From b5461737478fa65f983d6001000acda23790f2aa Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 24 Jul 2022 21:58:09 +0000
Subject: [PATCH] IMproved handling of untrusted posts

---
 src/Protocol/ActivityPub/Processor.php |  3 ++-
 src/Protocol/ActivityPub/Receiver.php  | 12 ++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/Protocol/ActivityPub/Processor.php b/src/Protocol/ActivityPub/Processor.php
index 1ca6fce902..d012498ab2 100644
--- a/src/Protocol/ActivityPub/Processor.php
+++ b/src/Protocol/ActivityPub/Processor.php
@@ -466,7 +466,7 @@ class Processor
 	 *
 	 * @return boolean
 	 */
-	private static function isActivityGone(string $url): bool
+	public static function isActivityGone(string $url): bool
 	{
 		$curlResult = HTTPSignature::fetchRaw($url, 0);
 
@@ -1346,6 +1346,7 @@ class Processor
 	{
 		$uid = User::getIdForURL($activity['object_id']);
 		if (empty($uid)) {
+			Queue::remove($activity);
 			return;
 		}
 
diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php
index 2655da9f0e..66653579ea 100644
--- a/src/Protocol/ActivityPub/Receiver.php
+++ b/src/Protocol/ActivityPub/Receiver.php
@@ -274,7 +274,7 @@ class Receiver
 	{
 		$id = JsonLD::fetchElement($activity, '@id');
 		$object_id = JsonLD::fetchElement($activity, 'as:object', '@id');
-		
+
 		if (!empty($id) && !$trust_source) {
 			$fetch_uid = $uid ?: self::getBestUserForActivity($activity);
 
@@ -291,7 +291,7 @@ class Receiver
 						Logger::info('Fetched data is the object instead of the activity', ['id' => $id]);
 						unset($object['@context']);
 						$activity['as:object'] = $object;
-					}					
+					}
 				} else {
 					Logger::info('Activity id is not equal', ['id' => $id, 'fetched' => $fetched_id]);
 				}
@@ -371,6 +371,10 @@ class Receiver
 			$object_data['object_object'] = JsonLD::fetchElement($activity['as:object'], 'as:object');
 			$object_data['object_type'] = JsonLD::fetchElement($activity['as:object'], '@type');
 			$object_data['push'] = $push;
+			if ($type == 'as:Delete') {
+				$apcontact = APContact::getByURL($object_data['object_id'], true);
+				$trust_source = ($apcontact['type'] == 'Tombstone');
+			}
 		} elseif (in_array($type, ['as:Create', 'as:Update', 'as:Announce', 'as:Invite']) || strpos($type, '#emojiReaction')) {
 			// Fetch the content only on activities where this matters
 			// We can receive "#emojiReaction" when fetching content from Hubzilla systems
@@ -425,6 +429,10 @@ class Receiver
 			if (($type == 'as:Undo') && !empty($object_data['object_object'])) {
 				$object_data['object_object_type'] = self::fetchObjectType([], $object_data['object_object'], $fetch_uid);
 			}
+
+			if (($type == 'as:Delete') && in_array($object_data['object_type'], array_merge(['as:Tombstone'], self::CONTENT_TYPES))) {
+				$trust_source = Processor::isActivityGone($object_data['object_id']);
+			}
 		}
 
 		$object_data = self::addActivityFields($object_data, $activity);
-- 
2.39.5