Fix: forkbomb DOS mitigation

packages/backend/src/remote/activitypub/models/mention.ts

@@ -5,11 +5,9 @@ import * as promiseLimit from 'promise-limit';
 import Resolver from '../resolver';
 import { User } from '@/models/entities/user';
 
-export async function extractApMentions(tags: IObject | IObject[] | null | undefined) {
+export async function extractApMentions(tags: IObject | IObject[] | null | undefined, resolver: Resolver) {
 	const hrefs = unique(extractApMentionObjects(tags).map(x => x.href as string));
 
-	const resolver = new Resolver();
-
 	const limit = promiseLimit<User | null>(2);
 	const mentionedUsers = (await Promise.all(
 		hrefs.map(x => limit(() => resolvePerson(x, resolver).catch(() => null)))

packages/backend/src/remote/activitypub/models/note.ts

@@ -97,7 +97,7 @@ export async function createNote(value: string | IObject, resolver?: Resolver, s
 		throw new Error('actor has been suspended');
 	}
 
-	const noteAudience = await parseAudience(actor, note.to, note.cc);
+	const noteAudience = await parseAudience(actor, note.to, note.cc, resolver);
 	let visibility = noteAudience.visibility;
 	const visibleUsers = noteAudience.visibleUsers;
 
@@ -111,7 +111,7 @@ export async function createNote(value: string | IObject, resolver?: Resolver, s
 
 	let isTalk = note._misskey_talk && visibility === 'specified';
 
-	const apMentions = await extractApMentions(note.tag);
+	const apMentions = await extractApMentions(note.tag, resolver);
 	const apHashtags = await extractApHashtags(note.tag);
 
 	// 添付ファイル

packages/backend/src/remote/activitypub/resolver.ts

@@ -14,6 +14,7 @@ export default class Resolver {
 
 	constructor(recursionLimit = 100) {
 		this.history = new Set();
+		this.recursionLimit = recursionLimit;
 	}
 
 	public getHistory(): string[] {