diff options
| author | 饺子w (Yumechi) <35571479+eternal-flame-AD@users.noreply.github.com> | 2025-02-23 04:21:34 -0600 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-02-23 19:21:34 +0900 |
| commit | 25052164c0971497f9177f88446b110e8ca91ce2 (patch) | |
| tree | 6df09b4f006d9322706d16f650c3e40b7dd7ceba /packages/backend/src/core/HttpRequestService.ts | |
| parent | ignore js-built (#15523) (diff) | |
| download | sharkey-25052164c0971497f9177f88446b110e8ca91ce2.tar.gz sharkey-25052164c0971497f9177f88446b110e8ca91ce2.tar.bz2 sharkey-25052164c0971497f9177f88446b110e8ca91ce2.zip | |
Merge commit from fork
* fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly.
[GHSA-6w2c-vf6f-xf26](https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26)
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
* Enhance: Add configuration option to disable all external redirects when responding to an ActivityPub lookup (config.disallowExternalApRedirect)
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
* fixup! fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly.
* docs & one edge case
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
* apply suggestions
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
* remove stale frontend reference to _responseInvalidIdHostNotMatch
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
* apply suggestions
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
---------
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
Diffstat (limited to 'packages/backend/src/core/HttpRequestService.ts')
| -rw-r--r-- | packages/backend/src/core/HttpRequestService.ts | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts index 083153940a..8085bbf961 100644 --- a/packages/backend/src/core/HttpRequestService.ts +++ b/packages/backend/src/core/HttpRequestService.ts @@ -16,7 +16,7 @@ import type { Config } from '@/config.js'; import { StatusError } from '@/misc/status-error.js'; import { bindThis } from '@/decorators.js'; import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js'; -import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js'; +import { assertActivityMatchesUrls, FetchAllowSoftFailMask } from '@/core/activitypub/misc/check-against-url.js'; import type { IObject } from '@/core/activitypub/type.js'; import type { Response } from 'node-fetch'; import type { URL } from 'node:url'; @@ -215,7 +215,7 @@ export class HttpRequestService { } @bindThis - public async getActivityJson(url: string, isLocalAddressAllowed = false): Promise<IObject> { + public async getActivityJson(url: string, isLocalAddressAllowed = false, allowSoftfail: FetchAllowSoftFailMask = FetchAllowSoftFailMask.Strict): Promise<IObject> { const res = await this.send(url, { method: 'GET', headers: { @@ -232,7 +232,7 @@ export class HttpRequestService { const finalUrl = res.url; // redirects may have been involved const activity = await res.json() as IObject; - assertActivityMatchesUrls(activity, [finalUrl]); + assertActivityMatchesUrls(url, activity, [finalUrl], allowSoftfail); return activity; } |