Merge branch 'tusooa/3331-fix-incoming-block' into 'develop'

Fix incoming Blocks being rejected Closes #3331 See merge request pleroma/pleroma!4282
2024-10-11 20:22:21 +00:00 · 2024-10-11 20:22:21 +00:00 · dd7f699d4a
commit dd7f699d4a
parent 3f3f8bc57a f758b6e37c
4 changed files with 39 additions and 0 deletions
--- a/changelog.d/incoming-blocks.fix
+++ b/changelog.d/incoming-blocks.fix
@ -0,0 +1 @@
+Fix incoming Block activities being rejected
--- a/lib/pleroma/constants.ex
+++ b/lib/pleroma/constants.ex
@ -87,6 +87,7 @@ defmodule Pleroma.Constants do

  const(activity_types,
    do: [
+      "Block",
      "Create",
      "Update",
      "Delete",
@ -115,6 +116,10 @@ defmodule Pleroma.Constants do
    ]
  )

+  const(object_types,
+    do: ~w[Event Question Answer Audio Video Image Article Note Page ChatMessage]
+  )
+
  # basic regex, just there to weed out potential mistakes
  # https://datatracker.ietf.org/doc/html/rfc2045#section-5.1
  const(mime_regex,
--- a/lib/pleroma/web/activity_pub/object_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validator.ex
@ -11,6 +11,8 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidator do

  @behaviour Pleroma.Web.ActivityPub.ObjectValidator.Validating

+  import Pleroma.Constants, only: [activity_types: 0, object_types: 0]
+
  alias Pleroma.Activity
  alias Pleroma.EctoType.ActivityPub.ObjectValidators
  alias Pleroma.Object
@ -38,6 +40,16 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidator do
  @impl true
  def validate(object, meta)

+  # This overload works together with the InboxGuardPlug
+  # and ensures that we are not accepting any activity type
+  # that cannot pass InboxGuardPlug.
+  # If we want to support any more activity types, make sure to
+  # add it in Pleroma.Constants's activity_types or object_types,
+  # and, if applicable, allowed_activity_types_from_strangers.
+  def validate(%{"type" => type}, _meta)
+      when type not in activity_types() and type not in object_types(),
+      do: {:error, :not_allowed_object_type}
+
  def validate(%{"type" => "Block"} = block_activity, meta) do
    with {:ok, block_activity} <-
           block_activity
--- a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
@ -1320,6 +1320,27 @@ test "forwarded report from mastodon", %{conn: conn} do
        html_body: ~r/#{note.data["object"]}/i
      )
    end
+
+    test "it accepts an incoming Block", %{conn: conn, data: data} do
+      user = insert(:user)
+
+      data =
+        data
+        |> Map.put("type", "Block")
+        |> Map.put("to", [user.ap_id])
+        |> Map.put("cc", [])
+        |> Map.put("object", user.ap_id)
+
+      conn =
+        conn
+        |> assign(:valid_signature, true)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/inbox", data)
+
+      assert "ok" == json_response(conn, 200)
+      ObanHelpers.perform(all_enqueued(worker: ReceiverWorker))
+      assert Activity.get_by_ap_id(data["id"])
+    end
  end

  describe "GET /users/:nickname/outbox" do
				`@ -0,0 +1 @@`
				`Fix incoming Block activities being rejected`