[backend] Verify response content type when fetching remote activities

This commit is contained in:
Laura Hausmann 2024-02-16 18:22:38 +01:00
parent 4cd9c002e6
commit 9fc45f166c
No known key found for this signature in database
GPG key ID: D044E84C5BE01605
3 changed files with 32 additions and 2 deletions

View file

@ -28,6 +28,32 @@ export async function getJson(
return await res.json(); return await res.json();
} }
export async function getJsonActivity(
url: string,
accept = "application/activity+json, application/ld+json",
timeout = 10000,
headers?: Record<string, string>,
) {
const res = await getResponse({
url,
method: "GET",
headers: Object.assign(
{
"User-Agent": config.userAgent,
Accept: accept,
},
headers || {},
),
timeout,
});
const contentType = res.headers.get('content-type');
if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
throw new Error(`getJsonActivity response had unexpected content-type: ${contentType}`);
return await res.json();
}
export async function getHtml( export async function getHtml(
url: string, url: string,
accept = "text/html, */*", accept = "text/html, */*",

View file

@ -65,5 +65,9 @@ export async function signedGet(url: string, user: { id: User["id"] }, redirects
return signedGet(newUrl, user, false); return signedGet(newUrl, user, false);
} }
const contentType = res.headers.get('content-type');
if (contentType == null || (contentType !== 'application/activity+json' && !contentType.startsWith('application/activity+json;') && contentType !== 'application/ld+json' && !contentType.startsWith('application/ld+json;')))
throw new Error(`signedGet response had unexpected content-type: ${contentType}`);
return await res.json(); return await res.json();
} }

View file

@ -1,5 +1,5 @@
import config from "@/config/index.js"; import config from "@/config/index.js";
import { getJson } from "@/misc/fetch.js"; import { getJsonActivity } from "@/misc/fetch.js";
import type { ILocalUser } from "@/models/entities/user.js"; import type { ILocalUser } from "@/models/entities/user.js";
import { getInstanceActor } from "@/services/instance-actor.js"; import { getInstanceActor } from "@/services/instance-actor.js";
import { fetchMeta } from "@/misc/fetch-meta.js"; import { fetchMeta } from "@/misc/fetch-meta.js";
@ -124,7 +124,7 @@ export default class Resolver {
const object = ( const object = (
this.user this.user
? await signedGet(value, this.user) ? await signedGet(value, this.user)
: await getJson(value, "application/activity+json, application/ld+json") : await getJsonActivity(value)
) as IObject; ) as IObject;
if ( if (