| author | Laura Hausmann <laura@hausmann.dev> | 2024-10-24 04:18:49 +0200 |
|---|---|---|
| committer | Julia Johannesen <julia@insertdomain.name> | 2024-11-20 19:17:24 -0500 |
| commit | 4d925fc08683a9415c9488b5bcc516ca8f43d4af (patch) | |
| tree | 7c751c44bb4d407e71c5986ae44935577208e437 /packages/backend/src | |
| parent | fix: primitive 16: improper same-origin validation for user uri and url (diff) | |
| download | sharkey-4d925fc08683a9415c9488b5bcc516ca8f43d4af.tar.gz sharkey-4d925fc08683a9415c9488b5bcc516ca8f43d4af.tar.bz2 sharkey-4d925fc08683a9415c9488b5bcc516ca8f43d4af.zip | |
fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array
Diffstat (limited to 'packages/backend/src')
| -rw-r--r-- | packages/backend/src/core/activitypub/ApInboxService.ts | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts
index edd1041062..b5a97d34c4 100644
--- a/packages/backend/src/core/activitypub/ApInboxService.ts
+++ b/packages/backend/src/core/activitypub/ApInboxService.ts
@@ -426,6 +426,9 @@ export class ApInboxService {
 return 'skip: host in actor.uri !== note.id';
 }
 }
+ else {
+ return 'skip: note.id is not a string'
+ }
 }
 const unlock = await this.appLockService.getApLock(uri); |
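Review bot: The added `else` branch rejects a non-string `note.id` but carries no comment saying that this is a security check, and its `return` drops the trailing semicolon that the neighbouring `return 'skip: host in actor.uri !== note.id';` has. I would write it as `return 'skip: note.id is not a string';` with `// a non-string id (e.g. wrapped in an array) must not bypass the host comparison above` on the line before, so the branch is not later removed as apparently dead code. The enclosing conditions start outside the hunk, so it cannot be confirmed from here whether a note can still reach `getApLock(uri)` without passing either check when the outer condition is false; that is worth verifying. A regression test that feeds a note whose id is not a plain string and expects the skip result would pin the fix.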