diff options
| author | syuilo <Syuilotan@yahoo.co.jp> | 2018-08-30 21:11:43 +0900 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-08-30 21:11:43 +0900 |
| commit | 5e202c3def39ee19c3d72d5378f1997dca235caa (patch) | |
| tree | 14ca7469a37e2667858014281aed34aa840a7f07 /src/queue/processors/http | |
| parent | Merge pull request #2539 from syuilo/greenkeeper/@types/websocket-0.0.40 (diff) | |
| parent | Validate host in activity (diff) | |
| download | sharkey-5e202c3def39ee19c3d72d5378f1997dca235caa.tar.gz sharkey-5e202c3def39ee19c3d72d5378f1997dca235caa.tar.bz2 sharkey-5e202c3def39ee19c3d72d5378f1997dca235caa.zip | |
Merge pull request #2547 from mei23/mei-0830-httpsignature
HTTP Signature 周辺の修正
Diffstat (limited to 'src/queue/processors/http')
| -rw-r--r-- | src/queue/processors/http/process-inbox.ts | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/src/queue/processors/http/process-inbox.ts b/src/queue/processors/http/process-inbox.ts index c9c2fa72cb..a30efe1a3a 100644 --- a/src/queue/processors/http/process-inbox.ts +++ b/src/queue/processors/http/process-inbox.ts @@ -6,6 +6,8 @@ import parseAcct from '../../../misc/acct/parse'; import User, { IRemoteUser } from '../../../models/user'; import perform from '../../../remote/activitypub/perform'; import { resolvePerson } from '../../../remote/activitypub/models/person'; +import { toUnicode } from 'punycode'; +import { URL } from 'url'; const log = debug('misskey:queue:inbox'); @@ -32,6 +34,15 @@ export default async (job: bq.Job, done: any): Promise<void> => { return; } + // アクティビティ内のホストの検証 + try { + ValidateActivity(activity, host); + } catch (e) { + console.warn(e); + done(); + return; + } + user = await User.findOne({ usernameLower: username, host: host.toLowerCase() }) as IRemoteUser; // アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する @@ -39,6 +50,16 @@ export default async (job: bq.Job, done: any): Promise<void> => { user = await resolvePerson(activity.actor) as IRemoteUser; } } else { + // アクティビティ内のホストの検証 + const host = toUnicode(new URL(signature.keyId).hostname.toLowerCase()); + try { + ValidateActivity(activity, host); + } catch (e) { + console.warn(e); + done(); + return; + } + user = await User.findOne({ host: { $ne: null }, 'publicKey.id': signature.keyId @@ -69,3 +90,37 @@ export default async (job: bq.Job, done: any): Promise<void> => { done(e); } }; + +/** + * Validate host in activity + * @param activity Activity + * @param host Expect host + */ +function ValidateActivity(activity: any, host: string) { + // id (if exists) + if (typeof activity.id === 'string') { + const uriHost = toUnicode(new URL(activity.id).hostname.toLowerCase()); + if (host !== uriHost) throw new Error('activity.id has different host'); + } + + // actor (if exists) + if (typeof activity.actor === 'string') { + const uriHost = toUnicode(new URL(activity.actor).hostname.toLowerCase()); + if (host !== uriHost) throw new Error('activity.actor has different host'); + } + + // For Create activity + if (activity.type === 'Create' && activity.object) { + // object.id (if exists) + if (typeof activity.object.id === 'string') { + const uriHost = toUnicode(new URL(activity.object.id).hostname.toLowerCase()); + if (host !== uriHost) throw new Error('activity.object.id has different host'); + } + + // object.attributedTo (if exists) + if (typeof activity.object.attributedTo === 'string') { + const uriHost = toUnicode(new URL(activity.object.attributedTo).hostname.toLowerCase()); + if (host !== uriHost) throw new Error('activity.object.attributedTo has different host'); + } + } +} |