fix (backend): stricter hostname checking when fetching remote objects

Co-authored-by: naskya <[email protected]>
sakura-tel · Mar 31, 2024 · aed7dd1 · aed7dd1
1 parent 68d3e25
commit aed7dd1
Showing 1 changed file with 12 additions and 5 deletions.
diff --git a/src/remote/activitypub/resolver.ts b/src/remote/activitypub/resolver.ts
@@ -92,14 +92,21 @@ export default class Resolver {
 			throw new Error('invalid response');
 		}
 
-		if (
-			object.id != null &&
-			new URL(finalUrl).host != new URL(object.id).host
-		) {
+		if (object.id == null) return object;
+		if (finalUrl === object.id) return object;
+
+		if (new URL(finalUrl).host !== new URL(object.id).host) {
 			throw new Error("Object ID host doesn't match final url host");
 		}
 
-		return object;
+		const finalRes = await apGet(object.id, this.user);
+
+		if (finalRes.finalUrl !== finalRes.content.id)
+			throw new Error(
+				"Object ID still doesn't match final URL after second fetch attempt",
+			);
+
+		return finalRes.content;
 	}
 
 	private async resolveLocal(url: string): Promise<IObject> {