Validate id of ActivityPub representations (#5114)

Additionally, ActivityPub::FetchRemoteStatusService no longer parses activities. OStatus::Activity::Creation no longer delegates to ActivityPub because the provided ActivityPub representations are not signed while OStatus representations are.
2017-10-04 08:13:48 +09:00 · 2017-10-04 08:13:48 +09:00 · 63f0979799
commit 63f0979799
parent ec13cfa4f9
17 changed files with 118 additions and 113 deletions
--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
@ -90,7 +90,7 @@ class ActivityPub::ProcessAccountService < BaseService
    return if value.nil?
    return value['url'] if value.is_a?(Hash)

-    image = fetch_resource(value)
+    image = fetch_resource_without_id_validation(value)
    image['url'] if image
  end

@ -100,7 +100,7 @@ class ActivityPub::ProcessAccountService < BaseService
    return if value.nil?
    return value['publicKeyPem'] if value.is_a?(Hash)

-    key = fetch_resource(value)
+    key = fetch_resource_without_id_validation(value)
    key['publicKeyPem'] if key
  end

@ -130,7 +130,7 @@ class ActivityPub::ProcessAccountService < BaseService
    return if @json[type].blank?
    return @collections[type] if @collections.key?(type)

-    collection = fetch_resource(@json[type])
+    collection = fetch_resource_without_id_validation(@json[type])

    @collections[type] = collection.is_a?(Hash) && collection['totalItems'].present? && collection['totalItems'].is_a?(Numeric) ? collection['totalItems'] : nil
  rescue HTTP::Error, OpenSSL::SSL::SSLError