| author | dakkar <dakkar@thenautilus.net> | 2025-03-02 18:36:04 +0000 |
|---|---|---|
| committer | dakkar <dakkar@thenautilus.net> | 2025-03-02 18:36:04 +0000 |
| commit | 504e90c190bcf6adc71a47d9ca643ff088e649bf (patch) | |
| tree | ba3fa1cac7e7d09b622764b6dc895b0b7e489731 /packages/backend/src/core/HttpRequestService.ts | |
| parent | merge: handle scheduled notes when deleting and migrating accounts - fixes #9... (diff) | |
| parent | filter `url` properties by `mediaType` (diff) | |
merge: Remove assertActivityMatchesUrls in favor of three-way same-authority checks (resolves #956 and #914) (!914)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/914
Closes #956 and #914
Approved-by: dakkar <dakkar@thenautilus.net>
Approved-by: Marie <github@yuugi.dev>
Diffstat (limited to 'packages/backend/src/core/HttpRequestService.ts')
| -rw-r--r-- | packages/backend/src/core/HttpRequestService.ts | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts
index 083153940a..19992a7597 100644
--- a/packages/backend/src/core/HttpRequestService.ts
+++ b/packages/backend/src/core/HttpRequestService.ts
@@ -16,8 +16,8 @@ import type { Config } from '@/config.js';
 import { StatusError } from '@/misc/status-error.js';
 import { bindThis } from '@/decorators.js';
 import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js';
-import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
-import type { IObject } from '@/core/activitypub/type.js';
+import { IObject } from '@/core/activitypub/type.js';
+import { ApUtilityService } from './activitypub/ApUtilityService.js';
 import type { Response } from 'node-fetch';
 import type { URL } from 'node:url';
@@ -145,6 +145,7 @@ export class HttpRequestService {
 constructor(
 @Inject(DI.config)
 private config: Config,
+ private readonly apUtilityService: ApUtilityService,
 ) {
 const cache = new CacheableLookup({
 maxTtl: 3600, // 1hours
@@ -198,6 +199,7 @@ export class HttpRequestService {
 * Get agent by URL
 * @param url URL
 * @param bypassProxy Allways bypass proxy
+ * @param isLocalAddressAllowed
 */
 @bindThis
 public getAgentByUrl(url: URL, bypassProxy = false, isLocalAddressAllowed = false): http.Agent | https.Agent {
@@ -229,10 +231,11 @@ export class HttpRequestService {
 validators: [validateContentTypeSetAsActivityPub],
 });
- const finalUrl = res.url; // redirects may have been involved
 const activity = await res.json() as IObject;
- assertActivityMatchesUrls(activity, [finalUrl]);
+ // Make sure the object ID matches the final URL (which is where it actually exists).
+ // The caller (ApResolverService) will verify the ID against the original / entry URL, which ensures that all three match.
+ this.apUtilityService.assertIdMatchesUrlAuthority(activity, res.url);
 return activity;
 } |
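Review bot: The `IObject` import loses its `type` modifier in the first hunk, although the visible new code uses it only as an assertion target (`res.json() as IObject`). Keeping `import type { IObject } from '@/core/activitypub/type.js';` matches the neighbouring type-only imports and ensures no runtime import is emitted under stricter module settings. The new `ApUtilityService` import is rightly a value import because the constructor injects it, but it uses a relative path where the surrounding imports use the `@/` alias; `import { ApUtilityService } from '@/core/activitypub/ApUtilityService.js';` would be consistent.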
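Review bot: The added `@param isLocalAddressAllowed` tag in the third hunk has no description, yet it is the parameter a reader most needs explained, since by its name it relaxes the restriction on connecting to local addresses. I would document it along the lines of `@param isLocalAddressAllowed Permit connections to private/loopback addresses; keep false for URLs derived from remote input`, with the wording confirmed against the agent-selection logic, which lies outside the hunk. The `Allways` typo on the context line above could be fixed in the same pass.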
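Review bot: The check added before `return activity;` in the last hunk covers only the final, post-redirect URL, and the new comment delegates the comparison against the requested URL to ApResolverService, so any other caller of this method gets only the two-way guarantee. That contract belongs in the method's doc comment rather than in a body comment; the signature is outside the hunk, but I would add a line such as `@remarks Callers must also verify the returned object's id against the URL they requested.` Separately, `activity` is an unvalidated `res.json() as IObject`, so `assertIdMatchesUrlAuthority` has to reject a missing or non-string `id` itself. Its implementation is not visible here, so it is worth confirming that a test covers that case.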