Merge branch 'master' into develop

2026-02-15 02:57:51 +01:00 · 2025-05-25 19:04:33 -04:00
parent aeeda7c3be fd2ae7261e
commit e16420a4eb
3 changed files with 26 additions and 4 deletions
--- a/install/package.json
+++ b/install/package.json
@@ -98,7 +98,7 @@
        "nconf": "0.13.0",
        "nodebb-plugin-2factor": "7.5.10",
        "nodebb-plugin-composer-default": "10.2.50",
-        "nodebb-plugin-dbsearch": "6.2.18",
+        "nodebb-plugin-dbsearch": "6.2.19",
        "nodebb-plugin-emoji": "6.0.2",
        "nodebb-plugin-emoji-android": "4.1.1",
        "nodebb-plugin-markdown": "13.2.1",
@@ -161,8 +161,8 @@
        "@commitlint/config-angular": "19.8.1",
        "coveralls": "3.1.1",
        "@eslint/js": "9.27.0",
-        "@stylistic/eslint-plugin-js": "4.2.0",
-        "eslint-config-nodebb": "1.1.4",
+        "@stylistic/eslint-plugin-js": "4.4.0",
+        "eslint-config-nodebb": "1.1.5",
        "eslint-plugin-import": "2.31.0",
        "grunt": "1.6.1",
        "grunt-contrib-watch": "1.1.0",
--- a/src/activitypub/index.js
+++ b/src/activitypub/index.js
@@ -27,6 +27,9 @@ const probeCache = ttl({
 	max: 500,
 	ttl: 1000 * 60 * 60, // 1 hour
 });
+const probeRateLimit = ttl({
+	ttl: 1000 * 3, // 3 seconds
+});

 const ActivityPub = module.exports;

@@ -506,6 +509,13 @@ ActivityPub.probe = async ({ uid, url }) => {
 	 *   - Returns a relative path if already available, true if not, and false otherwise.
 	 */

+	// Disable on config setting; restrict lookups to HTTPS-enabled URLs only
+	const { activitypubProbe } = meta.config;
+	const { protocol } = new URL(url);
+	if (!activitypubProbe || protocol !== 'https:') {
+		return false;
+	}
+
 	// Known resources
 	const [isNote, isMessage, isActor, isActorUrl] = await Promise.all([
 		posts.exists(url),
@@ -541,6 +551,17 @@ ActivityPub.probe = async ({ uid, url }) => {
 		}
 	}

+	// Guests not allowed to use expensive logic path
+	if (!uid) {
+		return false;
+	}
+
+	// One request allowed every 3 seconds (configured at top)
+	const limited = probeRateLimit.get(uid);
+	if (limited) {
+		return false;
+	}
+
 	// Cached result
 	if (probeCache.has(url)) {
 		return probeCache.get(url);
@@ -572,6 +593,7 @@ ActivityPub.probe = async ({ uid, url }) => {
 		return false;
 	}
 	try {
+		probeRateLimit.set(uid, true);
 		return await checkHeader(meta.config.activitypubProbeTimeout || 2000);
 	} catch (e) {
 		if (e.name === 'TimeoutError') {
--- a/src/controllers/activitypub/index.js
+++ b/src/controllers/activitypub/index.js
@@ -31,7 +31,7 @@ Controller.fetch = async (req, res, next) => {
 		if (typeof result === 'string') {
 			return helpers.redirect(res, result);
 		} else if (result) {
-			const { id, type } = await activitypub.get('uid', req.uid || 0, url.href);
+			const { id, type } = await activitypub.get('uid', req.uid, url.href);
 			switch (true) {
 				case activitypub._constants.acceptedPostTypes.includes(type): {
 					return helpers.redirect(res, `/post/${encodeURIComponent(id)}`);