[backend] Stricter validation of activity identifiers

This resolves a security issue that was disclosed on 2024-03-24 & patched in coordination with other affected software on 2024-03-30.
Huge thanks to Oneric for the detailed security disclosure.

packages/backend/src/remote/activitypub/resolver.ts

@@ -122,12 +122,29 @@ export default class Resolver {
 		apLogger.debug("Getting object from remote, authenticated as user:");
 		apLogger.debug(JSON.stringify(this.user, null, 2));
 
-		const res = (
+		const {res, object} = await this.doFetch(value);
+
+		if (object.id == null) return object;
+		if (res.finalUrl === object.id) return object;
+
+		if (new URL(res.finalUrl).host !== new URL(object.id).host)
+			throw new Error("Object ID host doesn't match final url host");
+
+		const {res: finalRes, object: finalObject} = await this.doFetch(object.id);
+
+		if (finalRes.finalUrl !== finalObject.id)
+			throw new Error("Object ID still doesn't match final URL after second fetch attempt")
+
+		return finalObject;
+	}
+
+	private async doFetch(uri: string) {
+		let res = (
 			this.user
-				? await signedGet(value, this.user)
-				: await getJsonActivity(value)
+				? await signedGet(uri, this.user)
+				: await getJsonActivity(uri)
 		);
-		const object = res.content as IObject;
+		let object = res.content as IObject;
 
 		if (
 			object == null ||
@@ -140,10 +157,7 @@ export default class Resolver {
 			throw new Error("invalid response");
 		}
 
-		if (object.id != null && new URL(res.finalUrl).host != new URL(object.id).host)
-			throw new Error("Object ID host doesn't match final url host");
-
-		return object;
+		return {res, object};
 	}
 
 	private resolveLocal(url: string): Promise<IObject> {