| author | Laura Hausmann <laura@hausmann.dev> | 2024-10-24 05:07:58 +0200 |
|---|---|---|
| committer | Julia Johannesen <julia@insertdomain.name> | 2024-11-20 19:17:24 -0500 |
| commit | ebea1a296228fb2a7694e9090e4fa8080cbaa1ec (patch) | |
| tree | f30c8b099bdca317e0de801857f17bf06945e680 | |
| parent | fix: code style for primitive 14 (diff) | |
| download | sharkey-ebea1a296228fb2a7694e9090e4fa8080cbaa1ec.tar.gz sharkey-ebea1a296228fb2a7694e9090e4fa8080cbaa1ec.tar.bz2 sharkey-ebea1a296228fb2a7694e9090e4fa8080cbaa1ec.zip | |
fix: primitive 15: improper same-origin validation for note uri and url
| -rw-r--r-- | packages/backend/src/core/activitypub/models/ApNoteService.ts | 32 |
1 files changed, 28 insertions, 4 deletions
diff --git a/packages/backend/src/core/activitypub/models/ApNoteService.ts b/packages/backend/src/core/activitypub/models/ApNoteService.ts
index f404a77fbb..146ccb11a2 100644
--- a/packages/backend/src/core/activitypub/models/ApNoteService.ts
+++ b/packages/backend/src/core/activitypub/models/ApNoteService.ts
@@ -141,14 +141,24 @@ export class ApNoteService {
 		this.logger.debug(`Note fetched: ${JSON.stringify(note, null, 2)}`);
-		if (note.id && !checkHttps(note.id)) {
+		if (note.id == null) {
+			throw new Error('Refusing to create note without id');
+		}
+
+		if (!checkHttps(note.id)) {
 			throw new Error('unexpected schema of note.id: ' + note.id);
 		}
 		const url = getOneApHrefNullable(note.url);
-		if (url && !checkHttps(url)) {
-			throw new Error('unexpected schema of note url: ' + url);
+		if (url != null) {
+			if (!checkHttps(url)) {
+				throw new Error('unexpected schema of note url: ' + url);
+			}
+
+			if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(note.id)) {
+				throw new Error(`note url <> uri host mismatch: ${url} <> ${note.id}`);
+			}
 		}
 		this.logger.info(`Creating the Note: ${note.id}`);
@@ -366,7 +376,11 @@ export class ApNoteService {
 		this.logger.debug(`Note fetched: ${JSON.stringify(note, null, 2)}`);
-		if (note.id && !checkHttps(note.id)) {
+		if (note.id == null) {
+			throw new Error('Refusing to update note without id');
+		}
+
+		if (!checkHttps(note.id)) {
 			throw new Error('unexpected schema of note.id: ' + note.id);
 		}
@@ -376,6 +390,16 @@ export class ApNoteService {
 			throw new Error('unexpected schema of note url: ' + url);
 		}
+		if (url != null) {
+			if (!checkHttps(url)) {
+				throw new Error('unexpected schema of note url: ' + url);
+			}
+
+			if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(note.id)) {
+				throw new Error(`note url <> id host mismatch: ${url} <> ${note.id}`);
+			}
+		}
+
 		this.logger.info(`Creating the Note: ${note.id}`);
 		// 投稿者をフェッチ
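Review bot: The host comparison `this.utilityService.punyHost(url) !== this.utilityService.punyHost(note.id)` in this hunk, and the identical one in the third hunk, compares hosts only; if `punyHost` returns just the punycode hostname, a `url` on the same host but a different port still passes, which is weaker than the same-origin validation the commit title describes. Since both values have already passed `checkHttps` at this point, `if (new URL(url).origin !== new URL(note.id).origin) {` would cover scheme, ASCII-serialised host and non-default port in one comparison — worth confirming against what `punyHost` actually normalises before switching. The new id/url validation is also duplicated nearly verbatim between this create path and the update path in the third hunk, differing only in the error strings (`uri host mismatch` here, `id host mismatch` there), so a shared private method would keep the two from drifting. The enclosing method starts before the hunk and continues after it.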
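Review bot: The pre-existing `if (url && !checkHttps(url)) { throw ... }` block, visible as the context lines at the top of this hunk, is left in place, so the added `if (!checkHttps(url))` inside the new `if (url != null)` block is effectively redundant (it can only still fire for an empty string, which the old truthiness check skipped); the create path in the first hunk replaced the old check instead, and the update path should do the same by deleting the old three-line block rather than stacking a second check after it. The mismatch message also differs from the create path (`note url <> id host mismatch` here vs `note url <> uri host mismatch` there); one wording across both paths would keep log searches consistent. The enclosing method starts before the hunk, and only a few of its lines are visible here.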