Limit maximum ActivityPub request and response sizes to a configurable setting

custom/conf/app.example.ini

@@ -2249,6 +2249,9 @@ PATH =
 ;; Enable/Disable user statistics for nodeinfo if federation is enabled
 ; SHARE_USER_STATISTICS = true
 ;;
+;; Maximum ActivityPub request and response size (MB)
+; MAX_SIZE = 4
+;;
 ;; HTTP signature algorithms
 ; ALGORITHMS = rsa-sha256, rsa-sha512
 ;;

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -1087,6 +1087,7 @@ Task queue configuration has been moved to `queue.task`. However, the below conf
 
 - `ENABLED`: **true**: Enable/Disable federation capabilities
 - `SHARE_USER_STATISTICS`: **true**: Enable/Disable user statistics for nodeinfo if federation is enabled
+- `MAX_SIZE`: **4**: Maximum ActivityPub request and response size (MB)
 - `ALGORITHMS`: **rsa-sha256, rsa-sha512**: HTTP signature algorithms
 - `DIGEST_ALGORITHM`: **SHA-256**: HTTP signature digest algorithm
 - `GET_HEADERS`: **(request-target), Date**: GET headers for federation requests

modules/setting/federation.go

@@ -15,6 +15,7 @@ var (
 	Federation = struct {
 		Enabled             bool
 		ShareUserStatistics bool
+		MaxSize             int64
 		Algorithms          []string
 		DigestAlgorithm     string
 		GetHeaders          []string
@@ -22,6 +23,7 @@ var (
 	}{
 		Enabled:             true,
 		ShareUserStatistics: true,
+		MaxSize:             4,
 		Algorithms:          []string{"rsa-sha256", "rsa-sha512"},
 		DigestAlgorithm:     "SHA-256",
 		GetHeaders:          []string{"(request-target)", "Date"},

routers/api/v1/activitypub/reqsignature.go

@@ -61,7 +61,7 @@ func fetch(iri *url.URL) (b []byte, err error) {
 		err = fmt.Errorf("url IRI fetch [%s] failed with status (%d): %s", iri, resp.StatusCode, resp.Status)
 		return
 	}
-	b, err = io.ReadAll(resp.Body)
+	b, err = io.ReadAll(io.LimitReader(resp.Body, setting.Federation.MaxSize*(1<<20)))
 	return
 }