Prevention against self pings (#1022)

* Prevention against self pings

* remove unused namespace

CHANGELOG.md

@@ -24,6 +24,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 * Fediverse preview showing `preferredUsername` instead of `name`
 * Fixed a potential fatal error in Enable Mastodon Apps
+* Prevention against self pings
 
 ## 4.2.1 - 2024-11-20
 

includes/functions.php

@@ -1497,3 +1497,30 @@ function get_upload_baseurl() {
 	 */
 	return apply_filters( 'activitypub_get_upload_baseurl', $upload_dir['baseurl'] );
 }
+
+/**
+ * Check if an ID is from the same domain as the site.
+ *
+ * @param string $id The ID URI to check.
+ *
+ * @return boolean True if the ID is a self-pint, false otherwise.
+ */
+function is_self_ping( $id ) {
+	$query_string = \wp_parse_url( $id, PHP_URL_QUERY );
+
+	if ( ! $query_string ) {
+		return false;
+	}
+
+	$query = array();
+	\parse_str( $query_string, $query );
+
+	if (
+		is_same_domain( $id ) &&
+		in_array( 'c', array_keys( $query ), true )
+	) {
+		return true;
+	}
+
+	return false;
+}

includes/handler/class-create.php

@@ -9,6 +9,7 @@
 
 use Activitypub\Collection\Interactions;
 
+use function Activitypub\is_self_ping;
 use function Activitypub\is_activity_public;
 use function Activitypub\object_id_to_comment;
 
@@ -65,6 +66,11 @@ public static function handle_create( $activity, $user_id, $activity_object = nu
 			return;
 		}
 
+		if ( is_self_ping( $activity['object']['id'] ) ) {
+			// @todo maybe send email.
+			return;
+		}
+
 		$state    = Interactions::add_comment( $activity );
 		$reaction = null;
 
@@ -106,17 +112,18 @@ public static function validate_object( $valid, $param, $request ) {
 			return $valid;
 		}
 
-		$object   = $json_params['object'];
+		$object = $json_params['object'];
+
+		if ( ! is_array( $object ) ) {
+			return false;
+		}
+
 		$required = array(
 			'id',
 			'inReplyTo',
 			'content',
 		);
 
-		if ( ! is_array( $object ) ) {
-			return false;
-		}
-
 		if ( array_intersect( $required, array_keys( $object ) ) !== $required ) {
 			return false;
 		}

readme.txt

@@ -143,6 +143,7 @@ For reasons of data protection, it is not possible to see the followers of other
 * Improved: Better handling of `readme.txt` and `README.md`
 * Fixed: Fediverse preview showing `preferredUsername` instead of `name`
 * Fixed: Potential fatal error in Enable Mastodon Apps
+* Fixed: Prevention against self pings
 
 = 4.2.1 =
 

tests/class-test-functions.php

@@ -134,6 +134,18 @@ public function test_object_to_uri( $input, $output ) {
 		$this->assertEquals( $output, \Activitypub\object_to_uri( $input ) );
 	}
 
+	/**
+	 * Test is_self_ping.
+	 *
+	 * @covers ::is_self_ping
+	 */
+	public function test_is_self_ping() {
+		$this->assertFalse( \Activitypub\is_self_ping( 'https://example.org' ) );
+		$this->assertFalse( \Activitypub\is_self_ping( 'https://example.com' ) );
+		$this->assertTrue( \Activitypub\is_self_ping( 'https://example.org/?c=123' ) );
+		$this->assertFalse( \Activitypub\is_self_ping( 'https://example.com/?c=123' ) );
+	}
+
 	/**
 	 * Data provider for test_object_to_uri.
 	 *