kyush/misskey
1
0
Fork 0
forked from mirrors/misskey
Code Pull requests Projects Releases Packages 1 Activity Actions

fix(backend): skip inbox activities without an actor instead of throwing TypeError (#17558)

Browse source 
* fix(backend): skip inbox activities without an actor instead of throwing TypeError

- guard getApId() against null/undefined (and fix the 'detemine' typo)
- skip actor-less inbox activities early with Bull.UnrecoverableError

Fixes #17557

* fix(backend): reject actor-less inbox activities at enqueue time

Per review feedback (#17558), move the actor presence check to the inbox
HTTP handler and drop the processor-side guard.

- ActivityPubServerService.inbox(): validate the request body from the
  loose (unknown) type and return 400 for structurally invalid activities
  (non-object / missing actor) instead of enqueueing a job that can never
  be authenticated. Avoids useless retries and TypeError noise.
- InboxProcessorService.process(): remove the actor null guard; IActivity.actor
  is non-null, so the check is unnecessary once enqueue is validated.
- getApId(): widen the parameter to include undefined so the existing null
  guard is type-honest (getOneApId can pass value[0] of an empty array).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
SASAPIYO (SASAGAWA Kiyoshi) 2026-06-19 15:00:17 +09:00 committed by GitHub
commit ae5d2d40d7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 15 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
packages/backend/src/core/activitypub/type.ts
View file

@ -58,10 +58,10 @@ export function getOneApId(value: ApObject): string {
/**
* Get ActivityStreams Object id
*/
export function getApId(value: string | IObject): string {
export function getApId(value: string | IObject | undefined): string {
if (typeof value === 'string') return value;
if (typeof value.id === 'string') return value.id;
throw new Error('cannot detemine id');
if (value != null && typeof value.id === 'string') return value.id;
throw new Error('cannot determine id');
}
/**

12
packages/backend/src/server/ActivityPubServerService.ts
View file

@ -174,7 +174,17 @@ export class ActivityPubServerService {
}
}
this.queueService.inbox(request.body as IActivity, signature);
const body = request.body;
// Reject structurally invalid activities (e.g. missing actor) here instead
// of letting them fail deep inside the inbox processor. An actor-less
// activity can never be authenticated, so there is no point enqueueing it.
if (typeof body !== 'object' || body == null || !('actor' in body) || body.actor == null) {
reply.code(400);
return;
}
this.queueService.inbox(body as IActivity, signature);
reply.code(202);
}