[backend] Verify object id host matches final URL when fetching remote activities

This commit is contained in:
Laura Hausmann 2024-02-16 18:34:22 +01:00
parent 9fc45f166c
commit 5f6096c1b7
No known key found for this signature in database
GPG key ID: D044E84C5BE01605
3 changed files with 14 additions and 4 deletions

View file

@ -51,7 +51,10 @@ export async function getJsonActivity(
if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;'))) if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
throw new Error(`getJsonActivity response had unexpected content-type: ${contentType}`); throw new Error(`getJsonActivity response had unexpected content-type: ${contentType}`);
return await res.json(); return {
finalUrl: res.url,
content: await res.json()
}
} }
export async function getHtml( export async function getHtml(

View file

@ -69,5 +69,8 @@ export async function signedGet(url: string, user: { id: User["id"] }, redirects
if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;'))) if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
throw new Error(`signedGet response had unexpected content-type: ${contentType}`); throw new Error(`signedGet response had unexpected content-type: ${contentType}`);
return await res.json(); return {
finalUrl: res.url,
content: await res.json()
};
} }

View file

@ -121,11 +121,12 @@ export default class Resolver {
apLogger.debug("Getting object from remote, authenticated as user:"); apLogger.debug("Getting object from remote, authenticated as user:");
apLogger.debug(JSON.stringify(this.user, null, 2)); apLogger.debug(JSON.stringify(this.user, null, 2));
const object = ( const res = (
this.user this.user
? await signedGet(value, this.user) ? await signedGet(value, this.user)
: await getJsonActivity(value) : await getJsonActivity(value)
) as IObject; );
const object = res.content as IObject;
if ( if (
object == null || object == null ||
@ -138,6 +139,9 @@ export default class Resolver {
throw new Error("invalid response"); throw new Error("invalid response");
} }
if (object.id != null && new URL(res.finalUrl).host != new URL(object.id).host)
throw new Error("Object ID host doesn't match final url host");
return object; return object;
} }