[backend] Verify object id host matches final URL when fetching remote activities
This commit is contained in:
parent
9fc45f166c
commit
5f6096c1b7
3 changed files with 14 additions and 4 deletions
|
@ -51,7 +51,10 @@ export async function getJsonActivity(
|
|||
if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
|
||||
throw new Error(`getJsonActivity response had unexpected content-type: ${contentType}`);
|
||||
|
||||
return await res.json();
|
||||
return {
|
||||
finalUrl: res.url,
|
||||
content: await res.json()
|
||||
}
|
||||
}
|
||||
|
||||
export async function getHtml(
|
||||
|
|
|
@ -69,5 +69,8 @@ export async function signedGet(url: string, user: { id: User["id"] }, redirects
|
|||
if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
|
||||
throw new Error(`signedGet response had unexpected content-type: ${contentType}`);
|
||||
|
||||
return await res.json();
|
||||
return {
|
||||
finalUrl: res.url,
|
||||
content: await res.json()
|
||||
};
|
||||
}
|
||||
|
|
|
@ -121,11 +121,12 @@ export default class Resolver {
|
|||
apLogger.debug("Getting object from remote, authenticated as user:");
|
||||
apLogger.debug(JSON.stringify(this.user, null, 2));
|
||||
|
||||
const object = (
|
||||
const res = (
|
||||
this.user
|
||||
? await signedGet(value, this.user)
|
||||
: await getJsonActivity(value)
|
||||
) as IObject;
|
||||
);
|
||||
const object = res.content as IObject;
|
||||
|
||||
if (
|
||||
object == null ||
|
||||
|
@ -138,6 +139,9 @@ export default class Resolver {
|
|||
throw new Error("invalid response");
|
||||
}
|
||||
|
||||
if (object.id != null && new URL(res.finalUrl).host != new URL(object.id).host)
|
||||
throw new Error("Object ID host doesn't match final url host");
|
||||
|
||||
return object;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue