Check that nodeinfo request comes from a real website

daemon.py

@@ -365,6 +365,7 @@ from fitnessFunctions import fitness_performance
 from fitnessFunctions import fitness_thread
 from fitnessFunctions import sorted_watch_points
 from fitnessFunctions import html_watch_points_graph
+from siteactive import site_is_active
 import os
 
 
@@ -1131,12 +1132,26 @@ class PubServer(BaseHTTPRequestHandler):
                                   project_version, custom_emoji,
                                   show_node_info_accounts)
 
-    def _nodeinfo(self, ua_str: str, calling_domain: str) -> bool:
+    def _nodeinfo(self, ua_str: str, calling_domain: str,
+                  httpPrefix: str, calling_site_timeout: int,
+                  debug: bool) -> bool:
         if not self.path.startswith('/nodeinfo/2.0'):
             return False
         if calling_domain == self.server.domain_full:
             self._404()
             return True
+        if self.server.nodeinfo_is_active:
+            print('nodeinfo is busy')
+            self._404()
+            return True
+        self.server.nodeinfo_is_active = True
+        # is this a real website making the call ?
+        if not debug:
+            if not site_is_active(httpPrefix + '://' + calling_domain,
+                                  calling_site_timeout):
+                self._404()
+                self.server.nodeinfo_is_active = False
+                return True
         if self.server.debug:
             print('DEBUG: nodeinfo ' + self.path)
         self._update_known_crawlers(ua_str)
@@ -1179,8 +1194,10 @@ class PubServer(BaseHTTPRequestHandler):
                                   None, calling_domain, True)
             self._write(msg)
             print('nodeinfo sent to ' + calling_domain)
+            self.server.nodeinfo_is_active = False
             return True
         self._404()
+        self.server.nodeinfo_is_active = False
         return True
 
     def _webfinger(self, calling_domain: str) -> bool:
@@ -13510,7 +13527,8 @@ class PubServer(BaseHTTPRequestHandler):
         # Since fediverse crawlers are quite active,
         # make returning info to them high priority
         # get nodeinfo endpoint
-        if self._nodeinfo(ua_str, calling_domain):
+        if self._nodeinfo(ua_str, calling_domain,
+                          self.server.http_prefix, 5, self.server.debug):
             return
 
         fitness_performance(getreq_start_time, self.server.fitness,
@@ -18813,6 +18831,8 @@ def run_daemon(dyslexic_font: bool,
 
     httpd.post_to_nickname = None
 
+    httpd.nodeinfo_is_active = False
+
     httpd.dyslexic_font = dyslexic_font
 
     # license for content of the instance

posts.py

@@ -2427,7 +2427,8 @@ def send_post(signing_priv_key_pem: str, project_version: str,
             generate_json_signature(signed_post_json_object, private_key_pem)
             post_json_object = signed_post_json_object
         except Exception as ex:
-            print('WARN: failed to JSON-LD sign post, ' + str(ex))
+            print('WARN: send_post failed to JSON-LD sign post, ' + str(ex))
+            pprint(signed_post_json_object)
 
     # convert json to string so that there are no
     # subsequent conversions after creating message body digest
@@ -2806,7 +2807,9 @@ def send_signed_json(post_json_object: {}, session, base_dir: str,
             generate_json_signature(signed_post_json_object, private_key_pem)
             post_json_object = signed_post_json_object
         except BaseException as ex:
-            print('WARN: failed to JSON-LD sign post, ' + str(ex))
+            print('WARN: send_signed_json failed to JSON-LD sign post, ' +
+                  str(ex))
+            pprint(signed_post_json_object)
 
     # convert json to string so that there are no
     # subsequent conversions after creating message body digest