Discard notes made before Fedi's existence, or after today (#9605)
This PR should kill #9531 - Safeguarding against posts that are made before 2007 (Identica being made in 2008, the 'first ever activitypub software' according to Wikipedia). Personally, I believe that notes from the past, if they go unnoticed, can be used as an attack vector to silently flood a database. Co-authored-by: Kio-td <kio.thedev@gmail.com> Reviewed-on: https://codeberg.org/calckey/calckey/pulls/9605 Co-authored-by: daikei <daikei@noreply.codeberg.org> Co-committed-by: daikei <daikei@noreply.codeberg.org>
parent
4ddb65410b
commit
8b6d3167bc
|
@ -125,6 +125,23 @@ export async function createNote(
|
|||
|
||||
logger.info(`Creating the Note: ${note.id}`);
|
||||
|
||||
// Skip if note is made before 2007 (1yr before Fedi was created)
|
||||
// OR skip if note is made 3 days in advance
|
||||
if (note.published) {
|
||||
const DateChecker = new Date(note.published)
|
||||
const FutureCheck = new Date()
|
||||
FutureCheck.setDate(FutureCheck.getDate() + 3) // Allow some wiggle room for misconfigured hosts
|
||||
if (DateChecker.getFullYear() < 2007) {
|
||||
logger.warn('Note somehow made before Activitypub was created; discarding');
|
||||
return null;
|
||||
}
|
||||
if (DateChecker > FutureCheck) {
|
||||
logger.warn('Note somehow made after today; discarding')
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Fetch author
|
||||
const actor = (await resolvePerson(
|
||||
getOneApId(note.attributedTo),
|
||||
|
|
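Review bot: The new date guard fails open when `note.published` cannot be parsed: `new Date(note.published)` then yields an Invalid Date, `getFullYear()` returns NaN, and both `DateChecker.getFullYear() < 2007` and `DateChecker > FutureCheck` evaluate to false, so the note is accepted. Because `published` is taken from the incoming note object, add an explicit validity check right after constructing `DateChecker`, for example `if (Number.isNaN(DateChecker.getTime())) return null;`, with a `logger.warn` like the two existing branches. Neither warning includes `note.id`, which makes a discarded note hard to trace back to the host that sent it when reviewing logs; add the id to both messages. `getFullYear()` reads the year in the server's local time zone, so `getUTCFullYear()` would make the 2007 cutoff independent of host configuration. The body of `createNote` starts and ends outside the hunk, so how `published` is used afterwards is not visible here.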