From ea23f01df26f32201e96ab1554f922209a9b12c8 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Mon, 15 Feb 2021 10:06:49 +0000
Subject: [PATCH] Actor validation for arriving posts
---
 outbox.py | 18 ++++++++++++++++++
 utils.py | 8 +++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/outbox.py b/outbox.py
index 2c3fda855..11d595c6e 100644
--- a/outbox.py
+++ b/outbox.py
@@ -14,6 +14,7 @@ from posts import outboxMessageCreateWrap
 from posts import savePostToBox
 from posts import sendToFollowersThread
 from posts import sendToNamedAddresses
+from utils import getLocalNetworkAddresses
 from utils import getFullDomain
 from utils import removeIdEnding
 from utils import getDomainFromActor
@@ -114,6 +115,23 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
 'Create does not have the "to" parameter ' + str(messageJson))
 return False
+
+ # actor should be a string
+ if not isinstance(messageJson['actor'], str):
+ return False
+
+ # actor should look like a url
+ if '://' not in messageJson['actor'] or \
+ '.' not in messageJson['actor']:
+ return False
+
+ # sent by an actor on a local network address?
+ if not allowLocalNetworkAccess:
+ localNetworkPatternList = getLocalNetworkAddresses()
+ for localNetworkPattern in localNetworkPatternList:
+ if localNetworkPattern in messageJson['actor']:
+ return False
+
 testDomain, testPort = getDomainFromActor(messageJson['actor'])
 testDomain = getFullDomain(testDomain, testPort)
 if isBlockedDomain(baseDir, testDomain):
diff --git a/utils.py b/utils.py
index f1247e898..8f2348062 100644
--- a/utils.py
+++ b/utils.py
@@ -605,6 +605,12 @@ def urlPermitted(url: str, federationList: []):
 return False
+def getLocalNetworkAddresses() -> []:
+ """Returns patterns for local network address detection
+ """
+ return ('localhost', '127.0.', '192.168', '10.0.')
+
+
 def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
 """Returns true if the given content contains dangerous html markup
 """
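Review bot: The local-network test in postMessageToOutbox runs `localNetworkPattern in messageJson['actor']` over the whole actor URL, so it is a substring match on scheme, host and path together: a remote actor whose path merely contains "localhost" or "10.0." is rejected, while a host in a private range the four prefixes do not cover (10.x beyond 10.0., 172.16/12, 169.254/16, IPv6 ::1) is not recognised as local at all. The check should be made against the host component alone — the hunk already derives it two lines later with `getDomainFromActor` — and, when the host is an IP literal, decided with `ipaddress.ip_address(...).is_private`/`is_loopback` rather than string prefixes; that needs `ipaddress` and `urllib.parse.urlparse` imported at the top of outbox.py, outside this hunk. Note also that the preceding "looks like a url" check requires a "." in the actor, so an actor on a bare `localhost` host is rejected even when allowLocalNetworkAccess is true; if that is intended, a comment saying so would help. postMessageToOutbox's body continues before and after this hunk.
```python
    # sent by an actor on a local network address?
    if not allowLocalNetworkAccess:
        actorHost = urlparse(messageJson['actor']).hostname or ''
        try:
            actorAddress = ipaddress.ip_address(actorHost)
            actorIsLocal = actorAddress.is_private or actorAddress.is_loopback
        except ValueError:
            # not an IP literal: fall back to the shared name patterns
            actorIsLocal = any(pattern in actorHost
                               for pattern in getLocalNetworkAddresses())
        if actorIsLocal:
            return False

    # … unchanged: getDomainFromActor / isBlockedDomain checks …
```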
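Review bot: getLocalNetworkAddresses is annotated `-> []` but returns a tuple of substring patterns, and its docstring does not say how the entries are meant to be matched, which matters now that two callers with different inputs (HTML content in dangerousMarkup, an actor URL in postMessageToOutbox) share it. A docstring along the lines of `"""Returns substring patterns used to spot references to local network hosts (localhost, 127.0.x.x, 192.168.x.x, 10.0.x.x). Not a complete private-range list; callers match with 'in'."""` would state the contract, and `-> tuple` would match the value actually returned (the file's `: []` style annotations elsewhere make the literal-list form a convention, but it is still not a type).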
@@ -615,7 +621,7 @@ def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
 contentSections = content.split('<')
 invalidPartials = ()
 if not allowLocalNetworkAccess:
- invalidPartials = ('localhost', '127.0.', '192.168', '10.0.')
+ invalidPartials = getLocalNetworkAddresses()
 invalidStrings = ('script', 'canvas', 'style', 'abbr', 'frame', 'iframe', 'html', 'body', 'hr', 'allow-popups', 'allow-scripts')