From 0e7ea7edc2140a74f04b10d13dd0a2c6f35adb8d Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Wed, 27 Mar 2024 07:34:57 +0900
Subject: [PATCH] fix (backend): stricter hostname checking when fetching remote objects

Co-authored-by: naskya
---
 .../backend/src/remote/activitypub/resolver.ts | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/packages/backend/src/remote/activitypub/resolver.ts b/packages/backend/src/remote/activitypub/resolver.ts
index 5db7971a5..5f7752bd3 100644
--- a/packages/backend/src/remote/activitypub/resolver.ts
+++ b/packages/backend/src/remote/activitypub/resolver.ts
@@ -133,14 +133,21 @@ export default class Resolver {
 throw new Error("invalid response");
 }

- if (
- object.id != null &&
- new URL(finalUrl).host != new URL(object.id).host
- ) {
+ if (object.id == null) return object;
+ if (finalUrl === object.id) return object;
+
+ if (new URL(finalUrl).host !== new URL(object.id).host) {
 throw new Error("Object ID host doesn't match final url host");
 }

- return object;
+ const finalRes = await apGet(object.id, this.user);
+
+ if (finalRes.finalUrl !== finalRes.content.id)
+ throw new Error(
+ "Object ID still doesn't match final URL after second fetch attempt",
+ );
+
+ return finalRes.content;
 }

 private async resolveLocal(url: string): Promise {
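Review bot: The object returned from the second fetch, `finalRes.content`, is not put through the check that guards the first response (the `throw new Error("invalid response")` at the top of the hunk; its condition lies above the visible lines). Unless `apGet` validates internally, the document that is finally returned has only had its `id` compared with the final URL, so the same validation should be repeated on `finalRes.content` before `return finalRes.content;`. Separately, `object.id` comes from the remote JSON and reaches `new URL(object.id)` and `apGet(object.id, this.user)` without a type check, so a non-string value is coerced by `new URL()` and then passed on unchanged. A guard such as `if (typeof object.id !== "string") throw new Error("invalid object id");` placed before the `finalUrl === object.id` comparison would close that. The enclosing method starts above the hunk, so both points assume nothing earlier already covers them.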