.

2022-12-26 12:54:07 +00:00 · 2022-12-26 12:54:07 +00:00 · e2e418a842
parent 2956c8a20c b9e8f83d72
commit e2e418a842
18 changed files with 1477 additions and 1903 deletions
--- a/architecture/epicyon_groups_ActivityPub.png
+++ b/architecture/epicyon_groups_ActivityPub.png
--- a/architecture/epicyon_groups_ActivityPub_Core.png
+++ b/architecture/epicyon_groups_ActivityPub_Core.png
--- a/architecture/epicyon_groups_ActivityPub_Security.png
+++ b/architecture/epicyon_groups_ActivityPub_Security.png
--- a/architecture/epicyon_groups_Commandline-Interface_ActivityPub.png
+++ b/architecture/epicyon_groups_Commandline-Interface_ActivityPub.png
--- a/architecture/epicyon_groups_Commandline-Interface_Core.png
+++ b/architecture/epicyon_groups_Commandline-Interface_Core.png
--- a/architecture/epicyon_groups_Core.png
+++ b/architecture/epicyon_groups_Core.png
--- a/architecture/epicyon_groups_Core_Accessibility.png
+++ b/architecture/epicyon_groups_Core_Accessibility.png
--- a/architecture/epicyon_groups_Core_Security.png
+++ b/architecture/epicyon_groups_Core_Security.png
--- a/architecture/epicyon_groups_Timeline_Core.png
+++ b/architecture/epicyon_groups_Timeline_Core.png
--- a/architecture/epicyon_groups_Timeline_Security.png
+++ b/architecture/epicyon_groups_Timeline_Security.png
--- a/architecture/epicyon_groups_Web-Interface-Columns_Core.png
+++ b/architecture/epicyon_groups_Web-Interface-Columns_Core.png
--- a/architecture/epicyon_groups_Web-Interface_Accessibility.png
+++ b/architecture/epicyon_groups_Web-Interface_Accessibility.png
--- a/architecture/epicyon_groups_Web-Interface_Core.png
+++ b/architecture/epicyon_groups_Web-Interface_Core.png
--- a/inbox.py
+++ b/inbox.py
@ -18,6 +18,7 @@ from languages import understood_post_language
 from like import update_likes_collection
 from reaction import update_reaction_collection
 from reaction import valid_emoji_content
+from utils import contains_invalid_actor_url_chars
 from utils import is_quote_toot
 from utils import acct_handle_dir
 from utils import is_account_dir
@ -2756,13 +2757,16 @@ def _receive_announce(recent_posts_cache: {},
        # so that their avatar can be shown
        lookup_actor = None
        if post_json_object.get('attributedTo'):
-            if isinstance(post_json_object['attributedTo'], str):
-                lookup_actor = post_json_object['attributedTo']
+            attrib = post_json_object['attributedTo']
+            if isinstance(attrib, str):
+                if not contains_invalid_actor_url_chars(attrib):
+                    lookup_actor = attrib
        else:
            if has_object_dict(post_json_object):
                if post_json_object['object'].get('attributedTo'):
                    attrib = post_json_object['object']['attributedTo']
                    if isinstance(attrib, str):
+                        if not contains_invalid_actor_url_chars(attrib):
                            lookup_actor = attrib
        if lookup_actor:
            if has_users_path(lookup_actor):
--- a/outbox.py
+++ b/outbox.py
@ -15,6 +15,7 @@ from posts import outbox_message_create_wrap
 from posts import save_post_to_box
 from posts import send_to_followers_thread
 from posts import send_to_named_addresses_thread
+from utils import contains_invalid_actor_url_chars
 from utils import get_attachment_property_value
 from utils import get_account_timezone
 from utils import has_object_string_type
@ -321,6 +322,9 @@ def post_message_to_outbox(session, translate: {},
           '.' not in message_json['actor']:
            return False

+        if contains_invalid_actor_url_chars(message_json['actor']):
+            return False
+
        # sent by an actor on a local network address?
        if not allow_local_network_access:
            local_network_pattern_list = get_local_network_addresses()
--- a/person.py
+++ b/person.py
@ -44,6 +44,7 @@ from utils import get_attachment_property_value
 from utils import get_nickname_from_actor
 from utils import remove_html
 from utils import contains_invalid_chars
+from utils import contains_invalid_actor_url_chars
 from utils import replace_users_with_at
 from utils import remove_eol
 from utils import remove_domain_port
@ -1776,6 +1777,12 @@ def valid_sending_actor(session, base_dir: str,
    # who sent this post?
    sending_actor = post_json_object['actor']

+    if not isinstance(sending_actor, str):
+        return False
+
+    if contains_invalid_actor_url_chars(sending_actor):
+        return False
+
    # If you are following them then allow their posts
    if is_following_actor(base_dir, nickname, domain, sending_actor):
        return True
@ -1802,6 +1809,7 @@ def valid_sending_actor(session, base_dir: str,
        print('REJECT: no preferredUsername within actor ' + str(actor_json))
        return False

+    # is this a known spam actor?
    actor_spam_filter_filename = \
        acct_dir(base_dir, nickname, domain) + '/.reject_spam_actors'
    if not os.path.isfile(actor_spam_filter_filename):
--- a/sbom.json
+++ b/sbom.json
--- a/utils.py
+++ b/utils.py
@ -39,6 +39,12 @@ INVALID_CHARACTERS = (
    '卐', '卍', '࿕', '࿖', '࿗', '࿘', 'ϟϟ', '🏳️‍🌈🚫', '⚡⚡'
 )

+INVALID_ACTOR_URL_CHARACTERS = (
+    ' ', '', '<', '>', '%', '{', '}', '|', '\\', '^', '`',
+    '?', '#', '[', ']', '@', '!', '$', '&', "'", '(', ')',
+    '*', '+', ',', ';', '='
+)
+

 def _standardize_text_range(text: str,
                            range_start: int, range_end: int,
@ -971,6 +977,16 @@ def contains_invalid_chars(json_str: str) -> bool:
    return False


+def contains_invalid_actor_url_chars(url: str) -> bool:
+    """Does the given actor url contain invalid characters?
+    """
+    for is_invalid in INVALID_ACTOR_URL_CHARACTERS:
+        if is_invalid in url:
+            return True
+
+    return contains_invalid_chars(url)
+
+
 def remove_invalid_chars(text: str) -> str:
    """Removes any invalid characters from a string
    """