Merge commit from fork

* Add limit on inbox payload size The 1MB limit is consistent with the limit we use when fetching remote resources * Add limit to number of options from federated polls * Add a limit to the number of federated profile fields * Add limit on federated username length * Add hard limits for federated display name and account bio * Add hard limits for `alsoKnownAs` and `attributionDomains` * Add hard limit on federated custom emoji shortcode * Highlight most destructive limits and expand on their reasoning
2026-02-04 03:25:14 +00:00 · 2026-01-20 15:14:45 +01:00 · 2026-01-20 15:14:45 +01:00 · 1a74b74a40
commit 1a74b74a40
parent 9a25b12f0c
7 changed files with 51 additions and 8 deletions
--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
@ -6,6 +6,7 @@ class ActivityPub::ProcessAccountService < BaseService
  include Redisable
  include Lockable

+  MAX_PROFILE_FIELDS = 50
  SUBDOMAINS_RATELIMIT = 10
  DISCOVERIES_PER_REQUEST = 400

@ -123,15 +124,15 @@ class ActivityPub::ProcessAccountService < BaseService

  def set_immediate_attributes!
    @account.featured_collection_url = valid_collection_uri(@json['featured'])
-    @account.display_name            = @json['name'] || ''
-    @account.note                    = @json['summary'] || ''
+    @account.display_name            = (@json['name'] || '')[0...(Account::DISPLAY_NAME_LENGTH_HARD_LIMIT)]
+    @account.note                    = (@json['summary'] || '')[0...(Account::NOTE_LENGTH_HARD_LIMIT)]
    @account.locked                  = @json['manuallyApprovesFollowers'] || false
    @account.fields                  = property_values || {}
-    @account.also_known_as           = as_array(@json['alsoKnownAs'] || []).map { |item| value_or_id(item) }
+    @account.also_known_as           = as_array(@json['alsoKnownAs'] || []).take(Account::ALSO_KNOWN_AS_HARD_LIMIT).map { |item| value_or_id(item) }
    @account.discoverable            = @json['discoverable'] || false
    @account.indexable               = @json['indexable'] || false
    @account.memorial                = @json['memorial'] || false
-    @account.attribution_domains     = as_array(@json['attributionDomains'] || []).map { |item| value_or_id(item) }
+    @account.attribution_domains     = as_array(@json['attributionDomains'] || []).take(Account::ATTRIBUTION_DOMAINS_HARD_LIMIT).map { |item| value_or_id(item) }
  end

  def set_fetchable_key!
@ -252,7 +253,10 @@ class ActivityPub::ProcessAccountService < BaseService
  def property_values
    return unless @json['attachment'].is_a?(Array)

-    as_array(@json['attachment']).select { |attachment| attachment['type'] == 'PropertyValue' }.map { |attachment| attachment.slice('name', 'value') }
+    as_array(@json['attachment'])
+      .select { |attachment| attachment['type'] == 'PropertyValue' }
+      .take(MAX_PROFILE_FIELDS)
+      .map { |attachment| attachment.slice('name', 'value') }
  end

  def mismatching_origin?(url)