From 1e14612f0e4349b00f5016f3a9184ff3e40fc37e Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Thu, 24 Oct 2024 04:11:35 +0200
Subject: [PATCH] fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities
---
 packages/backend/src/core/activitypub/ApInboxService.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts
index d54c9544c3..5a6f6f083f 100644
--- a/packages/backend/src/core/activitypub/ApInboxService.ts
+++ b/packages/backend/src/core/activitypub/ApInboxService.ts
@@ -100,6 +100,10 @@ export class ApInboxService {
 const resolver = this.apResolverService.createResolver();
 for (const item of toArray(isCollection(activity) ? activity.items : activity.orderedItems)) {
 const act = await resolver.resolve(item);
+if (act.id == null || this.utilityService.extractDbHost(act.id) !== this.utilityService.extractDbHost(actor.uri)) {
+this.logger.debug('skipping activity: activity id is null or mismatching');
+continue;
+}
 try {
 results.push([getApId(item), await this.performOneActivity(actor, act)]);
 } catch (err) {
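Review bot: The added same-origin check runs only after `resolver.resolve(item)`, so a collection item given as a bare URI on a foreign host is still fetched by this server on the actor's behalf before it is discarded; the origin of the reference itself should be checked before resolving, while keeping the post-resolve check on `act.id` because the fetched object may carry a different id than the reference. `getApId(item)` is already evaluated on the `results.push` line, so the pre-check can reuse it, but note that call currently sits inside the `try` and moving it out means an item with no determinable id would abort the loop instead of being caught — guard it with the same `== null` style as the new check or keep it within a try. If `resolver.resolve` returns inline objects without fetching them (inferred, not visible in this hunk), the check on `act.id` only validates a self-asserted id for those items and the per-activity handlers must still verify the object's origin themselves. The debug message could also name the offending id, e.g. `this.logger.debug(\`skipping activity: id ${act.id} is null or does not match actor host\`);`. The enclosing method starts before and ends after this hunk.
```typescript
			// Reject foreign-origin references before resolving them, so an item
			// from another host is never fetched on this actor's behalf.
			const itemId = getApId(item);
			if (itemId == null || this.utilityService.extractDbHost(itemId) !== this.utilityService.extractDbHost(actor.uri)) {
				this.logger.debug(`skipping activity: item id ${itemId} is null or does not match actor host`);
				continue;
			}
			const act = await resolver.resolve(item);
			// … unchanged: post-resolve check on act.id, try/performOneActivity …
```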