summaryrefslogtreecommitdiff
path: root/src/queue/processors/http
diff options
context:
space:
mode:
Diffstat (limited to 'src/queue/processors/http')
-rw-r--r--src/queue/processors/http/deliver.ts23
-rw-r--r--src/queue/processors/http/process-inbox.ts86
2 files changed, 88 insertions, 21 deletions
diff --git a/src/queue/processors/http/deliver.ts b/src/queue/processors/http/deliver.ts
index e14a162105..621219fec6 100644
--- a/src/queue/processors/http/deliver.ts
+++ b/src/queue/processors/http/deliver.ts
@@ -7,19 +7,18 @@ export default async (job: bq.Job, done: any): Promise<void> => {
await request(job.data.user, job.data.to, job.data.content);
done();
} catch (res) {
- if (res == null || !res.hasOwnProperty('statusCode')) {
- console.warn(`deliver failed (unknown): ${res}`);
- return done();
- }
-
- if (res.statusCode == null) return done();
- if (res.statusCode >= 400 && res.statusCode < 500) {
- // HTTPステータスコード4xxはクライアントエラーであり、それはつまり
- // 何回再送しても成功することはないということなのでエラーにはしないでおく
- done();
+ if (res != null && res.hasOwnProperty('statusCode')) {
+ if (res.statusCode >= 400 && res.statusCode < 500) {
+ // HTTPステータスコード4xxはクライアントエラーであり、それはつまり
+ // 何回再送しても成功することはないということなのでエラーにはしないでおく
+ done();
+ } else {
+ console.warn(`deliver failed: ${res.statusCode} ${res.statusMessage} to=${job.data.to}`);
+ done(res.statusMessage);
+ }
} else {
- console.warn(`deliver failed: ${res.statusMessage}`);
- done(res.statusMessage);
+ console.warn(`deliver failed: ${res} to=${job.data.to}`);
+ done();
}
}
};
diff --git a/src/queue/processors/http/process-inbox.ts b/src/queue/processors/http/process-inbox.ts
index c9c2fa72cb..8e6b3769de 100644
--- a/src/queue/processors/http/process-inbox.ts
+++ b/src/queue/processors/http/process-inbox.ts
@@ -5,7 +5,9 @@ const httpSignature = require('http-signature');
import parseAcct from '../../../misc/acct/parse';
import User, { IRemoteUser } from '../../../models/user';
import perform from '../../../remote/activitypub/perform';
-import { resolvePerson } from '../../../remote/activitypub/models/person';
+import { resolvePerson, updatePerson } from '../../../remote/activitypub/models/person';
+import { toUnicode } from 'punycode';
+import { URL } from 'url';
const log = debug('misskey:queue:inbox');
@@ -32,22 +34,51 @@ export default async (job: bq.Job, done: any): Promise<void> => {
return;
}
- user = await User.findOne({ usernameLower: username, host: host.toLowerCase() }) as IRemoteUser;
-
- // アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する
- if (user === null) {
- user = await resolvePerson(activity.actor) as IRemoteUser;
+ // アクティビティ内のホストの検証
+ try {
+ ValidateActivity(activity, host);
+ } catch (e) {
+ console.warn(e.message);
+ done();
+ return;
}
+
+ user = await User.findOne({ usernameLower: username, host: host.toLowerCase() }) as IRemoteUser;
} else {
+ // アクティビティ内のホストの検証
+ const host = toUnicode(new URL(signature.keyId).hostname.toLowerCase());
+ try {
+ ValidateActivity(activity, host);
+ } catch (e) {
+ console.warn(e.message);
+ done();
+ return;
+ }
+
user = await User.findOne({
host: { $ne: null },
'publicKey.id': signature.keyId
}) as IRemoteUser;
+ }
- // アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する
- if (user === null) {
- user = await resolvePerson(activity.actor) as IRemoteUser;
+ // Update activityの場合は、ここで署名検証/更新処理まで実施して終了
+ if (activity.type === 'Update') {
+ if (activity.object && activity.object.type === 'Person') {
+ if (user == null) {
+ console.warn('Update activity received, but user not registed.');
+ } else if (!httpSignature.verifySignature(signature, user.publicKey.publicKeyPem)) {
+ console.warn('Update activity received, but signature verification failed.');
+ } else {
+ updatePerson(activity.actor, null, activity.object);
+ }
}
+ done();
+ return;
+ }
+
+ // アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する
+ if (user === null) {
+ user = await resolvePerson(activity.actor) as IRemoteUser;
}
if (user === null) {
@@ -69,3 +100,40 @@ export default async (job: bq.Job, done: any): Promise<void> => {
done(e);
}
};
+
+/**
+ * Validate host in activity
+ * @param activity Activity
+ * @param host Expect host
+ */
+function ValidateActivity(activity: any, host: string) {
+ // id (if exists)
+ if (typeof activity.id === 'string') {
+ const uriHost = toUnicode(new URL(activity.id).hostname.toLowerCase());
+ if (host !== uriHost) {
+ const diag = activity.signature ? '. Has LD-Signature. Forwarded?' : '';
+ throw new Error(`activity.id(${activity.id}) has different host(${host})${diag}`);
+ }
+ }
+
+ // actor (if exists)
+ if (typeof activity.actor === 'string') {
+ const uriHost = toUnicode(new URL(activity.actor).hostname.toLowerCase());
+ if (host !== uriHost) throw new Error('activity.actor has different host');
+ }
+
+ // For Create activity
+ if (activity.type === 'Create' && activity.object) {
+ // object.id (if exists)
+ if (typeof activity.object.id === 'string') {
+ const uriHost = toUnicode(new URL(activity.object.id).hostname.toLowerCase());
+ if (host !== uriHost) throw new Error('activity.object.id has different host');
+ }
+
+ // object.attributedTo (if exists)
+ if (typeof activity.object.attributedTo === 'string') {
+ const uriHost = toUnicode(new URL(activity.object.attributedTo).hostname.toLowerCase());
+ if (host !== uriHost) throw new Error('activity.object.attributedTo has different host');
+ }
+ }
+}
generated by cgit v1.2.3-freya (git 2.53.0.84.g453e7b744a) at 2026-03-25 22:59:38 +0000