Additional validation prior to inbox queue

This allows AP bogons to be dropped before they hit the disk
2021-06-07 11:03:04 +01:00 · 2021-06-07 11:03:04 +01:00 · d7266136cc
parent f49509a9f1
commit d7266136cc
2 changed files with 45 additions and 1 deletions
--- a/daemon.py
+++ b/daemon.py
@ -1283,6 +1283,49 @@ class PubServer(BaseHTTPRequestHandler):
            self.server.POSTbusy = False
            return 3

+        # check that some additional fields are strings
+        stringFields = ('id', 'type', 'published')
+        for checkField in stringFields:
+            if not messageJson.get(checkField):
+                continue
+            if not isinstance(messageJson[checkField], str):
+                self._400()
+                self.server.POSTbusy = False
+                return 3
+
+        # check that to/cc fields are lists
+        listFields = ('to', 'cc')
+        for checkField in listFields:
+            if not messageJson.get(checkField):
+                continue
+            if not isinstance(messageJson[checkField], list):
+                self._400()
+                self.server.POSTbusy = False
+                return 3
+
+        if messageJson.get('object'):
+            if isinstance(messageJson['object'], dict):
+                stringFields = (
+                    'id', 'actor', 'type', 'content', 'published',
+                    'summary', 'url', 'attributedTo'
+                )
+                for checkField in stringFields:
+                    if not messageJson['object'].get(checkField):
+                        continue
+                    if not isinstance(messageJson['object'][checkField], str):
+                        self._400()
+                        self.server.POSTbusy = False
+                        return 3
+                # check that some fields are lists
+                listFields = ('to', 'cc', 'attachment')
+                for checkField in listFields:
+                    if not messageJson['object'].get(checkField):
+                        continue
+                    if not isinstance(messageJson['object'][checkField], list):
+                        self._400()
+                        self.server.POSTbusy = False
+                        return 3
+
        # actor should look like a url
        if '://' not in messageJson['actor'] or \
           '.' not in messageJson['actor']:
@ -1345,6 +1388,7 @@ class PubServer(BaseHTTPRequestHandler):

        originalMessageJson = messageJson.copy()

+        # whether to add a 'to' field to the message
        addToFieldTypes = ('Follow', 'Like', 'Add', 'Remove', 'Ignore')
        for addToType in addToFieldTypes:
            messageJson, toFieldExists = \
--- a/skills.py
+++ b/skills.py
@ -95,7 +95,7 @@ def setActorSkillLevel(actorJson: {},
        ]
    ocSkillsList = getOccupationSkills(actorJson)
    skillsDict = getSkillsFromList(ocSkillsList)
-    if not skillsDict.get(skill):        
+    if not skillsDict.get(skill):
        if len(skillsDict.items()) >= 32:
            print('WARN: Maximum number of skills reached for ' +
                  actorJson['id'])