From 0b2c051a04b3eeb7292f2b847c98fcbafbb20ed2 Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Sat, 1 Sep 2018 23:20:02 +0000
Subject: [PATCH] activitypub: fix possibility of spoofing by containing remote
 objects to the same domain as their actor

---
 lib/pleroma/web/activity_pub/activity_pub.ex   |  1 +
 lib/pleroma/web/activity_pub/transmogrifier.ex | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
index e6c2dc9cf..81c11dd76 100644
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -747,6 +747,7 @@ def fetch_object_from_id(id) do
              "actor" => data["attributedTo"],
              "object" => data
            },
+           :ok <- Transmogrifier.contain_origin(id, params),
            {:ok, activity} <- Transmogrifier.handle_incoming(params) do
         {:ok, Object.normalize(activity.data["object"])}
       else
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
index 1367bc7e3..b75422fc6 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@@ -30,6 +30,20 @@ def get_actor(%{"actor" => actor}) when is_map(actor) do
     actor["id"]
   end
 
+  @doc """
+  Checks that an imported AP object's actor matches the domain it came from.
+  """
+  def contain_origin(id, %{"actor" => actor}) do
+    id_uri = URI.parse(id)
+    actor_uri = URI.parse(actor)
+
+    if id_uri.host == actor_uri.host do
+      :ok
+    else
+      :error
+    end
+  end
+
   @doc """
   Modifies an incoming AP object (mastodon format) to our internal format.
   """