diff --git a/packages/backend/src/core/IdService.ts b/packages/backend/src/core/IdService.ts
index c98b8ea6fc334f74d57ef301b94346d31031d874..43e72d2d7bdacfbeb5e2a645992fc662ee4afdb0 100644
--- a/packages/backend/src/core/IdService.ts
+++ b/packages/backend/src/core/IdService.ts
@@ -7,11 +7,11 @@ import { Inject, Injectable } from '@nestjs/common';
import { ulid } from 'ulid';
import { DI } from '@/di-symbols.js';
import type { Config } from '@/config.js';
-import { genAid, parseAid } from '@/misc/id/aid.js';
-import { genAidx, parseAidx } from '@/misc/id/aidx.js';
-import { genMeid, parseMeid } from '@/misc/id/meid.js';
-import { genMeidg, parseMeidg } from '@/misc/id/meidg.js';
-import { genObjectId, parseObjectId } from '@/misc/id/object-id.js';
+import { genAid, isSafeAidT, parseAid } from '@/misc/id/aid.js';
+import { genAidx, isSafeAidxT, parseAidx } from '@/misc/id/aidx.js';
+import { genMeid, isSafeMeidT, parseMeid } from '@/misc/id/meid.js';
+import { genMeidg, isSafeMeidgT, parseMeidg } from '@/misc/id/meidg.js';
+import { genObjectId, isSafeObjectIdT, parseObjectId } from '@/misc/id/object-id.js';
import { bindThis } from '@/decorators.js';
import { parseUlid } from '@/misc/id/ulid.js';
@@ -26,6 +26,19 @@ export class IdService {
this.method = config.id.toLowerCase();
}
+ @bindThis
+ public isSafeT(t: number): boolean {
+ switch (this.method) {
+ case 'aid': return isSafeAidT(t);
+ case 'aidx': return isSafeAidxT(t);
+ case 'meid': return isSafeMeidT(t);
+ case 'meidg': return isSafeMeidgT(t);
+ case 'ulid': return t > 0;
+ case 'objectid': return isSafeObjectIdT(t);
+ default: throw new Error('unrecognized id generation method');
+ }
+ }
+
/**
* 時間を元ã«IDを生æˆã—ã¾ã™(çœç•¥æ™‚ã¯ç¾åœ¨æ—¥æ™‚)
* @param time 日時
diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts
index 7aba140689510715a97f52d7ad94928eb8662492..baaab67e481d94e36e7cbc59228655c43ac30f0d 100644
--- a/packages/backend/src/core/activitypub/ApInboxService.ts
+++ b/packages/backend/src/core/activitypub/ApInboxService.ts
@@ -306,9 +306,15 @@ export class ApInboxService {
this.logger.info(`Creating the (Re)Note: ${uri}`);
const activityAudience = await this.apAudienceService.parseAudience(actor, activity.to, activity.cc);
+ const createdAt = activity.published ? new Date(activity.published) : null;
+
+ if (createdAt && createdAt < this.idService.parse(renote.id).date) {
+ this.logger.warn('skip: malformed createdAt');
+ return;
+ }
await this.noteCreateService.create(actor, {
- createdAt: activity.published ? new Date(activity.published) : null,
+ createdAt,
renote,
visibility: activityAudience.visibility,
visibleUsers: activityAudience.visibleUsers,
diff --git a/packages/backend/src/core/activitypub/models/ApNoteService.ts b/packages/backend/src/core/activitypub/models/ApNoteService.ts
index 1979cdda9c8a298d69fd3008d286cc134108ddff..05d5ca15db17742295e208718eb44b94922defbf 100644
--- a/packages/backend/src/core/activitypub/models/ApNoteService.ts
+++ b/packages/backend/src/core/activitypub/models/ApNoteService.ts
@@ -92,6 +92,10 @@ export class ApNoteService {
return new Error(`invalid Note: attributedTo has different host. expected: ${expectHost}, actual: ${actualHost}`);
}
+ if (object.published && !this.idService.isSafeT(new Date(object.published).valueOf())) {
+ return new Error('invalid Note: published timestamp is malformed');
+ }
+
return null;
}
diff --git a/packages/backend/src/misc/id/aid.ts b/packages/backend/src/misc/id/aid.ts
index e7b59f262b84b21a14e6e3d8b2af5c2215be90af..de03f6793f3016d719b239cfee5bb8526b40172d 100644
--- a/packages/backend/src/misc/id/aid.ts
+++ b/packages/backend/src/misc/id/aid.ts
@@ -34,3 +34,7 @@ export function parseAid(id: string): { date: Date; } {
const time = parseInt(id.slice(0, 8), 36) + TIME2000;
return { date: new Date(time) };
}
+
+export function isSafeAidT(t: number): boolean {
+ return t > TIME2000;
+}
diff --git a/packages/backend/src/misc/id/aidx.ts b/packages/backend/src/misc/id/aidx.ts
index bed223225aedb28648208a4fef3cac2d60c9a76a..9f457f6f0aa2737d3a17c760f0bd58c4d7566123 100644
--- a/packages/backend/src/misc/id/aidx.ts
+++ b/packages/backend/src/misc/id/aidx.ts
@@ -41,3 +41,7 @@ export function parseAidx(id: string): { date: Date; } {
const time = parseInt(id.slice(0, TIME_LENGTH), 36) + TIME2000;
return { date: new Date(time) };
}
+
+export function isSafeAidxT(t: number): boolean {
+ return t > TIME2000;
+}
diff --git a/packages/backend/src/misc/id/meid.ts b/packages/backend/src/misc/id/meid.ts
index 366738de05baf0c18a2f2a22a7d40e3f4de58170..7646282edb00ecefcb02c9e3f1315c9cbd360442 100644
--- a/packages/backend/src/misc/id/meid.ts
+++ b/packages/backend/src/misc/id/meid.ts
@@ -38,3 +38,7 @@ export function parseMeid(id: string): { date: Date; } {
date: new Date(parseInt(id.slice(0, 12), 16) - 0x800000000000),
};
}
+
+export function isSafeMeidT(t: number): boolean {
+ return t > 0;
+}
diff --git a/packages/backend/src/misc/id/meidg.ts b/packages/backend/src/misc/id/meidg.ts
index 426a46970b1f5df501c2541ebbc83c4f0b749b3e..f2a55443efb377fc401fcc3f8c8cfe52c27f2273 100644
--- a/packages/backend/src/misc/id/meidg.ts
+++ b/packages/backend/src/misc/id/meidg.ts
@@ -38,3 +38,7 @@ export function parseMeidg(id: string): { date: Date; } {
date: new Date(parseInt(id.slice(1, 12), 16)),
};
}
+
+export function isSafeMeidgT(t: number): boolean {
+ return t > 0;
+}
diff --git a/packages/backend/src/misc/id/object-id.ts b/packages/backend/src/misc/id/object-id.ts
index 49bd9591c05b530d05fbd3ffccdb877df4c2fb80..f5c3619fdbd09805c0bbb1194b8bd4902aa0c6fe 100644
--- a/packages/backend/src/misc/id/object-id.ts
+++ b/packages/backend/src/misc/id/object-id.ts
@@ -38,3 +38,7 @@ export function parseObjectId(id: string): { date: Date; } {
date: new Date(parseInt(id.slice(0, 8), 16) * 1000),
};
}
+
+export function isSafeObjectIdT(t: number): boolean {
+ return t > 0;
+}