw new Exception('Invalid Object type.');
} }
if (!isset($object['content'])) {
common_debug('ActivityPub Notice Validator: Rejected because Content was not specified (GNU social requires content in notes).');
throw new Exception('Object content was not specified.');
}
if (isset($object['url']) && !filter_var($object['url'], FILTER_VALIDATE_URL)) { if (isset($object['url']) && !filter_var($object['url'], FILTER_VALIDATE_URL)) {
common_debug('ActivityPub Notice Validator: Rejected because Object URL is invalid.'); common_debug('ActivityPub Notice Validator: Rejected because Object URL is invalid.');
throw new Exception('Invalid Object URL.'); throw new Exception('Invalid Object URL.');
@ -263,6 +260,10 @@ class Activitypub_notice
common_debug('ActivityPub Notice Validator: Rejected because either Object CC or TO wasn\'t specified.'); common_debug('ActivityPub Notice Validator: Rejected because either Object CC or TO wasn\'t specified.');
throw new Exception('Either Object CC or TO wasn\'t specified.'); throw new Exception('Either Object CC or TO wasn\'t specified.');
} }
if (!isset($object['content'])) {
common_debug('ActivityPub Notice Validator: Rejected because Content was not specified (GNU social requires content in notes).');
return false;
}
return true; return true;
} }
@ -271,14 +272,17 @@ class Activitypub_notice
* *
* @param Notice $notice notice from which to retrieve the URL * @param Notice $notice notice from which to retrieve the URL
* @return string URL * @return string URL
* @throws InvalidUrlException
* @throws Exception
* @author Bruno Casteleiro <brunoccast@fc.up.pt> * @author Bruno Casteleiro <brunoccast@fc.up.pt>
*/ */
public static function getUrl(Notice $notice): string { public static function getUrl(Notice $notice): string
if ($notice->isLocal()) { {
return common_local_url('apNotice', ['id' => $notice->getID()]); if ($notice->isLocal()) {
} else { return common_local_url('apNotice', ['id' => $notice->getID()]);
return $notice->getUrl(); } else {
} return $notice->getUrl();
}
} }
/** /**
@ -289,7 +293,8 @@ class Activitypub_notice
* @return int Notice policy type * @return int Notice policy type
* @author Bruno Casteleiro <brunoccast@fc.up.pt> * @author Bruno Casteleiro <brunoccast@fc.up.pt>
*/ */
public static function getNotePolicyType(array $note, Profile $actor_profile): int { public static function getNotePolicyType(array $note, Profile $actor_profile): int
{
if (in_array('https://www.w3.org/ns/activitystreams#Public', $note['to'])) { if (in_array('https://www.w3.org/ns/activitystreams#Public', $note['to'])) {
return $actor_profile->isLocal() ? Notice::LOCAL_PUBLIC : Notice::REMOTE; return $actor_profile->isLocal() ? Notice::LOCAL_PUBLIC : Notice::REMOTE;
} else { } else {