fix (backend): verify object id host matches final URL when fetching …

…remote activities https://iceshrimp.dev/iceshrimp/iceshrimp/commit/5f6096c1b7b37b771055e6e3b9d7b15ca10a05da Co-authored-by: naskya <[email protected]>
sakura-tel · Mar 31, 2024 · 68d3e25 · 68d3e25
1 parent 0f5dec0
commit 68d3e25
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/src/remote/activitypub/request.ts b/src/remote/activitypub/request.ts
@@ -70,8 +70,8 @@ export async function signedGet(url: string, user: ILocalUser) {
 export async function apGet(
 	url: string,
 	user?: ILocalUser,
-	redirects: boolean = true
-): Promise<IObject> {
+	redirects: boolean = true,
+): Promise<{ finalUrl: string; content: IObject }> {
 	if (!isValidUrl(url)) {
 		throw new StatusError('Invalid URL', 400);
 	}
@@ -136,7 +136,10 @@ export async function apGet(
 	const text = await res.text();
 	if (text.length > 65536) throw new Error("too big result");
 
-	return JSON.parse(text) as IObject;
+	return {
+		finalUrl: res.url,
+		content: JSON.parse(text) as IObject,
+	};
 }
 
 function validateContentType(contentType: string): boolean {

diff --git a/src/remote/activitypub/resolver.ts b/src/remote/activitypub/resolver.ts
@@ -82,7 +82,7 @@ export default class Resolver {
 			this.user = await getInstanceActor();
 		}
 
-		const object = await apGet(value, this.user);
+		const { finalUrl, content: object } = await apGet(value, this.user);
 
 		if (object == null || (
 			Array.isArray(object['@context']) ?
@@ -92,6 +92,13 @@ export default class Resolver {
 			throw new Error('invalid response');
 		}
 
+		if (
+			object.id != null &&
+			new URL(finalUrl).host != new URL(object.id).host
+		) {
+			throw new Error("Object ID host doesn't match final url host");
+		}
+
 		return object;
 	}