Add some hard limits on inserted activities.

2018-12-26 12:39:35 +01:00 · 2018-12-26 12:39:35 +01:00 · 5811e65e67
commit 5811e65e67
parent 922abcda61
4 changed files with 29 additions and 1 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -98,7 +98,8 @@
  name: "Pleroma",
  email: "example@example.com",
  description: "A Pleroma instance, an alternative fediverse server",
-  limit: 5000,
+  limit: 5_000,
+  remote_limit: 10_000,
  upload_limit: 16_000_000,
  avatar_upload_limit: 2_000_000,
  background_upload_limit: 4_000_000,
--- a/docs/config.md
+++ b/docs/config.md
@ -63,6 +63,7 @@ config :pleroma, Pleroma.Mailer,
 * `email`: Email used to reach an Administrator/Moderator of the instance
 * `description`: The instance’s description, can be seen in nodeinfo and ``/api/v1/instance``
 * `limit`: Posts character limit (CW/Subject included in the counter)
+* `remote_limit`: Hard character limit beyond which remote posts will be dropped.
 * `upload_limit`: File size limit of uploads (except for avatar, background, banner)
 * `avatar_upload_limit`: File size limit of user’s profile avatars
 * `background_upload_limit`: File size limit of user’s profile backgrounds
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@ -56,10 +56,18 @@ defp check_actor_is_active(actor) do
    end
  end

+  defp check_remote_limit(%{"object" => %{"content" => content}}) do
+    limit = Pleroma.Config.get([:instance, :remote_limit])
+    String.length(content) <= limit
+  end
+
+  defp check_remote_limit(_), do: true
+
  def insert(map, local \\ true) when is_map(map) do
    with nil <- Activity.normalize(map),
         map <- lazy_put_activity_defaults(map),
         :ok <- check_actor_is_active(map["actor"]),
+         {_, true} <- {:remote_limit_error, check_remote_limit(map)},
         {:ok, map} <- MRF.filter(map),
         :ok <- insert_full_object(map) do
      {recipients, _, _} = get_recipients(map)
--- a/test/web/activity_pub/activity_pub_test.exs
+++ b/test/web/activity_pub/activity_pub_test.exs
@ -31,6 +31,24 @@ test "it returns a user" do
  end

  describe "insertion" do
+    test "drops activities beyond a certain limit" do
+      limit = Pleroma.Config.get([:instance, :remote_limit])
+
+      random_text =
+        :crypto.strong_rand_bytes(limit + 1)
+        |> Base.encode64()
+        |> binary_part(0, limit + 1)
+
+      data = %{
+        "ok" => true,
+        "object" => %{
+          "content" => random_text
+        }
+      }
+
+      assert {:error, {:remote_limit_error, _}} = ActivityPub.insert(data)
+    end
+
    test "returns the activity if one with the same id is already in" do
      activity = insert(:note_activity)
      {:ok, new_activity} = ActivityPub.insert(activity.data)