Ignore posts with out-of-range timestamps#466
Merged
dahlia merged 1 commit intofedify-dev:mainfrom May 5, 2026
Merged
Conversation
Incoming ActivityPub posts whose published or updated timestamp is more than 12 hours in the future are now silently rejected before any remote dereferencing takes place. This prevents timeline manipulation via forged future timestamps. Posts with a published date before the Unix epoch (e.g. 1963) no longer crash the server: the UUIDv7 generator was receiving a negative millisecond value, causing an exception. The timestamp is now clamped to zero (Unix epoch) when generating the row ID. Also fixed onPostUpdated() in the federation inbox: it previously ignored the return value of persistPost(), so a rejected Update activity could still dispatch quoted_update notifications for the stale pre-update row. Fixes fedify-dev#67 Assisted-by: Claude Code:claude-sonnet-4-6 Assisted-by: Codex:gpt-5.5
Member
Author
|
@codex review |
|
Codex Review: Didn't find any major issues. More of your lovely PRs please. ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
#67 reports two bugs caused by fediverse posts with forged timestamps.
Hollo accepted remote posts whose
publishedvalue was far in the future and sorted them to the top of the federated timeline. UUIDv7 encodes the timestamp in the high bits, and timeline queries order by ID, so a post dated 2038 sorts ahead of posts created today. A remote actor that can deliver a valid ActivityPub object could keep content above newer posts for years.Hollo also crashed on posts dated before the Unix epoch. Those posts passed a negative millisecond value to
uuidv7(), which throws on negative input.In src/federation/post.ts,
persistPost()now validatespublishedandupdatedafter the existing-local-post checks and before any remote network requests. Posts more than 12 hours in the future are dropped before fetches or inserts. Pre-epoch posts are still accepted; theuuidv7()call clamps the timestamp to zero.onPostUpdated()in src/federation/inbox.ts now checkspersistPost()'s return value. Without that, a rejected Update activity could still dispatchquoted_updatenotifications against the stale pre-update row.src/federation/post.test.ts covers rejection at 13 hours, acceptance at 11 hours,
updatedtimestamps in the future, and pre-epoch dates no longer crashinguuidv7().Closes #67.