From 4e254a9072ef92f89291d761e52ef1a3403e3958 Mon Sep 17 00:00:00 2001 From: syuilo Date: Fri, 8 Oct 2021 14:05:07 +0900 Subject: [PATCH] =?UTF-8?q?enhance(api):=20ap=E7=B3=BB=E3=81=AE=E3=82=A8?= =?UTF-8?q?=E3=83=B3=E3=83=89=E3=83=9D=E3=82=A4=E3=83=B3=E3=83=88=E3=82=92?= =?UTF-8?q?=E3=83=AD=E3=82=B0=E3=82=A4=E3=83=B3=E5=BF=85=E9=A0=88=E5=8C=96?= =?UTF-8?q?+=E3=83=AC=E3=83=BC=E3=83=88=E3=83=AA=E3=83=9F=E3=83=83?= =?UTF-8?q?=E3=83=88=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 他のサーバーにリクエストを送信するという性質上、攻撃の踏み台にされることがあるため --- CHANGELOG.md | 1 + src/server/api/endpoints/ap/get.ts | 8 +++++++- src/server/api/endpoints/ap/show.ts | 8 +++++++- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd526fd69..f65de7911 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ - クライアント: アニメーションを減らす設定をメニューのアニメーションにも適用するように - クライアント: MFM関数構文のサジェストを実装 - ActivityPub: HTML -> MFMの変換を強化 +- API: ap系のエンドポイントをログイン必須化+レートリミット追加 ### Bugfixes - Fix createDeleteAccountJob diff --git a/src/server/api/endpoints/ap/get.ts b/src/server/api/endpoints/ap/get.ts index 2cffce1f1..2f97a2477 100644 --- a/src/server/api/endpoints/ap/get.ts +++ b/src/server/api/endpoints/ap/get.ts @@ -2,11 +2,17 @@ import $ from 'cafy'; import define from '../../define'; import Resolver from '@/remote/activitypub/resolver'; import { ApiError } from '../../error'; +import ms from 'ms'; export const meta = { tags: ['federation'], - requireCredential: false as const, + requireCredential: true as const, + + limit: { + duration: ms('1hour'), + max: 30 + }, params: { uri: { diff --git a/src/server/api/endpoints/ap/show.ts b/src/server/api/endpoints/ap/show.ts index aa0dae070..32685d44b 100644 --- a/src/server/api/endpoints/ap/show.ts +++ b/src/server/api/endpoints/ap/show.ts @@ -11,11 +11,17 @@ import { Note } from '@/models/entities/note'; import { User } from '@/models/entities/user'; import { fetchMeta } from '@/misc/fetch-meta'; import { isActor, isPost, getApId } from '@/remote/activitypub/type'; +import ms from 'ms'; export const meta = { tags: ['federation'], - requireCredential: false as const, + requireCredential: true as const, + + limit: { + duration: ms('1hour'), + max: 30 + }, params: { uri: {