Make sure remote Update activities can't affect local actors other than

Groups Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-04-20 11:33:13 +02:00
parent 4b869a6015
commit 00f4c0b02c
5 changed files with 54 additions and 18 deletions
--- a/lib/federation/activity_pub/actions/update.ex
+++ b/lib/federation/activity_pub/actions/update.ex
@@ -28,7 +28,7 @@ defmodule Mobilizon.Federation.ActivityPub.Actions.Update do
    Logger.debug("updating an activity")
    Logger.debug(inspect(args))

-    case Managable.update(old_entity, args, additional) do
+    case Managable.update(old_entity, args, Map.put(additional, :local, local)) do
      {:ok, entity, update_data} ->
        {:ok, activity} = create_activity(update_data, local)
        maybe_federate(activity)
--- a/lib/federation/activity_pub/transmogrifier.ex
+++ b/lib/federation/activity_pub/transmogrifier.ex
@@ -407,6 +407,13 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier do
           Actions.Update.update(old_actor, object_data, false, %{updater_actor: author}) do
      {:ok, activity, new_actor}
    else
+      {:error, :update_not_allowed} ->
+        Logger.warn("Activity tried to update an actor that's local or not a group",
+          activity: params
+        )
+
+        :error
+
      e ->
        Sentry.capture_message("Error while handling an Update activity",
          extra: %{params: params}
--- a/lib/federation/activity_pub/types/actors.ex
+++ b/lib/federation/activity_pub/types/actors.ex
@@ -45,25 +45,30 @@ defmodule Mobilizon.Federation.ActivityPub.Types.Actors do
  def update(%Actor{} = old_actor, args, additional) do
    updater_actor = Map.get(args, :updater_actor) || Map.get(additional, :updater_actor)

-    case Actors.update_actor(old_actor, args) do
-      {:ok, %Actor{} = new_actor} ->
-        GroupActivity.insert_activity(new_actor,
-          subject: "group_updated",
-          old_group: old_actor,
-          updater_actor: updater_actor
-        )
+    if Map.get(additional, :local, false) == true or not match?(%Actor{domain: nil}, old_actor) or
+         match?(%Actor{type: :Group}, old_actor) do
+      case Actors.update_actor(old_actor, args) do
+        {:ok, %Actor{} = new_actor} ->
+          GroupActivity.insert_activity(new_actor,
+            subject: "group_updated",
+            old_group: old_actor,
+            updater_actor: updater_actor
+          )

-        actor_as_data = Convertible.model_to_as(new_actor)
-        Cachex.del(:activity_pub, "actor_#{new_actor.preferred_username}")
-        audience = Audience.get_audience(new_actor)
+          actor_as_data = Convertible.model_to_as(new_actor)
+          Cachex.del(:activity_pub, "actor_#{new_actor.preferred_username}")
+          audience = Audience.get_audience(new_actor)

-        additional = Map.merge(additional, %{"actor" => (updater_actor || old_actor).url})
+          additional = Map.merge(additional, %{"actor" => (updater_actor || old_actor).url})

-        update_data = make_update_data(actor_as_data, Map.merge(audience, additional))
-        {:ok, new_actor, update_data}
+          update_data = make_update_data(actor_as_data, Map.merge(audience, additional))
+          {:ok, new_actor, update_data}

-      {:error, %Ecto.Changeset{} = err} ->
-        {:error, err}
+        {:error, %Ecto.Changeset{} = err} ->
+          {:error, err}
+      end
+    else
+      {:error, :update_not_allowed}
    end
  end