Use JSON.parse in AP inboxes (#38238)

2026-03-29 03:00:33 +02:00 · 2026-03-16 12:58:13 -04:00
parent 3832030711
commit 16c41e035b
2 changed files with 20 additions and 2 deletions
--- a/app/controllers/activitypub/inboxes_controller.rb
+++ b/app/controllers/activitypub/inboxes_controller.rb
@@ -26,9 +26,9 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
  end

  def unknown_affected_account?
-    json = Oj.load(body, mode: :strict)
+    json = JSON.parse(body)
    json.is_a?(Hash) && %w(Delete Update).include?(json['type']) && json['actor'].present? && json['actor'] == value_or_id(json['object']) && !Account.exists?(uri: json['actor'])
-  rescue Oj::ParseError
+  rescue JSON::ParserError
    false
  end

--- a/spec/requests/activitypub/inboxes_spec.rb
+++ b/spec/requests/activitypub/inboxes_spec.rb
@@ -156,6 +156,24 @@ RSpec.describe 'ActivityPub Inboxes' do
        expect(response)
          .to have_http_status(401)
      end
+
+      context 'when sending an unknown account' do
+        let(:unknown_actor) do
+          {
+            actor: 'https://unknown-actor.host',
+            object: 'https://unknown-actor.host',
+            type: 'Update',
+          }
+        end
+        let(:headers) { { 'CONTENT_TYPE' => 'application/json' } }
+
+        it 'returns http accepted' do
+          post(inbox_path, params: unknown_actor.to_json, headers:)
+
+          expect(response)
+            .to have_http_status(202)
+        end
+      end
    end
  end
 end