diff options
| author | Julia <julia@insertdomain.name> | 2024-11-20 18:20:09 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-11-21 08:20:09 +0900 |
| commit | 5f675201f261d5db6a58d3099a190372bb2f09f0 (patch) | |
| tree | 6b4a58d60234df8a9df24ba220cfbab0bf6ee27e /packages/backend/src/core/UtilityService.ts | |
| parent | New Crowdin updates (#15000) (diff) | |
| download | sharkey-5f675201f261d5db6a58d3099a190372bb2f09f0.tar.gz sharkey-5f675201f261d5db6a58d3099a190372bb2f09f0.tar.bz2 sharkey-5f675201f261d5db6a58d3099a190372bb2f09f0.zip | |
Merge commit from fork
* enhance: Add a few validation fixes from Sharkey
See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484
Co-Authored-By: Dakkar <dakkar@thenautilus.net>
* fix: primitive 2: acceptance of cross-origin alternate
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 3: validation of non-final url
* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities
* fix: primitives 5 & 8: reject activities with non
string identifiers
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 6: reject anonymous objects that were fetched by their id
* fix: primitives 9, 10 & 11: http signature validation
doesn't enforce required headers or specify auth header name
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections
* fix: code style for primitive 14
* fix: primitive 15: improper same-origin validation for
note uri and url
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 16: improper same-origin validation for user uri and url
* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array
* fix: code style for primitive 17
* fix: check attribution against actor in notes
While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.
* fix: primitive 18: `ap/get` bypasses access checks
One might argue that we could make this one actually preform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.
* fix: primitive 19 & 20: respect blocks and hide more
Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.
* fix: primitives 21, 22, and 23: reuse resolver
This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher that it previously would and could possibly
fail on non-malicious collection activities.
* fix: primitives 25-33: proper local instance checks
* revert: fix: primitive 19 & 20
This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.
---------
Co-authored-by: Dakkar <dakkar@thenautilus.net>
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
Diffstat (limited to 'packages/backend/src/core/UtilityService.ts')
| -rw-r--r-- | packages/backend/src/core/UtilityService.ts | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/packages/backend/src/core/UtilityService.ts b/packages/backend/src/core/UtilityService.ts index 86082ccdcd..9a2ba72ed3 100644 --- a/packages/backend/src/core/UtilityService.ts +++ b/packages/backend/src/core/UtilityService.ts @@ -35,6 +35,11 @@ export class UtilityService { } @bindThis + public isUriLocal(uri: string): boolean { + return this.punyHost(uri) === this.toPuny(this.config.host); + } + + @bindThis public isBlockedHost(blockedHosts: string[], host: string | null): boolean { if (host == null) return false; return blockedHosts.some(x => `.${host.toLowerCase()}`.endsWith(`.${x}`)); @@ -96,7 +101,7 @@ export class UtilityService { @bindThis public extractDbHost(uri: string): string { const url = new URL(uri); - return this.toPuny(url.hostname); + return this.toPuny(url.host); } @bindThis @@ -111,6 +116,13 @@ export class UtilityService { } @bindThis + public punyHost(url: string): string { + const urlObj = new URL(url); + const host = `${this.toPuny(urlObj.hostname)}${urlObj.port.length > 0 ? ':' + urlObj.port : ''}`; + return host; + } + + @bindThis public isFederationAllowedHost(host: string): boolean { if (this.meta.federation === 'none') return false; if (this.meta.federation === 'specified' && !this.meta.federationHosts.some(x => `.${host.toLowerCase()}`.endsWith(`.${x}`))) return false; |