From 5cf135001124cd19183336dbfcae1cd432217b00 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Fri, 11 May 2018 15:41:54 +0200
Subject: [PATCH] Improve AP validation for Notes
---
 .../activitypub/video-comments.ts | 25 ++++++++++++++-----
 .../custom-validators/activitypub/videos.ts | 5 ++--
 server/lib/activitypub/video-comments.ts | 6 ++---
 3 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/server/helpers/custom-validators/activitypub/video-comments.ts b/server/helpers/custom-validators/activitypub/video-comments.ts
index 7e8cfece2..151d13075 100644
--- a/server/helpers/custom-validators/activitypub/video-comments.ts
+++ b/server/helpers/custom-validators/activitypub/video-comments.ts
@@ -1,16 +1,19 @@
 import * as validator from 'validator'
-import { ACTIVITY_PUB } from '../../../initializers'
+import { ACTIVITY_PUB, CONSTRAINTS_FIELDS } from '../../../initializers'
 import { exists, isArray, isDateValid } from '../misc'
 import { isActivityPubUrlValid, isBaseActivityValid } from './misc'
 function isVideoCommentCreateActivityValid (activity: any) {
 return isBaseActivityValid(activity, 'Create') &&
- isVideoCommentObjectValid(activity.object)
+ sanitizeAndCheckVideoCommentObject(activity.object)
 }
-function isVideoCommentObjectValid (comment: any) {
- return comment.type === 'Note' &&
- isActivityPubUrlValid(comment.id) &&
+function sanitizeAndCheckVideoCommentObject (comment: any) {
+ if (comment.type !== 'Note') return false
+
+ normalizeComment(comment)
+
+ return isActivityPubUrlValid(comment.id) &&
 isCommentContentValid(comment.content) &&
 isActivityPubUrlValid(comment.inReplyTo) &&
 isDateValid(comment.published) &&
@@ -31,7 +34,7 @@ function isVideoCommentDeleteActivityValid (activity: any) {
 export {
 isVideoCommentCreateActivityValid,
 isVideoCommentDeleteActivityValid,
- isVideoCommentObjectValid
+ sanitizeAndCheckVideoCommentObject
 }
 // ---------------------------------------------------------------------------
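Review bot: `sanitizeAndCheckVideoCommentObject` reads `comment.type` on its first line before anything has checked that `comment` exists, so a `null` or missing body makes the validator throw a TypeError instead of returning false; the `if (!comment) return` guard inside `normalizeComment` runs too late to help. The callers in `server/lib/activitypub/video-comments.ts` appear to pass a body fetched from a remote instance, so the first line would be safer as `if (!comment || comment.type !== 'Note') return false`. The new `video.type !== 'Video'` check at the top of `sanitizeAndCheckVideoTorrentObject` in `videos.ts` has the same shape and would take the same guard. `CONSTRAINTS_FIELDS` is added to the import but is not used in any hunk shown for this file. The return chain of the function continues outside the hunk.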
@@ -39,3 +42,13 @@ export {
 function isCommentContentValid (content: any) {
 return exists(content) && validator.isLength('' + content, { min: 1 })
 }
+
+function normalizeComment (comment: any) {
+ if (!comment) return
+
+ if (!comment.url || typeof comment.url !== 'string') {
+ comment.url = comment.url.href || comment.url.url
+ }
+
+ return
+}
diff --git a/server/helpers/custom-validators/activitypub/videos.ts b/server/helpers/custom-validators/activitypub/videos.ts
index 0d2e8766d..7e1d57c34 100644
--- a/server/helpers/custom-validators/activitypub/videos.ts
+++ b/server/helpers/custom-validators/activitypub/videos.ts
@@ -43,13 +43,14 @@ function isActivityPubVideoDurationValid (value: string) {
 }
 function sanitizeAndCheckVideoTorrentObject (video: any) {
+ if (video.type !== 'Video') return false
+
 if (!setValidRemoteTags(video)) return false
 if (!setValidRemoteVideoUrls(video)) return false
 if (!setRemoteVideoTruncatedContent(video)) return false
 if (!setValidAttributedTo(video)) return false
- return video.type === 'Video' &&
- isActivityPubUrlValid(video.id) &&
+ return isActivityPubUrlValid(video.id) &&
 isVideoNameValid(video.name) &&
 isActivityPubVideoDurationValid(video.duration) &&
 isUUIDValid(video.uuid) &&
diff --git a/server/lib/activitypub/video-comments.ts b/server/lib/activitypub/video-comments.ts
index 8ab0cdba4..60c9179a6 100644
--- a/server/lib/activitypub/video-comments.ts
+++ b/server/lib/activitypub/video-comments.ts
@@ -1,5 +1,5 @@
 import { VideoCommentObject } from '../../../shared/models/activitypub/objects/video-comment-object'
-import { isVideoCommentObjectValid } from '../../helpers/custom-validators/activitypub/video-comments'
+import { sanitizeAndCheckVideoCommentObject } from '../../helpers/custom-validators/activitypub/video-comments'
 import { logger } from '../../helpers/logger'
 import { doRequest } from '../../helpers/requests'
 import { ACTIVITY_PUB } from '../../initializers'
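Review bot: The condition in `normalizeComment` is also true when `comment.url` is absent, and the body then evaluates `comment.url.href`, which throws a TypeError on `undefined` or `null`; a remote Note without a `url` field makes the validator throw instead of returning false, which callers such as `addVideoComment` rely on. Limiting the rewrite to the object case avoids this: `if (comment.url && typeof comment.url === 'object') {`. An array-valued `url` would still leave `comment.url` undefined after the assignment, so a later check has to reject a non-string `url`; whether one exists is outside this hunk. The trailing bare `return` can be dropped.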
@@ -52,7 +52,7 @@ async function addVideoComment (videoInstance: VideoModel, commentUrl: string) {
 activityPub: true
 })
- if (isVideoCommentObjectValid(body) === false) {
+ if (sanitizeAndCheckVideoCommentObject(body) === false) {
 logger.debug('Remote video comment JSON is not valid.', { body })
 return undefined
 }
@@ -123,7 +123,7 @@ async function resolveThread (url: string, comments: VideoCommentModel[] = []) {
 activityPub: true
 })
- if (isVideoCommentObjectValid(body) === false) {
+ if (sanitizeAndCheckVideoCommentObject(body) === false) {
 throw new Error('Remote video comment JSON is not valid :' + JSON.stringify(body))
 }