From 8b6d3167bccd4c7baa40f74cccfbdc50a7bc8390 Mon Sep 17 00:00:00 2001
From: daikei
Date: Sat, 11 Feb 2023 21:05:31 +0000
Subject: [PATCH] Discard notes made before Fedi's existence, or after today (#9605)
This PR should kill #9531 - Safeguarding against posts that are made before 2007 (Identica being made in 2008, the 'first ever activitypub software' according to wikipedia.) Personally, if gone unnoticed, I believe that notes from the past can be used as an attack vector to silently flood a database.
Co-authored-by: Kio-td
Reviewed-on: https://codeberg.org/calckey/calckey/pulls/9605
Co-authored-by: daikei
Co-committed-by: daikei
---
 .../src/remote/activitypub/models/note.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/packages/backend/src/remote/activitypub/models/note.ts b/packages/backend/src/remote/activitypub/models/note.ts
index 28ce46e300..e643e24c9f 100644
--- a/packages/backend/src/remote/activitypub/models/note.ts
+++ b/packages/backend/src/remote/activitypub/models/note.ts
@@ -125,6 +125,23 @@ export async function createNote(
 logger.info(`Creating the Note: ${note.id}`); + // Skip if note is made before 2007 (1yr before Fedi was created) // OR skip if note is made 3 days in advance if (note.published) { const DateChecker = new Date(note.published) const FutureCheck = new Date() FutureCheck.setDate(FutureCheck.getDate() + 3) // Allow some wiggle room for misconfigured hosts if (DateChecker.getFullYear() < 2007) { logger.warn('Note somehow made before Activitypub was created; discarding'); return null; } if (DateChecker > FutureCheck) { logger.warn('Note somehow made after today; discarding') return null; } } + + // Fetch author const actor = (await resolvePerson( getOneApId(note.attributedTo),
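Review bot: A remote `published` value that does not parse (a random string, a number-like object, etc.) makes `new Date(note.published)` an Invalid Date, and both new guards then pass silently — `NaN < 2007` is false and `InvalidDate > FutureCheck` is false — so precisely the malformed input this check exists to stop is the one it lets through. Reject it explicitly right after `const DateChecker = new Date(note.published)` (see below); what the rest of createNote does with an invalid date is outside the hunk, so whether it would throw or persist garbage cannot be confirmed here. Note also that `if (note.published)` means a note with no `published` field skips the guard entirely, which may be deliberate but deserves a comment such as `// Notes without a published date are not bounded here`, and `getFullYear()` is host-local time, so `getUTCFullYear()` would remove a timezone dependence at the year boundary. Stylistically, the three statements without semicolons and the PascalCase locals `DateChecker`/`FutureCheck` differ from the surrounding file's conventions (`actor`, `note`). The enclosing createNote continues past the end of the hunk.

```typescript
		const DateChecker = new Date(note.published)
		// An Invalid Date compares false against every bound below, so a
		// malformed `published` would otherwise pass both checks.
		if (Number.isNaN(DateChecker.getTime())) {
			logger.warn('Note has an unparseable published date; discarding');
			return null;
		}
		// … unchanged: FutureCheck setup and the 2007 / future-date checks …
```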