From 4d925fc08683a9415c9488b5bcc516ca8f43d4af Mon Sep 17 00:00:00 2001
From: Laura Hausmann <laura@hausmann.dev>
Date: Thu, 24 Oct 2024 04:18:49 +0200
Subject: [PATCH] fix: primitive 17: note same-origin identifier validation can
 be bypassed by wrapping the id in an array

---
 packages/backend/src/core/activitypub/ApInboxService.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts
index edd1041062..b5a97d34c4 100644
--- a/packages/backend/src/core/activitypub/ApInboxService.ts
+++ b/packages/backend/src/core/activitypub/ApInboxService.ts
@@ -426,6 +426,9 @@ export class ApInboxService {
 					return 'skip: host in actor.uri !== note.id';
 				}
 			}
+			else {
+				return 'skip: note.id is not a string'
+			}
 		}
 
 		const unlock = await this.appLockService.getApLock(uri);