Refactor transmogrifier Delete to avoid spoofed Delete being accepted

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2021-11-14 16:26:51 +01:00
parent 2e869c1ade
commit df2c184bc0
No known key found for this signature in database
GPG key ID: A061B9DDE0CA0773
2 changed files with 20 additions and 33 deletions

View file

@ -101,7 +101,8 @@ defmodule Mobilizon.Federation.ActivityPub.Permission do
false false
end end
else else
true # Object is not owned by a group
false
end end
end end

View file

@ -602,42 +602,28 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier do
) do ) do
Logger.info("Handle incoming to delete an object") Logger.info("Handle incoming to delete an object")
with actor_url <- Utils.get_actor(data), actor_url = Utils.get_actor(data)
{:actor, {:ok, %Actor{} = actor}} <- object_id = Utils.get_url(object)
{:actor, ActivityPubActor.get_or_fetch_actor_by_url(actor_url)},
object_id <- Utils.get_url(object),
{:ok, object} <- is_group_object_gone(object_id),
{:origin_check, true} <-
{:origin_check,
Utils.origin_check_from_id?(actor_url, object_id) ||
Permission.can_delete_group_object?(actor, object)},
{:ok, activity, object} <- Actions.Delete.delete(object, actor, false) do
{:ok, activity, object}
else
{:origin_check, false} ->
Logger.warn("Object origin check failed")
:error
{:actor, {:error, _err}} -> case ActivityPubActor.get_or_fetch_actor_by_url(actor_url) do
{:error, _err} ->
{:error, :unknown_actor} {:error, :unknown_actor}
{:error, e} -> {:ok, %Actor{} = actor} ->
Logger.debug(inspect(e)) case is_group_object_gone(object_id) do
{:ok, object} ->
# Sentry.capture_message("Error while handling a Delete activity", if Utils.origin_check_from_id?(actor_url, object_id) ||
# extra: %{data: data} Permission.can_delete_group_object?(actor, object) do
# ) Actions.Delete.delete(object, actor, false)
else
Logger.warn("Object origin check failed")
:error :error
end
e -> {:error, err} ->
Logger.error(inspect(e)) Logger.debug(inspect(err))
{:error, err}
# Sentry.capture_message("Error while handling a Delete activity", end
# extra: %{data: data}
# )
:error
end end
end end