misty.cafe/mistykey
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

remove assertActivityMatchesUrls in favor of three-way same-authority checks

Browse source
This commit is contained in:
Hazelnoot 2025-02-22 14:12:05 -05:00
parent 14a81b4f85
commit a568333ecd
13 changed files with 318 additions and 172 deletions
Download patch file Download diff file Expand all files Collapse all files

8
packages/backend/src/server/api/endpoints/ap/show.ts
View file

@ -7,7 +7,7 @@ import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import type { MiNote } from '@/models/Note.js';
import type { MiLocalUser, MiUser } from '@/models/User.js';
import { isActor, isPost, getApId, getNullableApId, ObjectWithId } from '@/core/activitypub/type.js';
import { isActor, isPost, getApId, getNullableApId } from '@/core/activitypub/type.js';
import type { SchemaType } from '@/misc/json-schema.js';
import { ApResolverService } from '@/core/activitypub/ApResolverService.js';
import { ApDbResolverService } from '@/core/activitypub/ApDbResolverService.js';
@ -154,7 +154,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
// Before we fetch, resolve the URI in case it has a cross-origin redirect or anything like that.
// Resolver.resolve() uses strict verification, which is overly paranoid for a user-provided lookup.
uri = await this.resolveCanonicalUri(uri); // eslint-disable-line no-param-reassign
if (!this.utilityService.isFederationAllowedUri(uri)) return null;
if (!this.utilityService.isFederationAllowedUri(uri)) {
throw new ApiError(meta.errors.federationNotAllowed);
}
const host = this.utilityService.extractDbHost(uri);
@ -244,7 +246,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
*/
private async resolveCanonicalUri(uri: string): Promise<string> {
const user = await this.instanceActorService.getInstanceActor();
const res = await this.apRequestService.signedGet(uri, user, true) as ObjectWithId;
const res = await this.apRequestService.signedGet(uri, user, true);
return getNullableApId(res) ?? uri;
}
}