
fix (backend): stricter hostname checking when fetching remote objects

Co-authored-by: naskya <m@naskya.net>
Laura Hausmann 2024-03-27 07:34:57 +09:00 committed by naskya
parent e8aeaf7d53
commit 0e7ea7edc2
Signed by: naskya
GPG key ID: 712D413B3A9FED5C


@ -133,14 +133,21 @@ export default class Resolver {
throw new Error("invalid response");
}
if (
object.id != null &&
new URL(finalUrl).host != new URL(object.id).host
) {
if (object.id == null) return object;
if (finalUrl === object.id) return object;
if (new URL(finalUrl).host !== new URL(object.id).host) {
throw new Error("Object ID host doesn't match final url host");
}
return object;
const finalRes = await apGet(object.id, this.user);
if (finalRes.finalUrl !== finalRes.content.id)
throw new Error(
"Object ID still doesn't match final URL after second fetch attempt",
);
return finalRes.content;
}
private async resolveLocal(url: string): Promise<IObject> {
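Review bot: The second fetch's result is returned after only the `finalRes.finalUrl !== finalRes.content.id` comparison, so `finalRes.content` does not visibly pass the response check that ends in `throw new Error("invalid response")` for the first fetch (that check's condition is above the hunk, so this is inferred). If that check validates the shape of the fetched document, it should also run on `finalRes.content` before `return finalRes.content;`, ideally through one shared helper so the two paths cannot drift apart. Separately, `object.id` comes from the remote document and reaches `new URL(object.id)` and `apGet(object.id, this.user)` without a type check; a guard such as `if (typeof object.id !== "string") throw new Error("invalid object id");` ahead of the host comparison would reject malformed ids explicitly instead of relying on coercion or a bare `TypeError`. The enclosing method starts outside the hunk.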