[ActivityPub] Fix handling of Delete Activity

inbox_handler: - Call stronger validation method for Delete Activity objects - Take into account mixed object in handle_delete Activitypub_delete: - Add validation method for Delete Activity objects
2019-08-08 17:21:56 +01:00 · 2019-08-08 17:21:56 +01:00 · b4b5d3e009
commit b4b5d3e009
parent 489cab0f87
2 changed files with 40 additions and 5 deletions
--- a/plugins/ActivityPub/classes/Activitypub_delete.php
+++ b/plugins/ActivityPub/classes/Activitypub_delete.php
@ -39,12 +39,12 @@ class Activitypub_delete extends Managed_DataObject
    /**
     * Generates an ActivityPub representation of a Delete
     *
-     * @param $actor
-     * @param array $object
+     * @param string $actor actor URI
+     * @param string $object object URI
     * @return array pretty array to be used in a response
     * @author Diogo Cordeiro <diogo@fc.up.pt>
     */
-    public static function delete_to_array($actor, $object)
+    public static function delete_to_array(string $actor, string $object): array
    {
        $res = [
            '@context' => 'https://www.w3.org/ns/activitystreams',
@ -55,4 +55,33 @@ class Activitypub_delete extends Managed_DataObject
        ];
        return $res;
    }
+
+    /**
+     * Verifies if a given object is acceptable for a Delete Activity.
+     *
+     * @param array|string $object
+     * @return bool
+     * @throws Exception
+     * @author Bruno Casteleiro <brunoccast@fc.up.pt>
+     */
+    public static function validate_object($object): bool
+    {
+        if (!is_array($object)) {
+            if (!filter_var($object, FILTER_VALIDATE_URL)) {
+                throw new Exception('Object is not a valid Object URI for Activity.');
+            }
+        } else {
+            if (!isset($object['type'])) {
+                throw new Exception('Object type was not specified for Delete Activity.');
+            } else if ($object['type'] !== "Tombstone") {
+                throw new Exception('Invalid Object type for Delete Activity.');
+            }
+
+            if (!isset($object['id'])) {
+                throw new Exception('Object id was not specified for Delete Activity.');
+            }
+        }
+
+        return true;
+    }
 }
--- a/plugins/ActivityPub/lib/inbox_handler.php
+++ b/plugins/ActivityPub/lib/inbox_handler.php
@ -96,6 +96,8 @@ class Activitypub_inbox_handler
                Activitypub_create::validate_object($this->object);
                break;
            case 'Delete':
+                Activitypub_delete::validate_object($this->object);
+                break;
            case 'Follow':
            case 'Like':
            case 'Announce':
@ -207,12 +209,16 @@ class Activitypub_inbox_handler
     * Handles a Delete Activity received by our inbox.
     *
     * @param Profile $actor Actor
-     * @param array $object Activity
+     * @param array|string $object Activity's object
     * @throws AuthorizationException
     * @author Diogo Cordeiro <diogo@fc.up.pt>
     */
-    private function handle_delete($actor, $object)
+    private function handle_delete(Profile $actor, $object)
    {
+        if (is_array($object)) {
+            $object = $object['id'];
+        }
+
        // some moderator could already have deleted the
        // notice, so we test it first
        try {