Fix: フレンドサーバー申請時、ドメインを偽装して無関係のInboxを指定できる脆弱性 (#932)

2024-12-04 12:03:18 +09:00 · 2024-12-04 12:03:18 +09:00 · 43819a8c02
commit 43819a8c02
parent 4a3c2d7ed7
4 changed files with 20 additions and 19 deletions
--- a/app/lib/activitypub/activity/follow.rb
+++ b/app/lib/activitypub/activity/follow.rb
@ -60,19 +60,13 @@ class ActivityPub::Activity::Follow < ActivityPub::Activity
      already_accepted = friend.accepted?
      friend.update!(passive_state: :pending, active_state: :idle, passive_follow_activity_id: @json['id'])
    else
-      @friend = FriendDomain.new(domain: @account.domain, passive_state: :pending, passive_follow_activity_id: @json['id'])
-      @friend.inbox_url = @json['inboxUrl'].presence || @friend.default_inbox_url
-      @friend.save!
+      @friend = FriendDomain.create!(domain: @account.domain, passive_state: :pending, passive_follow_activity_id: @json['id'], inbox_url: @account.preferred_inbox_url)
    end

-    if already_accepted || Setting.unlocked_friend
-      friend.accept!
+    friend.accept! if already_accepted || Setting.unlocked_friend

-      # Notify for admin even if unlocked
-      notify_staff_about_pending_friend_server! unless already_accepted
-    else
-      notify_staff_about_pending_friend_server!
-    end
+    # Notify for admin
+    notify_staff_about_pending_friend_server! unless already_accepted
  end

  def friend