From 52b44184b40930a4ca7b4dc463631d7439feb726 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Thu, 23 Aug 2018 01:23:02 +0000
Subject: [PATCH 1/3] transmogrifier: reject activities lacking a valid ID

---
 lib/pleroma/web/activity_pub/transmogrifier.ex | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
index 5e07d5ea9..1367bc7e3 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@@ -177,6 +177,12 @@ def fix_content_map(%{"contentMap" => content_map} = object) do
   def fix_content_map(object), do: object
 
+  # disallow objects with bogus IDs
+  def handle_incoming(%{"id" => nil}), do: :error
+  def handle_incoming(%{"id" => ""}), do: :error
+  # length of https:// = 8, should validate better, but good enough for now.
+  def handle_incoming(%{"id" => id}) when not (is_binary(id) and length(id) > 8), do: :error
+
   # TODO: validate those with a Ecto scheme
   # - tags
   # - emoji

From bc36d40bee790c57d8e422d75c1999bdc8f4c031 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Thu, 23 Aug 2018 00:55:41 +0000
Subject: [PATCH 2/3] tests: add a testcase for verifying that objects without a valid ID are always rejected

---
 test/web/activity_pub/transmogrifier_test.exs | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index e455da39f..e2926d495 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
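Review bot: The guard on the third added clause calls `length(id)`, which only accepts lists and raises on a binary, and a raising guard simply fails, so every binary `id` — including ones shorter than the intended 8-byte minimum such as `"http://x"` — skips this clause and falls through to the type-specific `handle_incoming` clauses that follow outside the hunk. The guard-safe size function for binaries is `byte_size/1`: `def handle_incoming(%{"id" => id}) when not (is_binary(id) and byte_size(id) > 8), do: :error`. With that fix the `%{"id" => nil}` and `%{"id" => ""}` clauses become redundant, since both values already fail the combined guard. A payload with no `"id"` key at all still matches none of these clauses and reaches the later ones; an explicit `Map.has_key?(data, "id")` check at the entry point (or an `is_map_key/2` guard, if the project's Elixir version provides it) would close that gap.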
@@ -615,6 +615,18 @@ test "it works for incoming rejects which are referenced by IRI only" do
     assert User.following?(follower, followed) == false
   end
+
+  test "it rejects activities without a valid ID" do
+    user = insert(:user)
+
+    data =
+      File.read!("test/fixtures/mastodon-follow-activity.json")
+      |> Poison.decode!()
+      |> Map.put("object", user.ap_id)
+      |> Map.put("id", "")
+
+    :error = Transmogrifier.handle_incoming(data)
+  end
 end
 
 describe "prepare outgoing" do

From a909fe45a6d680cc5a069cc7c340818ecbca54dc Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Thu, 23 Aug 2018 01:34:36 +0000
Subject: [PATCH 3/3] formatting

---
 lib/pleroma/web/twitter_api/views/user_view.ex | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/web/twitter_api/views/user_view.ex b/lib/pleroma/web/twitter_api/views/user_view.ex
index 712557f77..32f93153d 100644
--- a/lib/pleroma/web/twitter_api/views/user_view.ex
+++ b/lib/pleroma/web/twitter_api/views/user_view.ex
@@ -38,7 +38,8 @@ def render("user.json", %{user: user = %User{}} = assigns) do
     data = %{
       "created_at" => user.inserted_at |> Utils.format_naive_asctime(),
-      "description" => HtmlSanitizeEx.strip_tags((user.bio || "") |> String.replace("
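Review bot: The new test covers only `"id" => ""`, which the dedicated empty-string clause catches, so it would still pass if the length guard for binary ids were broken; adding a case with a short id such as `"http://x"` and one that drops the key with `Map.delete(data, "id")` would pin the behaviour the commit message claims, that activities without a valid ID are always rejected. The bare match `:error = Transmogrifier.handle_incoming(data)` fails with a MatchError rather than an ExUnit assertion diff; `assert :error == Transmogrifier.handle_incoming(data)` reports the actual return value on failure. The enclosing `describe` block starts outside the hunk.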
", "\n")),
+      "description" =>
+        HtmlSanitizeEx.strip_tags((user.bio || "") |> String.replace("
", "\n")),
       "description_html" => HtmlSanitizeEx.basic_html(user.bio),
       "favourites_count" => 0,
       "followers_count" => user_info[:follower_count],