Fix: フレンドサーバー申請時、ドメインを偽装して無関係のInboxを指定できる脆弱性 (#933)

app/lib/activitypub/activity/follow.rb

@@ -60,19 +60,13 @@ class ActivityPub::Activity::Follow < ActivityPub::Activity
       already_accepted = friend.accepted?
       friend.update!(passive_state: :pending, active_state: :idle, passive_follow_activity_id: @json['id'])
     else
-      @friend = FriendDomain.new(domain: @account.domain, passive_state: :pending, passive_follow_activity_id: @json['id'])
-      @friend.inbox_url = @json['inboxUrl'].presence || @friend.default_inbox_url
-      @friend.save!
+      @friend = FriendDomain.create!(domain: @account.domain, passive_state: :pending, passive_follow_activity_id: @json['id'], inbox_url: @account.preferred_inbox_url)
     end
 
-    if already_accepted || Setting.unlocked_friend
-      friend.accept!
+    friend.accept! if already_accepted || Setting.unlocked_friend
 
-      # Notify for admin even if unlocked
-      notify_staff_about_pending_friend_server! unless already_accepted
-    else
-      notify_staff_about_pending_friend_server!
-    end
+    # Notify for admin
+    notify_staff_about_pending_friend_server! unless already_accepted
   end
 
   def friend

app/models/friend_domain.rb

@@ -116,6 +116,7 @@ class FriendDomain < ApplicationRecord
       object: ActivityPub::TagManager::COLLECTIONS[:public],
 
       # Cannot use inbox_url method because this model also has inbox_url column
+      # This is deprecated property. Newer version's kmyblue will ignore it.
       inboxUrl: "https://#{Rails.configuration.x.web_domain}/inbox",
     }
   end