Validate id of ActivityPub representations (#5114)

Additionally, ActivityPub::FetchRemoteStatusService no longer parses activities. OStatus::Activity::Creation no longer delegates to ActivityPub because the provided ActivityPub representations are not signed while OStatus representations are.
2017-10-04 08:13:48 +09:00 · 2017-10-04 08:13:48 +09:00 · 63f0979799
commit 63f0979799
parent ec13cfa4f9
17 changed files with 118 additions and 113 deletions
--- a/app/helpers/jsonld_helper.rb
+++ b/app/helpers/jsonld_helper.rb
@ -22,7 +22,18 @@ module JsonLdHelper
    graph.dump(:normalize)
  end

-  def fetch_resource(uri)
+  def fetch_resource(uri, id)
+    unless id
+      json = fetch_resource_without_id_validation(uri)
+      return unless json
+      uri = json['id']
+    end
+
+    json = fetch_resource_without_id_validation(uri)
+    json.present? && json['id'] == uri ? json : nil
+  end
+
+  def fetch_resource_without_id_validation(uri)
    response = build_request(uri).perform
    return if response.code != 200
    body_to_json(response.to_s)