From 29ebf648c791ebf4f262b31020da397d41e25b48 Mon Sep 17 00:00:00 2001
From: Felix Ableitner <me@nutomic.com>
Date: Tue, 9 Apr 2024 13:01:33 +0200
Subject: [PATCH] Dont allow federation to overwrite local objects

---
 crates/apub/src/objects/comment.rs         | 5 +++++
 crates/apub/src/objects/community.rs       | 5 +++++
 crates/apub/src/objects/instance.rs        | 4 ++++
 crates/apub/src/objects/person.rs          | 4 ++++
 crates/apub/src/objects/post.rs            | 5 +++++
 crates/apub/src/objects/private_message.rs | 5 +++++
 6 files changed, 28 insertions(+)

diff --git a/crates/apub/src/objects/comment.rs b/crates/apub/src/objects/comment.rs
index ba7cc914f..364583865 100644
--- a/crates/apub/src/objects/comment.rs
+++ b/crates/apub/src/objects/comment.rs
@@ -158,6 +158,11 @@ impl Object for ApubComment {
   /// If the parent community, post and comment(s) are not known locally, these are also fetched.
   #[tracing::instrument(skip_all)]
   async fn from_json(note: Note, context: &Data<LemmyContext>) -> Result<ApubComment, LemmyError> {
+    // Dont allow overwriting local object
+    if note.id.inner().domain() == Some(context.domain()) {
+      return note.id.dereference_local(context).await;
+    }
+
     let creator = note.attributed_to.dereference(context).await?;
     let (post, parent_comment) = note.get_parents(context).await?;
 
diff --git a/crates/apub/src/objects/community.rs b/crates/apub/src/objects/community.rs
index 7630d80b2..8a1fa9a71 100644
--- a/crates/apub/src/objects/community.rs
+++ b/crates/apub/src/objects/community.rs
@@ -138,6 +138,11 @@ impl Object for ApubCommunity {
     group: Group,
     context: &Data<Self::DataType>,
   ) -> Result<ApubCommunity, LemmyError> {
+    // Dont allow overwriting local object
+    if group.id.inner().domain() == Some(context.domain()) {
+      return group.id.dereference_local(context).await;
+    }
+
     let instance_id = fetch_instance_actor_for_object(&group.id, context).await?;
 
     let local_site = LocalSite::read(&mut context.pool()).await.ok();
diff --git a/crates/apub/src/objects/instance.rs b/crates/apub/src/objects/instance.rs
index 6894643d6..c50bce28e 100644
--- a/crates/apub/src/objects/instance.rs
+++ b/crates/apub/src/objects/instance.rs
@@ -138,6 +138,10 @@ impl Object for ApubSite {
 
   #[tracing::instrument(skip_all)]
   async fn from_json(apub: Self::Kind, context: &Data<Self::DataType>) -> Result<Self, LemmyError> {
+    // Dont allow overwriting local object
+    if apub.id.inner().domain() == Some(context.domain()) {
+      return apub.id.dereference_local(context).await;
+    }
     let domain = apub.id.inner().domain().expect("group id has domain");
     let instance = DbInstance::read_or_create(&mut context.pool(), domain.to_string()).await?;
 
diff --git a/crates/apub/src/objects/person.rs b/crates/apub/src/objects/person.rs
index d4456344f..8950f05e6 100644
--- a/crates/apub/src/objects/person.rs
+++ b/crates/apub/src/objects/person.rs
@@ -149,6 +149,10 @@ impl Object for ApubPerson {
     person: Person,
     context: &Data<Self::DataType>,
   ) -> Result<ApubPerson, LemmyError> {
+    // Dont allow overwriting local object
+    if person.id.inner().domain() == Some(context.domain()) {
+      return person.id.dereference_local(context).await;
+    }
     let instance_id = fetch_instance_actor_for_object(&person.id, context).await?;
 
     let local_site = LocalSite::read(&mut context.pool()).await.ok();
diff --git a/crates/apub/src/objects/post.rs b/crates/apub/src/objects/post.rs
index 0ddc6d17b..c02b34768 100644
--- a/crates/apub/src/objects/post.rs
+++ b/crates/apub/src/objects/post.rs
@@ -182,6 +182,11 @@ impl Object for ApubPost {
 
   #[tracing::instrument(skip_all)]
   async fn from_json(page: Page, context: &Data<Self::DataType>) -> Result<ApubPost, LemmyError> {
+    // Dont allow overwriting local object
+    if page.id.inner().domain() == Some(context.domain()) {
+      return page.id.dereference_local(context).await;
+    }
+
     let creator = page.creator()?.dereference(context).await?;
     let community = page.community(context).await?;
     if community.posting_restricted_to_mods {
diff --git a/crates/apub/src/objects/private_message.rs b/crates/apub/src/objects/private_message.rs
index 647510802..a1cecfe1e 100644
--- a/crates/apub/src/objects/private_message.rs
+++ b/crates/apub/src/objects/private_message.rs
@@ -121,6 +121,11 @@ impl Object for ApubPrivateMessage {
     note: ChatMessage,
     context: &Data<Self::DataType>,
   ) -> Result<ApubPrivateMessage, LemmyError> {
+    // Dont allow overwriting local object
+    if note.id.inner().domain() == Some(context.domain()) {
+      return note.id.dereference_local(context).await;
+    }
+
     let creator = note.attributed_to.dereference(context).await?;
     let recipient = note.to[0].dereference(context).await?;
     check_person_block(creator.id, recipient.id, &mut context.pool()).await?;