authorJaehong Kang <sinoru@me.com>2023-11-15 11:13:34 +0900
committerGitHub <noreply@github.com>2023-11-15 11:13:34 +0900
commit04075ee0bede198452dcd5e8ca6a00a3b750208b (patch)
treea8b72ba2146a15ce62e79a63fc5e229b13b15113 /packages/backend
parentfix(backend): 非公開の投稿に対して返信できないように (#12333) (diff)
downloadsharkey-04075ee0bede198452dcd5e8ca6a00a3b750208b.tar.gz
sharkey-04075ee0bede198452dcd5e8ca6a00a3b750208b.tar.bz2
sharkey-04075ee0bede198452dcd5e8ca6a00a3b750208b.zip
enhance(backend): Implementation of HTTP header and body validation to fix SIF-2023-002 (#12334)
Using Buffer instead of string Co-authored-by: perillamint <perillamint@silicon.moe>
Diffstat (limited to 'packages/backend')
-rw-r--r--packages/backend/package.json1
-rw-r--r--packages/backend/src/server/ActivityPubServerService.ts26
-rw-r--r--packages/backend/src/server/ServerService.ts4
3 files changed, 26 insertions, 5 deletions
diff --git a/packages/backend/package.json b/packages/backend/package.json
index c0e9016c91..beb9661fa1 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -151,6 +151,7 @@
"rss-parser": "3.13.0",
"rxjs": "7.8.1",
"sanitize-html": "2.11.0",
+ "secure-json-parse": "^2.4.0",
"sharp": "0.32.6",
"sharp-read-bmp": "github:misskey-dev/sharp-read-bmp",
"slacc": "0.0.10",
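Review bot: The new `secure-json-parse` entry uses a caret range while every neighbouring dependency in this hunk (`rss-parser`, `rxjs`, `sanitize-html`, `sharp`, `slacc`) is pinned to an exact version; a floating range lets a later install resolve a different release than the one reviewed here. Pinning it as `"secure-json-parse": "2.4.0"` keeps the file consistent with its neighbours and makes the resolved version auditable from package.json alone.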
diff --git a/packages/backend/src/server/ActivityPubServerService.ts b/packages/backend/src/server/ActivityPubServerService.ts
index 17c503ef8e..2c9e2cf24f 100644
--- a/packages/backend/src/server/ActivityPubServerService.ts
+++ b/packages/backend/src/server/ActivityPubServerService.ts
@@ -11,6 +11,7 @@ import httpSignature from '@peertube/http-signature';
import { Brackets, In, IsNull, LessThan, Not } from 'typeorm';
import accepts from 'accepts';
import vary from 'vary';
+import secureJson from 'secure-json-parse';
import { DI } from '@/di-symbols.js';
import type { FollowingsRepository, NotesRepository, EmojisRepository, NoteReactionsRepository, UserProfilesRepository, UserNotePiningsRepository, UsersRepository, FollowRequestsRepository } from '@/models/_.js';
import * as url from '@/misc/prelude/url.js';
@@ -28,7 +29,7 @@ import { UserEntityService } from '@/core/entities/UserEntityService.js';
import { bindThis } from '@/decorators.js';
import { IActivity } from '@/core/activitypub/type.js';
import { isPureRenote } from '@/misc/is-pure-renote.js';
-import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOptions } from 'fastify';
+import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOptions, FastifyBodyParser } from 'fastify';
import type { FindOptionsWhere } from 'typeorm';
const ACTIVITY_JSON = 'application/activity+json; charset=utf-8';
@@ -512,9 +513,28 @@ export class ActivityPubServerService {
},
});
+ const almostDefaultJsonParser: FastifyBodyParser<Buffer> = function (request, rawBody, done) {
+ if (rawBody.length === 0) {
+ const err = new Error('Body cannot be empty!') as any;
+ err.statusCode = 400;
+ return done(err);
+ }
+
+ try {
+ const json = secureJson.parse(rawBody.toString('utf8'), null, {
+ protoAction: 'ignore',
+ constructorAction: 'ignore',
+ });
+ done(null, json);
+ } catch (err: any) {
+ err.statusCode = 400;
+ return done(err);
+ }
+ };
+
fastify.register(fastifyAccepts);
- fastify.addContentTypeParser('application/activity+json', { parseAs: 'string' }, fastify.getDefaultJsonParser('ignore', 'ignore'));
- fastify.addContentTypeParser('application/ld+json', { parseAs: 'string' }, fastify.getDefaultJsonParser('ignore', 'ignore'));
+ fastify.addContentTypeParser('application/activity+json', { parseAs: 'buffer' }, almostDefaultJsonParser);
+ fastify.addContentTypeParser('application/ld+json', { parseAs: 'buffer' }, almostDefaultJsonParser);
fastify.addHook('onRequest', (request, reply, done) => {
reply.header('Access-Control-Allow-Headers', 'Accept');
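Review bot: `rawBody.toString('utf8')` at the top of the try block decodes lossily, so a body containing malformed UTF-8 is silently rewritten with U+FFFD and then parsed as if it were valid; since this parser exists to tighten body validation it should fail closed on bad encoding, e.g. `const json = secureJson.parse(new TextDecoder('utf-8', { fatal: true }).decode(rawBody), null, {` so that a decode error takes the same 400 path as a JSON syntax error. The `as any` on the empty-body error and `catch (err: any)` both switch off strict checking for the error path; `catch (err: unknown)` followed by `const e = err instanceof Error ? err : new Error(String(err));` before setting `statusCode` keeps the same behaviour without `any`. The method that registers these parsers starts and ends outside the hunk.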
diff --git a/packages/backend/src/server/ServerService.ts b/packages/backend/src/server/ServerService.ts
index 6e1956cd1d..17c2a93525 100644
--- a/packages/backend/src/server/ServerService.ts
+++ b/packages/backend/src/server/ServerService.ts
@@ -88,9 +88,9 @@ export class ServerService implements OnApplicationShutdown {
}
// Register raw-body parser for ActivityPub HTTP signature validation.
- fastify.register(fastifyRawBody, {
+ await fastify.register(fastifyRawBody, {
global: false,
- encoding: 'utf-8',
+ encoding: null,
runFirst: true,
});
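Review bot: Setting `encoding: null` changes the type of `request.rawBody` from string to Buffer, but the code that consumes it for the HTTP-signature validation named in the comment above is outside this hunk; each consumer should be confirmed to accept a Buffer, and any FastifyRequest `rawBody` type augmentation updated, otherwise a string-only comparison would fail without an obvious error. The `await` added on `fastify.register` is correct only if the enclosing method is `async`; its signature is outside the hunk, so that is worth verifying.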