From 68d3e25a3d9c9ef524777bf36ab5a81030fdfe3c Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Wed, 27 Mar 2024 07:16:44 +0900
Subject: [PATCH] fix (backend): verify object id host matches final URL when fetching remote activities

https://iceshrimp.dev/iceshrimp/iceshrimp/commit/5f6096c1b7b37b771055e6e3b9d7b15ca10a05da

Co-authored-by: naskya
---
 src/remote/activitypub/request.ts | 9 ++++++---
 src/remote/activitypub/resolver.ts | 9 ++++++++-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/remote/activitypub/request.ts b/src/remote/activitypub/request.ts
index ac29d7faf..905cacdb8 100644
--- a/src/remote/activitypub/request.ts
+++ b/src/remote/activitypub/request.ts
@@ -70,8 +70,8 @@ export async function signedGet(url: string, user: ILocalUser) {
 export async function apGet(
 url: string,
 user?: ILocalUser,
- redirects: boolean = true
-): Promise {
+ redirects: boolean = true,
+): Promise<{ finalUrl: string; content: IObject }> {
 if (!isValidUrl(url)) {
 throw new StatusError('Invalid URL', 400);
 }
@@ -136,7 +136,10 @@ export async function apGet(
 const text = await res.text();
 if (text.length > 65536) throw new Error("too big result");
 
- return JSON.parse(text) as IObject;
+ return {
+ finalUrl: res.url,
+ content: JSON.parse(text) as IObject,
+ };
 }
 
 function validateContentType(contentType: string): boolean {
diff --git a/src/remote/activitypub/resolver.ts b/src/remote/activitypub/resolver.ts
index d321564aa..c8cd70988 100644
--- a/src/remote/activitypub/resolver.ts
+++ b/src/remote/activitypub/resolver.ts
@@ -82,7 +82,7 @@ export default class Resolver {
 this.user = await getInstanceActor();
 }
 
- const object = await apGet(value, this.user);
+ const { finalUrl, content: object } = await apGet(value, this.user);
 
 if (object == null || (
 Array.isArray(object['@context']) ?
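Review bot: The new return shape `{ finalUrl, content }` on the apGet signature is undocumented, and nothing states that `finalUrl` is the URL the response body was actually read from (`res.url`) rather than the `url` argument the caller passed. Since callers are now expected to compare `finalUrl` against `content.id` (resolver.ts in this same commit does exactly that), a TSDoc on apGet should spell out that contract, e.g. `@returns finalUrl — the URL the body came from after any redirects were followed (res.url); content — the parsed JSON body, asserted as IObject but not validated against the IObject shape`. When `redirects` is false the value presumably equals the requested `url`, which is worth confirming and stating in the same comment. apGet's body continues outside this hunk.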
@@ -92,6 +92,13 @@ export default class Resolver {
 throw new Error('invalid response');
 }
 
+ if (
+ object.id != null &&
+ new URL(finalUrl).host != new URL(object.id).host
+ ) {
+ throw new Error("Object ID host doesn't match final url host");
+ }
+
 return object;
 }
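Review bot: `new URL(object.id)` in the added check throws a TypeError when `id` is present but not a parseable URL, so a malformed remote object surfaces as a generic TypeError instead of the `'invalid response'` error the line above uses for every other malformed response; the fetch is still rejected, but the failure is harder to recognise in logs and in callers that match on the message. Parsing the id once under a try/catch, as below, gives a consistent error and also replaces the loose `!=` with `!==`. Two things the check deliberately leaves open deserve a comment next to it: an object with no `id` skips the host comparison entirely, and the comparison is against the post-redirect `finalUrl` rather than the `value` that was requested, so if any caller stores the result keyed by `value` instead of `object.id` that mismatch is not caught here (the callers are not visible from this hunk). The enclosing resolve method starts outside the hunk.
```typescript
		if (object.id != null) {
			let idHost: string;
			try {
				idHost = new URL(object.id).host;
			} catch {
				throw new Error('invalid response');
			}
			// Compared against the URL the body came from (res.url after redirects),
			// not the `value` that was originally requested.
			if (idHost !== new URL(finalUrl).host) {
				throw new Error("Object ID host doesn't match final url host");
			}
		}
		// … unchanged: return object …
```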