From a2d5202d4e6e0e02c2188e54d7c710b9b19685e4 Mon Sep 17 00:00:00 2001
From: Anthony Wang
Date: Wed, 15 Jun 2022 20:43:19 -0500
Subject: [PATCH] Limit maximum ActivityPub request and response sizes to a configurable setting
---
 custom/conf/app.example.ini | 3 +++
 docs/content/doc/advanced/config-cheat-sheet.en-us.md | 1 +
 modules/setting/federation.go | 2 ++
 routers/api/v1/activitypub/reqsignature.go | 2 +-
 4 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 2fb2c1a56..5a38a5200 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2249,6 +2249,9 @@ PATH =
 ;; Enable/Disable user statistics for nodeinfo if federation is enabled
 ; SHARE_USER_STATISTICS = true
 ;;
+;; Maximum ActivityPub request and response size (MB)
+; MAX_SIZE = 4
+;;
 ;; HTTP signature algorithms
 ; ALGORITHMS = rsa-sha256, rsa-sha512
 ;;
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 314ecf478..bb610a722 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -1087,6 +1087,7 @@ Task queue configuration has been moved to `queue.task`. However, the below conf
 - `ENABLED`: **true**: Enable/Disable federation capabilities
 - `SHARE_USER_STATISTICS`: **true**: Enable/Disable user statistics for nodeinfo if federation is enabled
+- `MAX_SIZE`: **4**: Maximum ActivityPub request and response size (MB)
 - `ALGORITHMS`: **rsa-sha256, rsa-sha512**: HTTP signature algorithms
 - `DIGEST_ALGORITHM`: **SHA-256**: HTTP signature digest algorithm
 - `GET_HEADERS`: **(request-target), Date**: GET headers for federation requests
diff --git a/modules/setting/federation.go b/modules/setting/federation.go
index cba1851df..db81eaebb 100644
--- a/modules/setting/federation.go
+++ b/modules/setting/federation.go
@@ -15,6 +15,7 @@ var (
 Federation = struct {
 Enabled bool
 ShareUserStatistics bool
+ MaxSize int64
 Algorithms []string
 DigestAlgorithm string
 GetHeaders []string
@@ -22,6 +23,7 @@ var (
 }{
 Enabled: true,
 ShareUserStatistics: true,
+ MaxSize: 4,
 Algorithms: []string{"rsa-sha256", "rsa-sha512"},
 DigestAlgorithm: "SHA-256",
 GetHeaders: []string{"(request-target)", "Date"},
diff --git a/routers/api/v1/activitypub/reqsignature.go b/routers/api/v1/activitypub/reqsignature.go
index f080f4e20..e734da89d 100644
--- a/routers/api/v1/activitypub/reqsignature.go
+++ b/routers/api/v1/activitypub/reqsignature.go
@@ -61,7 +61,7 @@ func fetch(iri *url.URL) (b []byte, err error) {
 err = fmt.Errorf("url IRI fetch [%s] failed with status (%d): %s", iri, resp.StatusCode, resp.Status)
 return
 }
- b, err = io.ReadAll(resp.Body)
+ b, err = io.ReadAll(io.LimitReader(resp.Body, setting.Federation.MaxSize*(1<<20)))
 return
 }
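Review bot: The new `MaxSize` field in the `Federation` struct has no lower-bound validation anywhere in this patch, and a configured `MAX_SIZE = 0` (or a negative value) would make the `io.LimitReader` in reqsignature.go return an empty body for every fetch with no error. The code that reads the `[federation]` section into this struct is outside the hunk, so it may already be clamped there, but nothing in the diff shows it; a guard at load time, or at minimum a field comment `MaxSize int64 // maximum ActivityPub body size in MiB; must be > 0`, would document the contract. The field is also undocumented while its neighbours rely on the ini example for meaning; given the unit is MiB (`1<<20`) rather than MB, the comment should say so to match the conversion. The commit title promises limiting "request" sizes as well, but the diffstat lists no change to inbox/request-body handling, so either the title overstates the change or that part is still to come.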
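Review bot: `io.LimitReader` on the added line truncates an oversized response silently: a body larger than `MaxSize` MiB comes back as a cut-off byte slice with `err == nil`, so the caller gets a partial actor or key document and the failure, if any, only surfaces later as a parse error far from its cause. The usual pattern is to read one byte past the limit and reject the response explicitly when the extra byte arrives, so the size limit is a hard error rather than a data-mangling one. The body of `fetch` starts outside the hunk; the rewrite below touches only the read and return at its end.
```go
	// … unchanged: request construction and status check …
	limit := setting.Federation.MaxSize * (1 << 20)
	// Read one byte past the limit so an oversized body is detected and
	// rejected rather than silently truncated.
	b, err = io.ReadAll(io.LimitReader(resp.Body, limit+1))
	if err == nil && int64(len(b)) > limit {
		b = nil
		err = fmt.Errorf("url IRI fetch [%s] response body exceeds %d bytes", iri, limit)
	}
	return
```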