diff options
| author | piuvas <piuvas@proton.me> | 2025-04-19 23:04:48 -0300 |
|---|---|---|
| committer | piuvas <piuvas@proton.me> | 2025-04-19 23:04:48 -0300 |
| commit | 6a775127379c5534fd3e0f664f5039d77717ab59 (patch) | |
| tree | 73cc57564f5cb6611cc2fcb2649e693ebb6b921a /packages/backend/src | |
| parent | merge: fix: friendlycaptcha always failing (!963) (diff) | |
| download | sharkey-6a775127379c5534fd3e0f664f5039d77717ab59.tar.gz sharkey-6a775127379c5534fd3e0f664f5039d77717ab59.tar.bz2 sharkey-6a775127379c5534fd3e0f664f5039d77717ab59.zip | |
refactor link verification.
Diffstat (limited to 'packages/backend/src')
| -rw-r--r-- | packages/backend/src/misc/verify-field-link.ts | 32 | ||||
| -rw-r--r-- | packages/backend/src/server/api/endpoints/i/update.ts | 13 |
2 files changed, 44 insertions, 1 deletions
diff --git a/packages/backend/src/misc/verify-field-link.ts b/packages/backend/src/misc/verify-field-link.ts new file mode 100644 index 0000000000..9f9a37d655 --- /dev/null +++ b/packages/backend/src/misc/verify-field-link.ts @@ -0,0 +1,32 @@ +/* +* SPDX-FileCopyrightText: piuvas and other Sharkey contributors +* SPDX-License-Identifier: AGPL-3.0-only +*/ + +import { JSDOM } from 'jsdom'; +import { HttpRequestService } from '@/core/HttpRequestService.js'; +import { safeForSql } from './safe-for-sql.js'; + + +export async function verifyFieldLink(field_url: string, profile_url: string, httpRequestService: HttpRequestService): Promise<boolean | undefined> { + if (!safeForSql(field_url)) return; + + try { + const html = await httpRequestService.getHtml(field_url); + + const { window } = new JSDOM(html); + const doc: Document = window.document; + + const aEls = Array.from(doc.getElementsByTagName('a')); + const linkEls = Array.from(doc.getElementsByTagName('link')); + + const includesProfileLinks = [...aEls, ...linkEls].some(link => link.rel === 'me' && link.href === profile_url); + + window.close(); + + return includesProfileLinks; + } catch (err) { + // なにもしない + return; + } +} diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts index f1d201d081..b6675505e0 100644 --- a/packages/backend/src/server/api/endpoints/i/update.ts +++ b/packages/backend/src/server/api/endpoints/i/update.ts @@ -31,6 +31,7 @@ import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.j import { HttpRequestService } from '@/core/HttpRequestService.js'; import type { Config } from '@/config.js'; import { safeForSql } from '@/misc/safe-for-sql.js'; +import { verifyFieldLink } from '@/misc/verify-field-link.js' import { AvatarDecorationService } from '@/core/AvatarDecorationService.js'; import { notificationRecieveConfig } from '@/models/json-schema/user.js'; import { userUnsignedFetchOptions } from '@/const.js'; @@ -613,13 +614,23 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint- const urls = updatedProfile.fields.filter(x => x.value.startsWith('https://')); for (const url of urls) { - this.verifyLink(url.value, user); + // this is a different, broader implementation so we can support remote users. + const includesProfileLinks = await verifyFieldLink(url.value, `${this.config.url}/@${user.username}`, this.httpRequestService); + if (includesProfileLinks) { + await userProfilesRepository.createQueryBuilder('profile').update() + .where('userId = :userId', { userId: user.id }) + .set({ + verifiedLinks: () => `array_append("verifiedLinks", '${url}')`, // ここでSQLインジェクションされそうなのでとりあえず safeForSql で弾いている + }) + .execute(); + } } return iObj; }); } + // this function is superseded by '@/misc/verify-field-link.ts' private async verifyLink(url: string, user: MiLocalUser) { if (!safeForSql(url)) return; |