From f7dddc74087412c8af4d792dcd3535ca8f7caf08 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Tue, 26 Oct 2021 17:06:22 +0100
Subject: [PATCH] Check for invalid local links in incoming posts

---
 content.py | 22 ++++++++++++++++++++++
 daemon.py  |  6 ++++++
 2 files changed, 28 insertions(+)

diff --git a/content.py b/content.py
index f824cc053..d6ad2b96e 100644
--- a/content.py
+++ b/content.py
@@ -1184,3 +1184,25 @@ def wordsSimilarity(content1: str, content2: str, minWords: int) -> int:
         else:
             diff += abs(histogram2[combinedWords] - histogram1[combinedWords])
     return 100 - int(diff * 100 / len(histogram1.items()))
+
+
+def containsInvalidLocalLinks(content: str) -> bool:
+    """Returns true if the given content has invalid links
+    """
+    invalidStrings = (
+        'mute', 'unmute', 'editeventpost', 'notifypost',
+        'delete', 'options', 'page', 'repeat',
+        'bm', 'tl', 'actor', 'unrepeat',
+        'unannounce', 'like', 'unlike', 'bookmark',
+        'unbookmark', 'likedBy', 'id', 'time',
+        'year', 'month', 'day', 'editnewpost',
+        'graph', 'showshare', 'category', 'showwanted',
+        'rmshare', 'rmwanted', 'repeatprivate',
+        'unrepeatprivate', 'replyto',
+        'replyfollowers', 'replydm', 'editblogpost',
+        'handle', 'blockdomain'
+    )
+    for invStr in invalidStrings:
+        if '/?' + invStr + '=' in content:
+            return True
+    return False
diff --git a/daemon.py b/daemon.py
index fcfb9172a..e95d82273 100644
--- a/daemon.py
+++ b/daemon.py
@@ -299,6 +299,7 @@ from utils import hasGroupType
 from manualapprove import manualDenyFollowRequestThread
 from manualapprove import manualApproveFollowRequestThread
 from announce import createAnnounce
+from content import containsInvalidLocalLinks
 from content import getPriceFromString
 from content import replaceEmojiFromTags
 from content import addHtmlTags
@@ -1489,6 +1490,11 @@ class PubServer(BaseHTTPRequestHandler):
         # save the json for later queue processing
         messageBytesDecoded = messageBytes.decode('utf-8')
 
+        if containsInvalidLocalLinks(messageBytesDecoded):
+            print('WARN: post contains invalid local links ' +
+                  str(originalMessageJson))
+            return 4
+
         self.server.blockedCacheLastUpdated = \
             updateBlockedCache(self.server.baseDir,
                                self.server.blockedCache,