activitypub: fix possibility of spoofing by containing remote objects to the same domain as their actor

lib/pleroma/web/activity_pub/activity_pub.ex

@@ -747,6 +747,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
              "actor" => data["attributedTo"],
              "object" => data
            },
+           :ok <- Transmogrifier.contain_origin(id, params),
            {:ok, activity} <- Transmogrifier.handle_incoming(params) do
         {:ok, Object.normalize(activity.data["object"])}
       else

lib/pleroma/web/activity_pub/transmogrifier.ex

@@ -31,6 +31,20 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
   end
 
   @doc """
+  Checks that an imported AP object's actor matches the domain it came from.
+  """
+  def contain_origin(id, %{"actor" => actor}) do
+    id_uri = URI.parse(id)
+    actor_uri = URI.parse(actor)
+
+    if id_uri.host == actor_uri.host do
+      :ok
+    else
+      :error
+    end
+  end
+
+  @doc """
   Modifies an incoming AP object (mastodon format) to our internal format.
   """
   def fix_object(object) do