Discard notes made before Fedi's existence, or after today (#9605)

This PR should kill #9531 - Safeguarding against posts that are made before 2007 (Identica being made in 2008, the 'first ever activitypub software' according to wikipedia.) Personally, if gone unnoticed, I believe that notes from the past can be used as an attack vector to silently flood a database. Co-authored-by: Kio-td <kio.thedev@gmail.com> Reviewed-on: https://codeberg.org/calckey/calckey/pulls/9605 Co-authored-by: daikei <daikei@noreply.codeberg.org> Co-committed-by: daikei <daikei@noreply.codeberg.org>
2023-02-11 21:05:31 +00:00 · 2023-02-11 21:05:31 +00:00 · 8b6d3167bc
parent 4ddb65410b
commit 8b6d3167bc
1 changed files with 17 additions and 0 deletions
--- a/packages/backend/src/remote/activitypub/models/note.ts
+++ b/packages/backend/src/remote/activitypub/models/note.ts
@ -125,6 +125,23 @@ export async function createNote(

 	logger.info(`Creating the Note: ${note.id}`);

+	// Skip if note is made before 2007 (1yr before Fedi was created)
+	// OR skip if note is made 3 days in advance
+	if (note.published) {
+		const DateChecker = new Date(note.published)
+		const FutureCheck = new Date()
+		FutureCheck.setDate(FutureCheck.getDate() + 3) // Allow some wiggle room for misconfigured hosts
+		if (DateChecker.getFullYear() < 2007) {
+			logger.warn('Note somehow made before Activitypub was created; discarding');
+			return null;
+		}
+		if (DateChecker > FutureCheck) {
+			logger.warn('Note somehow made after today; discarding')
+			return null;
+		}
+	}
+
+
 	// Fetch author
 	const actor = (await resolvePerson(
 		getOneApId(note.attributedTo),