| author | Hazelnoot <acomputerdog@gmail.com> | 2025-02-22 14:12:05 -0500 |
|---|---|---|
| committer | Hazelnoot <acomputerdog@gmail.com> | 2025-03-02 11:06:29 -0500 |
| commit | a568333ecd17edd1a4752abe755bb223fbfe44f4 (patch) | |
| tree | 2cb0054b8df518ce55b51deb4c552d6b598387d8 /packages/backend/src/server/api/endpoints | |
| parent | merge: Add "reject quotes" settings (!901) (diff) | |
remove assertActivityMatchesUrls in favor of three-way same-authority checks
Diffstat (limited to 'packages/backend/src/server/api/endpoints')
| -rw-r--r-- | packages/backend/src/server/api/endpoints/ap/show.ts | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/packages/backend/src/server/api/endpoints/ap/show.ts b/packages/backend/src/server/api/endpoints/ap/show.ts
index fc19e18e59..22bec8ef95 100644
--- a/packages/backend/src/server/api/endpoints/ap/show.ts
+++ b/packages/backend/src/server/api/endpoints/ap/show.ts
@@ -7,7 +7,7 @@ import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { MiNote } from '@/models/Note.js';
 import type { MiLocalUser, MiUser } from '@/models/User.js';
-import { isActor, isPost, getApId, getNullableApId, ObjectWithId } from '@/core/activitypub/type.js';
+import { isActor, isPost, getApId, getNullableApId } from '@/core/activitypub/type.js';
 import type { SchemaType } from '@/misc/json-schema.js';
 import { ApResolverService } from '@/core/activitypub/ApResolverService.js';
 import { ApDbResolverService } from '@/core/activitypub/ApDbResolverService.js';
@@ -154,7 +154,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 // Before we fetch, resolve the URI in case it has a cross-origin redirect or anything like that.
 // Resolver.resolve() uses strict verification, which is overly paranoid for a user-provided lookup.
 uri = await this.resolveCanonicalUri(uri); // eslint-disable-line no-param-reassign
- if (!this.utilityService.isFederationAllowedUri(uri)) return null;
+ if (!this.utilityService.isFederationAllowedUri(uri)) {
+ throw new ApiError(meta.errors.federationNotAllowed);
+ }
 const host = this.utilityService.extractDbHost(uri);
@@ -244,7 +246,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 */
 private async resolveCanonicalUri(uri: string): Promise<string> {
 const user = await this.instanceActorService.getInstanceActor();
- const res = await this.apRequestService.signedGet(uri, user, true) as ObjectWithId;
+ const res = await this.apRequestService.signedGet(uri, user, true);
 return getNullableApId(res) ?? uri;
 }
 } |
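Review bot: In the `-154,7 +154,9` hunk the federation check still runs only after `resolveCanonicalUri(uri)`, which (per the last hunk) issues a `signedGet` as the instance actor to the user-supplied URI, so within these lines a signed request leaves the server before the destination is checked against the federation rules. The enclosing method starts outside the hunk, so an earlier check may already exist; if it does not, add `if (!this.utilityService.isFederationAllowedUri(uri)) throw new ApiError(meta.errors.federationNotAllowed);` ahead of the resolve call and keep the new post-resolve check for the canonical id. A short comment stating that the check is deliberately repeated because the canonical id may differ from the requested URI would stop a later cleanup from removing one of the two.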
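Review bot: In the `-244,7 +246,7` hunk `resolveCanonicalUri` returns `getNullableApId(res)` straight from the remote response, and nothing in these lines compares that id's authority with the URI that was actually fetched. The commit title suggests the same-authority checks are enforced elsewhere, so this may be intended, but the contract should be written down next to the return, for example `// id comes from the remote document and is unverified here; callers must apply the same-authority check before trusting it`. With the `as ObjectWithId` cast gone, it is also worth confirming that the declared return type of `signedGet` is accepted by `getNullableApId` without falling back to `any`. The method's doc comment begins outside the hunk.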