fix(client): validate urls to improve security

author: syuilo <Syuilotan@yahoo.co.jp> 2023-02-04 14:20:07 +0900
committer: syuilo <Syuilotan@yahoo.co.jp> 2023-02-04 14:20:07 +0900
commit: 38f9d1e76428bea47c5944c440eab25428c7d99e (patch)
tree: 1be8cb88a5ee77f2770df402e9023b59ef33e5bf /packages/backend/src/server
parent: perf(server): improvement of external mediaProxy (#9787) (diff)
download: misskey-38f9d1e76428bea47c5944c440eab25428c7d99e.tar.gz
misskey-38f9d1e76428bea47c5944c440eab25428c7d99e.tar.bz2
misskey-38f9d1e76428bea47c5944c440eab25428c7d99e.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/packages/backend/src/server/web/UrlPreviewService.ts b/packages/backend/src/server/web/UrlPreviewService.ts
index 1bf88fe434..57461b7a33 100644
--- a/packages/backend/src/server/web/UrlPreviewService.ts
+++ b/packages/backend/src/server/web/UrlPreviewService.ts
@@ -73,6 +73,14 @@ export class UrlPreviewService {
 			});
 	
 			this.logger.succ(`Got preview of ${url}: ${summary.title}`);
+
+			if (summary.url && !(summary.url.startsWith('http://') || summary.url.startsWith('https://'))) {
+				throw new Error('unsupported schema included');
+			}
+
+			if (summary.player?.url && !(summary.player.url.startsWith('http://') || summary.player.url.startsWith('https://'))) {
+				throw new Error('unsupported schema included');
+			}
 	
 			summary.icon = this.wrap(summary.icon);
 			summary.thumbnail = this.wrap(summary.thumbnail);
author	syuilo <Syuilotan@yahoo.co.jp>	2023-02-04 14:20:07 +0900
committer	syuilo <Syuilotan@yahoo.co.jp>	2023-02-04 14:20:07 +0900
commit	38f9d1e76428bea47c5944c440eab25428c7d99e (patch)
tree	1be8cb88a5ee77f2770df402e9023b59ef33e5bf /packages/backend/src/server
parent	perf(server): improvement of external mediaProxy (#9787) (diff)
download	misskey-38f9d1e76428bea47c5944c440eab25428c7d99e.tar.gz misskey-38f9d1e76428bea47c5944c440eab25428c7d99e.tar.bz2 misskey-38f9d1e76428bea47c5944c440eab25428c7d99e.zip