[backend] Verify object id host matches final URL when fetching remote activities

Laura Hausmann 2024-02-16 18:34:22 +01:00
parent 9fc45f166c
commit 5f6096c1b7
No known key found for this signature in database
GPG key ID: D044E84C5BE01605
3 changed files with 14 additions and 4 deletions


@ -51,7 +51,10 @@ export async function getJsonActivity(
if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
throw new Error(`getJsonActivity response had unexpected content-type: ${contentType}`);
return await res.json();
return {
finalUrl: res.url,
content: await res.json()
}
}
export async function getHtml(
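Review bot: The new return shape `{ finalUrl, content }` changes the contract of `getJsonActivity` for every caller, and this commit only updates `Resolver`; any other call site that still expects the parsed JSON would now silently receive the wrapper object, so it is worth grepping for them and giving the function an explicit return type, e.g. `Promise<{ finalUrl: string; content: unknown }>`, so the compiler flags stale callers (the signature is above the hunk). For a spec-compliant fetch `res.url` is the response URL after any redirects, but it is the empty string for responses that carry no URL; a one-line comment on `finalUrl` such as `// URL of the final response after redirects; the resolver checks the object's id host against it` would make the field's purpose clear to the next reader. The object literal here also lacks the trailing semicolon that the same change in `signedGet` has.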


@ -69,5 +69,8 @@ export async function signedGet(url: string, user: { id: User["id"] }, redirects
if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
throw new Error(`signedGet response had unexpected content-type: ${contentType}`);
return await res.json();
return {
finalUrl: res.url,
content: await res.json()
};
}
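Review bot: `signedGet` takes a `redirects` argument (visible in the hunk header), which suggests it follows redirects itself rather than relying on fetch's automatic following; if so, `res.url` is the URL of the last hop's request, which is the final URL the resolver wants, but that assumption deserves a comment, e.g. `// finalUrl: URL of the last hop after any redirects we followed; callers validate the object's id host against it`. As with `getJsonActivity`, the function's return type (declared outside the hunk) should be made explicit, `Promise<{ finalUrl: string; content: unknown }>`, so that any other caller of `signedGet` still expecting the bare JSON is caught at compile time. A single exported type for this result, shared by both fetch helpers, would keep the two from drifting apart.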


@ -121,11 +121,12 @@ export default class Resolver {
apLogger.debug("Getting object from remote, authenticated as user:");
apLogger.debug(JSON.stringify(this.user, null, 2));
const object = (
const res = (
this.user
? await signedGet(value, this.user)
: await getJsonActivity(value)
) as IObject;
);
const object = res.content as IObject;
if (
object == null ||
@ -138,6 +139,9 @@ export default class Resolver {
throw new Error("invalid response");
}
if (object.id != null && new URL(res.finalUrl).host != new URL(object.id).host)
throw new Error("Object ID host doesn't match final url host");
return object;
}
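Review bot: The added check compares only `host`, so an id whose scheme differs from the final URL (an `https://` fetch redirected to `http://` on the same host, or vice versa) still passes; if the intent is that the object is served by the same authority, comparing `origin` (scheme, host and port) would be stricter, though whether non-https ids must be tolerated is not visible here. `object.id` is chosen by the remote server, and when it is not a string or not a valid URL, `new URL(object.id)` throws a bare `TypeError: Invalid URL` instead of the descriptive errors this method otherwise raises; the same happens for `res.finalUrl` if the fetch helper returned an empty `url`. The comparison should also use `!==`, and the enclosing method starts above the hunk. Suggested shape, keeping the host comparison but parsing the untrusted id under a try/catch:
```typescript
// … unchanged: "invalid response" check above …
if (object.id != null) {
	let idHost: string;
	try {
		idHost = new URL(object.id).host;
	} catch {
		throw new Error(`Object ID is not a valid URL: ${String(object.id)}`);
	}
	if (new URL(res.finalUrl).host !== idHost)
		throw new Error("Object ID host doesn't match final url host");
}
return object;
```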