Merge commit from fork

* Add limit on inbox payload size

The 1MB limit is consistent with the limit we use when fetching remote resources

* Add limit to number of options from federated polls

* Add a limit to the number of federated profile fields

* Add limit on federated username length

* Add hard limits for federated display name and account bio

* Add hard limits for `alsoKnownAs` and `attributionDomains`

* Add hard limit on federated custom emoji shortcode

* Highlight most destructive limits and expand on their reasoning

app/lib/activitypub/activity.rb

@@ -5,6 +5,7 @@ class ActivityPub::Activity
   include Redisable
   include Lockable
 
+  MAX_JSON_SIZE = 1.megabyte
   SUPPORTED_TYPES = %w(Note Question).freeze
   CONVERTED_TYPES = %w(Image Audio Video Article Page Event).freeze
 

app/lib/activitypub/parser/poll_parser.rb

@@ -3,6 +3,10 @@
 class ActivityPub::Parser::PollParser
   include JsonLdHelper
 
+  # Limit the number of items for performance purposes.
+  # We truncate rather than error out to avoid missing the post entirely.
+  MAX_ITEMS = 500
+
   def initialize(json)
     @json = json
   end
@@ -48,6 +52,6 @@ class ActivityPub::Parser::PollParser
   private
 
   def items
-    @json['anyOf'] || @json['oneOf']
+    (@json['anyOf'] || @json['oneOf'])&.take(MAX_ITEMS)
   end
 end