fix(backend): reject malformed timestamp #12554

acid-chicken · 2023-12-03T04:06:04Z

What

リモートの Activity のタイムスタンプによってタイムスタンプ部がクランプされる ID が生成されるとき、その Activity を拒否する

Why

Fix #12401

Additional info (optional)

Checklist

Read the contribution guide
Test working in a local environment
(If needed) Add story of storybook
(If needed) Update CHANGELOG.md
(If possible) Add tests

codecov · 2023-12-03T04:07:00Z

Codecov Report

Attention: 29 lines in your changes are missing coverage. Please review.

Comparison is base (e17d741) 78.79% compared to head (fefce39) 78.76%.

Files	Patch %	Lines
packages/backend/src/core/IdService.ts	44.44%	10 Missing ⚠️
...ges/backend/src/core/activitypub/ApInboxService.ts	0.00%	7 Missing ⚠️
...ckend/src/core/activitypub/models/ApNoteService.ts	50.00%	2 Missing ⚠️
packages/backend/src/misc/id/aid.ts	50.00%	2 Missing ⚠️
packages/backend/src/misc/id/aidx.ts	50.00%	2 Missing ⚠️
packages/backend/src/misc/id/meid.ts	50.00%	2 Missing ⚠️
packages/backend/src/misc/id/meidg.ts	50.00%	2 Missing ⚠️
packages/backend/src/misc/id/object-id.ts	50.00%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #12554      +/-   ##
===========================================
- Coverage    78.79%   78.76%   -0.04%     
===========================================
  Files          954      953       -1     
  Lines       103756   103735      -21     
  Branches      8346     8348       +2     
===========================================
- Hits         81756    81707      -49     
- Misses       22000    22028      +28

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

github-actions · 2023-12-03T04:07:34Z

このPRによるapi.jsonの差分

差分はこちら

Get diff files from Workflow Page

syuilo · 2023-12-03T04:59:28Z

packages/backend/src/core/activitypub/ApInboxService.ts

@@ -306,9 +306,15 @@ export class ApInboxService {
 			this.logger.info(`Creating the (Re)Note: ${uri}`);

 			const activityAudience = await this.apAudienceService.parseAudience(actor, activity.to, activity.cc);
+			const createdAt = activity.published ? new Date(activity.published) : null;
+
+			if (createdAt && createdAt < this.idService.parse(renote.id).date) {


この判定は無いとどんな問題がある？

Renote の Note ID が同様の問題を発生させる可能性がある
そもそも Renote が参照先の Note より先に発行されるはずはないため、そういう条件で判定している

まぁリモートのサーバーの時計がぶっ壊れてたらここに到達する可能性は否めないが、それは NTP 設定してくれ〜すぎるので

syuilo · 2023-12-03T05:38:45Z

🙏🏻

fix(backend): reject malformed timestamp

fefce39

acid-chicken added 🐛Bug Unexpected behavior packages/backend Server side specific issue/PR 🌌Federation The Federation/ActivityPub feature labels Dec 3, 2023

syuilo reviewed Dec 3, 2023

View reviewed changes

syuilo merged commit af15f8d into develop Dec 3, 2023
19 checks passed

syuilo deleted the patch-12401 branch December 3, 2023 05:38

camilla-ett pushed a commit to kaseiski/misskey that referenced this pull request Jan 2, 2024

fix(backend): reject malformed timestamp (misskey-dev#12554)

bf09869

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(backend): reject malformed timestamp #12554

fix(backend): reject malformed timestamp #12554

acid-chicken commented Dec 3, 2023

codecov bot commented Dec 3, 2023 •

edited

Loading

github-actions bot commented Dec 3, 2023

syuilo Dec 3, 2023

acid-chicken Dec 3, 2023

acid-chicken Dec 3, 2023

syuilo commented Dec 3, 2023

fix(backend): reject malformed timestamp #12554

fix(backend): reject malformed timestamp #12554

Conversation

acid-chicken commented Dec 3, 2023

What

Why

Additional info (optional)

Checklist

codecov bot commented Dec 3, 2023 • edited Loading

Codecov Report

github-actions bot commented Dec 3, 2023

syuilo Dec 3, 2023

Choose a reason for hiding this comment

acid-chicken Dec 3, 2023

Choose a reason for hiding this comment

acid-chicken Dec 3, 2023

Choose a reason for hiding this comment

syuilo commented Dec 3, 2023

codecov bot commented Dec 3, 2023 •

edited

Loading