| author | dakkar <dakkar@thenautilus.net> | 2025-03-02 18:36:04 +0000 |
|---|---|---|
| committer | dakkar <dakkar@thenautilus.net> | 2025-03-02 18:36:04 +0000 |
| commit | 504e90c190bcf6adc71a47d9ca643ff088e649bf (patch) | |
| tree | ba3fa1cac7e7d09b622764b6dc895b0b7e489731 /packages/backend/src/server | |
| parent | merge: handle scheduled notes when deleting and migrating accounts - fixes #9... (diff) | |
| parent | filter `url` properties by `mediaType` (diff) | |
merge: Remove assertActivityMatchesUrls in favor of three-way same-authority checks (resolves #956 and #914) (!914)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/914
Closes #956 and #914
Approved-by: dakkar <dakkar@thenautilus.net>
Approved-by: Marie <github@yuugi.dev>
Diffstat (limited to 'packages/backend/src/server')
| -rw-r--r-- | packages/backend/src/server/api/endpoints/ap/show.ts | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/packages/backend/src/server/api/endpoints/ap/show.ts b/packages/backend/src/server/api/endpoints/ap/show.ts
index fc19e18e59..22bec8ef95 100644
--- a/packages/backend/src/server/api/endpoints/ap/show.ts
+++ b/packages/backend/src/server/api/endpoints/ap/show.ts
@@ -7,7 +7,7 @@ import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { MiNote } from '@/models/Note.js';
 import type { MiLocalUser, MiUser } from '@/models/User.js';
-import { isActor, isPost, getApId, getNullableApId, ObjectWithId } from '@/core/activitypub/type.js';
+import { isActor, isPost, getApId, getNullableApId } from '@/core/activitypub/type.js';
 import type { SchemaType } from '@/misc/json-schema.js';
 import { ApResolverService } from '@/core/activitypub/ApResolverService.js';
 import { ApDbResolverService } from '@/core/activitypub/ApDbResolverService.js';
@@ -154,7 +154,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 // Before we fetch, resolve the URI in case it has a cross-origin redirect or anything like that.
 // Resolver.resolve() uses strict verification, which is overly paranoid for a user-provided lookup.
 uri = await this.resolveCanonicalUri(uri); // eslint-disable-line no-param-reassign
- if (!this.utilityService.isFederationAllowedUri(uri)) return null;
+ if (!this.utilityService.isFederationAllowedUri(uri)) {
+ throw new ApiError(meta.errors.federationNotAllowed);
+ }
 const host = this.utilityService.extractDbHost(uri);
@@ -244,7 +246,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 */
 private async resolveCanonicalUri(uri: string): Promise<string> {
 const user = await this.instanceActorService.getInstanceActor();
- const res = await this.apRequestService.signedGet(uri, user, true) as ObjectWithId;
+ const res = await this.apRequestService.signedGet(uri, user, true);
 return getNullableApId(res) ?? uri;
 }
 } |
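Review bot: The `isFederationAllowedUri(uri)` guard in the second hunk (old line 154) runs only after `resolveCanonicalUri(uri)` has already sent a signed GET to the caller-supplied URI, so by itself it covers the canonical URI but not the first outbound request. Whether the original URI is checked earlier in this method is not visible, because the method starts outside the hunk. If it is not, the same guard should also precede the resolve call: `if (!this.utilityService.isFederationAllowedUri(uri)) throw new ApiError(meta.errors.federationNotAllowed);`. The new throw also depends on `ApiError` and `meta.errors.federationNotAllowed` being declared outside the visible lines, which is worth confirming.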
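Review bot: In the third hunk, `resolveCanonicalUri` returns `getNullableApId(res)` straight from a remote response body, and nothing in the method tells callers that the value is remote-controlled and unverified. The doc comment (which begins outside the hunk and ends at the `*/` shown) should say so, e.g. `@returns the id reported by the remote object, or the input URI if none; not validated here, so callers must re-check it (isFederationAllowedUri) before fetching`. The bare `true` passed to `signedGet` would also benefit from a short inline comment naming what it enables, since the cast that hinted at the expected response shape is now gone.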