Inbox: Apply disallowed list before processing (#1590)

obenland · web-flow · commit 11270b65a2d0 · 2025-04-22T10:26:54.000-05:00
diff --git a/.github/changelog/1590-from-description b/.github/changelog/1590-from-description
@@ -0,0 +1,4 @@
+Significance: minor
+Type: changed
+
+Added WordPress disallowed list filtering to block unwanted ActivityPub interactions.
diff --git a/includes/rest/class-inbox-controller.php b/includes/rest/class-inbox-controller.php
@@ -8,6 +8,7 @@
 namespace Activitypub\Rest;
 
 use Activitypub\Activity\Activity;
+use Activitypub\Debug;
 
 /**
  * Inbox_Controller class.
@@ -127,27 +128,31 @@ public function register_routes() {
 	public function create_item( $request ) {
 		$data     = $request->get_json_params();
 		$activity = Activity::init_from_array( $data );
-		$type     = $request->get_param( 'type' );
-		$type     = \strtolower( $type );
-
-		/**
-		 * ActivityPub inbox action.
-		 *
-		 * @param array              $data     The data array.
-		 * @param int|null           $user_id  The user ID.
-		 * @param string             $type     The type of the activity.
-		 * @param Activity|\WP_Error $activity The Activity object.
-		 */
-		\do_action( 'activitypub_inbox', $data, null, $type, $activity );
-
-		/**
-		 * ActivityPub inbox action for specific activity types.
-		 *
-		 * @param array              $data     The data array.
-		 * @param int|null           $user_id  The user ID.
-		 * @param Activity|\WP_Error $activity The Activity object.
-		 */
-		\do_action( 'activitypub_inbox_' . $type, $data, null, $activity );
+		$type     = \strtolower( $request->get_param( 'type' ) );
+
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+		if ( wp_check_comment_disallowed_list( $activity->to_json( false ), '', '', '', $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '' ) ) {
+			Debug::write_log( 'Blocked activity from: ' . $activity->get_actor() );
+		} else {
+			/**
+			 * ActivityPub inbox action.
+			 *
+			 * @param array              $data     The data array.
+			 * @param int|null           $user_id  The user ID.
+			 * @param string             $type     The type of the activity.
+			 * @param Activity|\WP_Error $activity The Activity object.
+			 */
+			\do_action( 'activitypub_inbox', $data, null, $type, $activity );
+
+			/**
+			 * ActivityPub inbox action for specific activity types.
+			 *
+			 * @param array              $data     The data array.
+			 * @param int|null           $user_id  The user ID.
+			 * @param Activity|\WP_Error $activity The Activity object.
+			 */
+			\do_action( 'activitypub_inbox_' . $type, $data, null, $activity );
+		}
 
 		$response = \rest_ensure_response( array() );
 		$response->set_status( 202 );
diff --git a/tests/includes/rest/class-test-inbox-controller.php b/tests/includes/rest/class-test-inbox-controller.php
@@ -84,6 +84,54 @@ public function test_create_item() {
 		\remove_filter( 'activitypub_defer_signature_verification', '__return_true' );
 	}
 
+	/**
+	 * Test disallow list block.
+	 *
+	 * @covers ::create_item
+	 */
+	public function test_disallow_list_block() {
+		\add_filter( 'activitypub_defer_signature_verification', '__return_true' );
+
+		// Add a keyword that will be in our test content.
+		\update_option( 'disallowed_keys', 'https://remote.example/@test' );
+
+		// Set up mock action.
+		$inbox_action = new \MockAction();
+		\add_action( 'activitypub_inbox', array( $inbox_action, 'action' ) );
+
+		// Create a valid request with content that contains the disallowed keyword.
+		$json = array(
+			'id'     => 'https://remote.example/@id',
+			'type'   => 'Create',
+			'actor'  => 'https://remote.example/@test',
+			'object' => array(
+				'id'        => 'https://remote.example/post/test',
+				'type'      => 'Note',
+				'content'   => 'Hello, World!',
+				'inReplyTo' => 'https://local.example/post/test',
+				'published' => '2020-01-01T00:00:00Z',
+			),
+		);
+
+		$request = new \WP_REST_Request( 'POST', '/' . ACTIVITYPUB_REST_NAMESPACE . '/inbox' );
+		$request->set_header( 'Content-Type', 'application/activity+json' );
+		$request->set_body( \wp_json_encode( $json ) );
+
+		// Dispatch the request.
+		$response = \rest_do_request( $request );
+
+		// Verify the response is still successful (202).
+		$this->assertEquals( 202, $response->get_status() );
+
+		// Verify that the hooks were not called.
+		$this->assertEquals( 0, $inbox_action->get_call_count(), 'activitypub_inbox hook should not be called when content is disallowed' );
+
+		// Clean up.
+		\delete_option( 'disallowed_keys' );
+		\remove_filter( 'activitypub_defer_signature_verification', '__return_true' );
+		\remove_action( 'activitypub_inbox', array( $inbox_action, 'action' ) );
+	}
+
 	/**
 	 * Test whether an activity is public.
 	 *
