From 5f6096c1b7b37b771055e6e3b9d7b15ca10a05da Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Fri, 16 Feb 2024 18:34:22 +0100
Subject: [PATCH] [backend] Verify object id host matches final URL when fetching remote activities

---
 packages/backend/src/misc/fetch.ts | 5 ++++-
 packages/backend/src/remote/activitypub/request.ts | 5 ++++-
 packages/backend/src/remote/activitypub/resolver.ts | 8 ++++++--
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/packages/backend/src/misc/fetch.ts b/packages/backend/src/misc/fetch.ts
index 1cbaa78c4..46379af1a 100644
--- a/packages/backend/src/misc/fetch.ts
+++ b/packages/backend/src/misc/fetch.ts
@@ -51,7 +51,10 @@ export async function getJsonActivity(
 if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
 throw new Error(`getJsonActivity response had unexpected content-type: ${contentType}`);
- return await res.json();
+ return {
+ finalUrl: res.url,
+ content: await res.json()
+ }
 }
 export async function getHtml(
diff --git a/packages/backend/src/remote/activitypub/request.ts b/packages/backend/src/remote/activitypub/request.ts
index d4996c5db..b5d089a92 100644
--- a/packages/backend/src/remote/activitypub/request.ts
+++ b/packages/backend/src/remote/activitypub/request.ts
@@ -69,5 +69,8 @@ export async function signedGet(url: string, user: { id: User["id"] }, redirects
 if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
 throw new Error(`signedGet response had unexpected content-type: ${contentType}`);
- return await res.json();
+ return {
+ finalUrl: res.url,
+ content: await res.json()
+ };
 }
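Review bot: The object literal returned at the added `+ }` line in getJsonActivity is missing the trailing semicolon that the otherwise identical literal in the signedGet hunk in request.ts has, and neither function names the new return shape, so `content` is inferred as `any` from `res.json()` and the resolver's `as IObject` cast becomes the only type boundary for remote data. Declaring the shape once, e.g. `type ActivityResponse = { finalUrl: string; content: unknown };`, and using it as the return type of both functions would make the wrapper explicit and force callers to validate before use. Both function signatures lie outside the hunks; if getJsonActivity or signedGet has callers other than resolver.ts, which is the only caller this patch updates, they would now receive the wrapper instead of the parsed body and need the same `.content` change.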
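Review bot: The value stored in `finalUrl` here is `res.url`, and the hunk header shows signedGet takes a `redirects` argument, which suggests redirects are followed inside this function rather than by the underlying fetch; the host check that resolver.ts builds on this field is only as strong as `res.url` being the URL of the response actually consumed after the last hop, which holds if each redirect re-enters signedGet and the innermost response is what is returned. That logic is not visible in the hunk and is worth confirming. A short comment on the field would pin the contract for future callers, e.g. `// finalUrl: URL the body was actually fetched from (after any redirects); the resolver compares its host against object.id`. signedGet's body begins before the hunk.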
diff --git a/packages/backend/src/remote/activitypub/resolver.ts b/packages/backend/src/remote/activitypub/resolver.ts
index 1da888dd2..a6c407be5 100644
--- a/packages/backend/src/remote/activitypub/resolver.ts
+++ b/packages/backend/src/remote/activitypub/resolver.ts
@@ -121,11 +121,12 @@ export default class Resolver {
 apLogger.debug("Getting object from remote, authenticated as user:");
 apLogger.debug(JSON.stringify(this.user, null, 2));
- const object = (
+ const res = (
 this.user
 ? await signedGet(value, this.user)
 : await getJsonActivity(value)
- ) as IObject;
+ );
+ const object = res.content as IObject;
 if (
 object == null ||
@@ -138,6 +139,9 @@ export default class Resolver {
 throw new Error("invalid response");
 }
+ if (object.id != null && new URL(res.finalUrl).host != new URL(object.id).host)
+ throw new Error("Object ID host doesn't match final url host");
+
 return object;
 }
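Review bot: `new URL(object.id)` in the added check parses a value taken straight from the remote response, so a malformed or non-string `id` throws a TypeError with a generic parser message instead of the explicit "invalid response" rejection the validation just above it uses, and a caller catching that error cannot tell a bad id from a bug. Guarding the parse and failing with the same kind of error keeps the rejection deliberate and loggable, and the two hosts are plain strings so `!==` is the safer comparison. Comparing `host` (which includes the port) rather than `hostname` is the stricter choice and looks right for this purpose. The enclosing method continues outside the hunk.
```typescript
		if (object.id != null) {
			let idHost: string;
			try {
				idHost = new URL(object.id).host;
			} catch {
				throw new Error("invalid response: object id is not a valid URL");
			}
			if (new URL(res.finalUrl).host !== idHost)
				throw new Error("Object ID host doesn't match final url host");
		}
		// … unchanged: return object; …
```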