activitypub 0.4.2 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 56987420fcce47e1c1c7e1244f804a49bd9e83d80d161c63f90af8ad05c0b669
-  data.tar.gz: a80c527aa688521d97671dcfdbcb3eb55d2b35168fb2dcf1bee5c9ef92123d01
+  metadata.gz: 3d306bc2763af88f633f0645a032d1e0ed47e5a790b140ad566e6a53fdf9aeea
+  data.tar.gz: 2f12fc9aa91aa64fedd909b68b6182ae2ed352e2bb06e80e60a65ee0f6ad4e6e
 SHA512:
-  metadata.gz: 1e6b1f21ab13dfa05f3d9c44f1b3ccf71cc09b83af207800f99dd1ed1d89876cbd3c123385232652285a0e9227edc762a2f8010050f194930d783d11efa4a929
-  data.tar.gz: 9cfdb2e7f56a4b01dfd46f376adbf40843d28347af49d7f281f7588c7650920f29fc1df0b411b45ee9c867c709e71a87d92d3f7d73cf0b133d1375d98db02308
+  metadata.gz: b154f2bcf3cb03386947ea1f137f55b53461c0dcaa0a6fde15c5098b276c809620fe3f94f90d110b416dd29b31a9ff75a5f5376d1cdaefaa98e5e9f713fd4c4c
+  data.tar.gz: 44ca4b68aa880bed6a62a92e757c4e48ead8afb5f4b71fb300c8156729062d79f9ac15333ba38e2e776c52c89dc03701070ef84040e8b5033ead9d7cac03eb25

data/lib/activitypub/base.rb

@@ -6,11 +6,11 @@ module ActivityPub
   class Error < StandardError; end
 
   
-  def self.from_json(json)
-    from_hash(JSON.parse(json))
+  def self.from_json(json, resolver: nil)
+    from_hash(JSON.parse(json), resolver:)
   end
 
-  def self.from_hash(h)
+  def self.from_hash(h, resolver: nil)
     type = h&.dig("type")
 
     raise Error, "'type' attribute is required" if !type
@@ -21,6 +21,7 @@ module ActivityPub
     klass = ActivityPub.const_get(type)
 
     ob = klass ? klass.new : nil
+    ob._resolver = resolver
 
     # FIXME: Useful for debug. Add flag to allow enabling.
     # ob.instance_variable_set("@_raw",h)
@@ -41,7 +42,8 @@ module ActivityPub
         end
 
         if t = klass.ap_types[attr]
-          v = t.new(v) if v
+          v = t.new(v) if v && !v.kind_of?(ActivityPub::Base)
+          v._resolver = ob._resolver if v
         end
         ob.instance_variable_set("@#{attr}", v) if !v.nil?
       end
@@ -57,6 +59,8 @@ module ActivityPub
     def _context = @_context || "https://www.w3.org/ns/activitystreams"
     def _type = self.class.name.split("::").last
 
+    attr_accessor :_resolver
+
 
     # FIXME: Allow specifying a type (e.g. URI)
     def self.ap_attr(name, type=nil)

data/lib/activitypub/resolvers.rb

@@ -0,0 +1,46 @@
+
+require 'uri'
+require 'faraday'
+
+# Classes to resolve URI's into objects.
+
+
+module ActivityPub
+
+  class WebResolver
+    def self.call(path)
+      response = Faraday.get(path, {}, {"Accept": "application/activity+json"})
+      if response.status == 200
+        ActivityPub.from_json(response.body)
+      else
+        response
+      end
+    end
+  end
+
+  #
+  # UnsafeResolver supports filesystem references. It's named as it is to make
+  # you stop and think. If you load remote objects and allow the use of UnsafeResolver,
+  # it *will* try to load things from your filesystem. If you subsequently
+  # allow access to that data in ways that are not strictly controlled, you run
+  # the risk of a security hole.
+  #
+  # A future version will likely allow containing this to specific paths,
+  # but currently it makes *NO ATTEMPTS* to sanitise paths, so paths including
+  # ".." etc. will allow filesystem traversal.
+  #
+  class UnsafeResolver
+    def initialize(base)
+      @base = base
+    end
+    
+    def call(path)
+      path = File.expand_path(File.join(@base, path))
+      if File.exist?(path)
+        data = File.read(path)
+        return ActivityPub.from_json(data)
+      end
+      WebResolver.call(path)
+    end
+  end
+end

data/lib/activitypub/types.rb

@@ -25,7 +25,7 @@ module ActivityPub
   class Object < Base
     ap_attr :id
     ap_attr :attachment
-    ap_attr :attributedTo
+    ap_attr :attributedTo, URI
     ap_attr :audience
     ap_attr :content
     ap_attr :context
@@ -238,8 +238,8 @@ module ActivityPub
 
     # Mastodon extension per
     # https://docs-p.joinmastodon.org/spec/activitypub/#extensions
-    ap_attr :likes
-    ap_attr :bookmarks
+    ap_attr :likes, URI
+    ap_attr :bookmarks, URI
     ap_attr :manuallyApprovesFollowers
   end
 

data/lib/activitypub/uri.rb

@@ -1,23 +1,20 @@
 
-require 'uri'
-require 'faraday'
+require_relative 'resolvers'
 
 module ActivityPub
   class URI
-    def initialize(href)
+    attr_accessor :_resolver
+
+    def initialize(href, resolver: nil)
       @href = href
+      @_resolver = resolver || WebResolver
     end
 
     def to_s = @href
     def to_json(...) = @href
 
     def get
-      response = Faraday.get(self.to_s, {}, {"Accept": "application/activity+json"})
-      if response.status == 200
-        ActivityPub.from_json(response.body)
-      else
-        response
-      end
+      @_resolver&.call(self.to_s)
     end
   end
 end

data/lib/activitypub/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActivityPub
-  VERSION = "0.4.2"
+  VERSION = "0.5.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activitypub
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.5.0
 platform: ruby
 authors:
 - Vidar Hokstad
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-07-16 00:00:00.000000000 Z
+date: 2024-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: webfinger
@@ -40,6 +40,7 @@ files:
 - examples/get_actor.rb
 - lib/activitypub.rb
 - lib/activitypub/base.rb
+- lib/activitypub/resolvers.rb
 - lib/activitypub/types.rb
 - lib/activitypub/uri.rb
 - lib/activitypub/version.rb