Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-02-19 04:57:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: cross-check remove(context) target prop against cid

Browse Source
This commit is contained in:
Julian Lam
2025-10-23 12:02:59 -04:00
parent e3c55f76c1
commit 194cedb4d7
1 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/activitypub/inbox.js
View File

@@ -80,7 +80,7 @@ inbox.add = async (req) => {
}; };
inbox.remove = async (req) => { inbox.remove = async (req) => {
const { actor, object } = req.body; const { actor, object, target } = req.body;
const isContext = activitypub._constants.acceptable.contextTypes.has(object.type); const isContext = activitypub._constants.acceptable.contextTypes.has(object.type);
if (!isContext) { if (!isContext) {
@@ -88,16 +88,17 @@ inbox.remove = async (req) => {
} }
const mainPid = await activitypub.contexts.getItems(0, object.id, { returnRootId: true }); const mainPid = await activitypub.contexts.getItems(0, object.id, { returnRootId: true });
const fromCid = target || object.audience;
const exists = await posts.exists(mainPid); const exists = await posts.exists(mainPid);
if (!exists) { if (!exists || !fromCid) {
return; // post not cached; do nothing. return; // post not cached; do nothing.
} }
// Ensure that cid is same-origin as the actor // Ensure that cid is same-origin as the actor
const tid = await posts.getPostField(mainPid, 'tid'); const tid = await posts.getPostField(mainPid, 'tid');
const cid = await topics.getTopicField(tid, 'cid'); const cid = await topics.getTopicField(tid, 'cid');
if (utils.isNumber(cid)) { if (utils.isNumber(cid) || cid !== fromCid) {
// remote removal of topic in local cid; what?? // remote removal of topic in local cid, or resolved cid does not match
return; return;
} }
const actorHostname = new URL(actor).hostname; const actorHostname = new URL(actor).hostname;