fix(server): validate url from ap to improve security

author: syuilo <Syuilotan@yahoo.co.jp> 2023-02-08 17:50:23 +0900
committer: syuilo <Syuilotan@yahoo.co.jp> 2023-02-08 17:50:23 +0900
commit: 0da0cc80b94c1a8032b79e0a345378557019ff19 (patch)
tree: a235d7d3853bf8e308e3b06a2fb214fcad15fe1c
parent: perf(client): do not render custom emojis in user names (diff)
download: misskey-0da0cc80b94c1a8032b79e0a345378557019ff19.tar.gz
misskey-0da0cc80b94c1a8032b79e0a345378557019ff19.tar.bz2
misskey-0da0cc80b94c1a8032b79e0a345378557019ff19.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/packages/backend/src/core/activitypub/models/ApImageService.ts b/packages/backend/src/core/activitypub/models/ApImageService.ts
index d01817b0de..928ef1ae79 100644
--- a/packages/backend/src/core/activitypub/models/ApImageService.ts
+++ b/packages/backend/src/core/activitypub/models/ApImageService.ts
@@ -48,6 +48,10 @@ export class ApImageService {
 			throw new Error('invalid image: url not privided');
 		}
 
+		if (!image.url.startsWith('https://')) {
+			throw new Error('invalid image: unexpected shcema of url: ' + image.url);
+		}
+
 		this.logger.info(`Creating the Image: ${image.url}`);
 
 		const instance = await this.metaService.fetch();
author	syuilo <Syuilotan@yahoo.co.jp>	2023-02-08 17:50:23 +0900
committer	syuilo <Syuilotan@yahoo.co.jp>	2023-02-08 17:50:23 +0900
commit	0da0cc80b94c1a8032b79e0a345378557019ff19 (patch)
tree	a235d7d3853bf8e308e3b06a2fb214fcad15fe1c
parent	perf(client): do not render custom emojis in user names (diff)
download	misskey-0da0cc80b94c1a8032b79e0a345378557019ff19.tar.gz misskey-0da0cc80b94c1a8032b79e0a345378557019ff19.tar.bz2 misskey-0da0cc80b94c1a8032b79e0a345378557019ff19.zip