comments to remote posts are federated with activity ids pointing at the remote instance #1161

New issue

Open

opened 2024-11-18 14:22:20 +00:00 by dakkar · 0 comments

dakkar commented

2024-11-18 14:22:20 +00:00

Hello!

While inspecting logs of an unrelated fediverse instance, we noticed a mismatch between the host in the signer's URL, and the host in the activity id, with the signature belonging to https://fediverse.blog/@/someone/ but the activity identifying itself as https://writeworks.uk/~/someblog/somepost//comment/12345

This looked like an impersonation attempt (the signer pretending to be a writeworks account), and it was consequently discarded by our instance.

Looking into your source code, I believe the cause of the problem to be in https://git.joinplu.me/Plume/Plume/src/branch/main/plume-models/src/comments.rs#L64-L69 where it generates the URL for the comment based on the URL for the post being commented on. Which is fine when commenting on local posts, but generates nonsensical URLs when the post is remote: it's mashing a remote base URL with a locally-generated primary key. The generated AP URL needs to be under the hostname of the local instance, and should ideally be resolvable to the contents of the comment itself.

(please note that my knowledge of Rust is very rudimentary, and I had never looked at your codebase before now, so I can't really provide a fix…)

Hello! While inspecting logs of an unrelated fediverse instance, we noticed a mismatch between the host in the signer's URL, and the host in the activity id, with the signature belonging to `https://fediverse.blog/@/someone/` but the activity identifying itself as `https://writeworks.uk/~/someblog/somepost//comment/12345` This looked like an impersonation attempt (the signer pretending to be a writeworks account), and it was consequently discarded by our instance. Looking into your source code, I believe the cause of the problem to be in https://git.joinplu.me/Plume/Plume/src/branch/main/plume-models/src/comments.rs#L64-L69 where it generates the URL for the comment based on the URL for the post being commented on. Which is fine when commenting on local posts, but generates nonsensical URLs when the post is remote: it's mashing a remote base URL with a locally-generated primary key. The generated AP URL needs to be under the hostname of the local instance, and should ideally be resolvable to the contents of the comment itself. (please note that my knowledge of Rust is very rudimentary, and I had never looked at your codebase before now, so I can't really provide a fix…)

dakkar added the

C: Bug

label 2024-11-18 14:22:20 +00:00

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Plume/Plume#1161

No description provided.