From 1fb1875ac3859a7bf284d45d673698c98230de18 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sat, 23 Nov 2024 19:42:10 -0500
Subject: [PATCH] normalize AP IDs during verification

---
 .../activitypub/misc/check-against-url.ts     | 31 +++++++------
 .../test/unit/misc/check-against-url.ts       | 46 ++++++++++---------
 2 files changed, 42 insertions(+), 35 deletions(-)

diff --git a/packages/backend/src/core/activitypub/misc/check-against-url.ts b/packages/backend/src/core/activitypub/misc/check-against-url.ts
index 34e4907267..c8ad2ce584 100644
--- a/packages/backend/src/core/activitypub/misc/check-against-url.ts
+++ b/packages/backend/src/core/activitypub/misc/check-against-url.ts
@@ -2,26 +2,29 @@
  * SPDX-FileCopyrightText: dakkar and sharkey-project
  * SPDX-License-Identifier: AGPL-3.0-only
  */
+
 import type { IObject } from '../type.js';
 
-function getHrefFrom(one: IObject|string): string | undefined {
-	if (typeof(one) === 'string') return one;
-	return one.href;
+function getHrefsFrom(one: IObject | string | undefined | (IObject | string | undefined)[]): (string | undefined)[] {
+	if (Array.isArray(one)) {
+		return one.flatMap(h => getHrefsFrom(h));
+	}
+	return [
+		typeof(one) === 'object' ? one.href : one,
+	];
 }
 
 export function assertActivityMatchesUrls(activity: IObject, urls: string[]) {
-	const idOk = activity.id !== undefined && urls.includes(activity.id);
-	if (idOk) return;
+	const expectedUrls = new Set(urls
+		.filter(u => URL.canParse(u))
+		.map(u => new URL(u).href),
+	);
 
-	const url = activity.url;
-	if (url) {
-		// `activity.url` can be an `ApObject = IObject | string | (IObject
-		// | string)[]`, we have to look inside it
-		const activityUrls = Array.isArray(url) ? url.map(getHrefFrom) : [getHrefFrom(url)];
-		const goodUrl = activityUrls.find(u => u && urls.includes(u));
+	const actualUrls = [activity.id, ...getHrefsFrom(activity.url)]
+		.filter(u => u && URL.canParse(u))
+		.map(u => new URL(u as string).href);
 
-		if (goodUrl) return;
+	if (!actualUrls.some(u => expectedUrls.has(u))) {
+		throw new Error(`bad Activity: neither id(${activity.id}) nor url(${JSON.stringify(activity.url)}) match location(${urls})`);
 	}
-
-	throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${JSON.stringify(activity?.url)}) match location(${urls})`);
 }
diff --git a/packages/backend/test/unit/misc/check-against-url.ts b/packages/backend/test/unit/misc/check-against-url.ts
index 88edaed839..70ee957ab1 100644
--- a/packages/backend/test/unit/misc/check-against-url.ts
+++ b/packages/backend/test/unit/misc/check-against-url.ts
@@ -3,49 +3,53 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import type { IObject } from '@/core/activitypub/type.js';
 import { describe, expect, test } from '@jest/globals';
+import type { IObject } from '@/core/activitypub/type.js';
 import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
 
-function assertOne(activity: IObject) {
+function assertOne(activity: IObject, good = 'http://good') {
 	// return a function so we can use `.toThrow`
-	return () => assertActivityMatchesUrls(activity, ['good']);
+	return () => assertActivityMatchesUrls(activity, [good]);
 }
 
 describe('assertActivityMatchesUrls', () => {
+	it('should throw when no ids are URLs', () => {
+		expect(assertOne({ type: 'Test', id: 'bad' }, 'bad')).toThrow(/bad Activity/);
+	});
+
 	test('id', () => {
-		expect(assertOne({ type: 'Test', id: 'bad' })).toThrow(/bad Activity/);
-		expect(assertOne({ type: 'Test', id: 'good' })).not.toThrow();
+		expect(assertOne({ type: 'Test', id: 'http://bad' })).toThrow(/bad Activity/);
+		expect(assertOne({ type: 'Test', id: 'http://good' })).not.toThrow();
 	});
 
 	test('simple url', () => {
-		expect(assertOne({ type: 'Test', url: 'bad' })).toThrow(/bad Activity/);
-		expect(assertOne({ type: 'Test', url: 'good' })).not.toThrow();
+		expect(assertOne({ type: 'Test', url: 'http://bad' })).toThrow(/bad Activity/);
+		expect(assertOne({ type: 'Test', url: 'http://good' })).not.toThrow();
 	});
 
 	test('array of urls', () => {
-		expect(assertOne({ type: 'Test', url: ['bad'] })).toThrow(/bad Activity/);
-		expect(assertOne({ type: 'Test', url: ['bad', 'other'] })).toThrow(/bad Activity/);
-		expect(assertOne({ type: 'Test', url: ['good'] })).not.toThrow();
-		expect(assertOne({ type: 'Test', url: ['bad', 'good'] })).not.toThrow();
+		expect(assertOne({ type: 'Test', url: ['http://bad'] })).toThrow(/bad Activity/);
+		expect(assertOne({ type: 'Test', url: ['http://bad', 'http://other'] })).toThrow(/bad Activity/);
+		expect(assertOne({ type: 'Test', url: ['http://good'] })).not.toThrow();
+		expect(assertOne({ type: 'Test', url: ['http://bad', 'http://good'] })).not.toThrow();
 	});
 
 	test('array of objects', () => {
-		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }] })).toThrow(/bad Activity/);
-		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }, { type: 'Test', href: 'other' }] })).toThrow(/bad Activity/);
-		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'good' }] })).not.toThrow();
-		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }, { type: 'Test', href: 'good' }] })).not.toThrow();
+		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }] })).toThrow(/bad Activity/);
+		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }, { type: 'Test', href: 'http://other' }] })).toThrow(/bad Activity/);
+		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://good' }] })).not.toThrow();
+		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }, { type: 'Test', href: 'http://good' }] })).not.toThrow();
 	});
 
 	test('mixed array', () => {
-		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }, 'other'] })).toThrow(/bad Activity/);
-		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }, 'good'] })).not.toThrow();
-		expect(assertOne({ type: 'Test', url: ['bad', { type: 'Test', href: 'good' }] })).not.toThrow();
+		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }, 'http://other'] })).toThrow(/bad Activity/);
+		expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }, 'http://good'] })).not.toThrow();
+		expect(assertOne({ type: 'Test', url: ['http://bad', { type: 'Test', href: 'http://good' }] })).not.toThrow();
 	});
 
 	test('id and url', () => {
-		expect(assertOne({ type: 'Test', id: 'other', url: 'bad' })).toThrow(/bad Activity/);
-		expect(assertOne({ type: 'Test', id: 'bad', url: 'good' })).not.toThrow();
-		expect(assertOne({ type: 'Test', id: 'good', url: 'bad' })).not.toThrow();
+		expect(assertOne({ type: 'Test', id: 'http://other', url: 'http://bad' })).toThrow(/bad Activity/);
+		expect(assertOne({ type: 'Test', id: 'http://bad', url: 'http://good' })).not.toThrow();
+		expect(assertOne({ type: 'Test', id: 'http://good', url: 'http://bad' })).not.toThrow();
 	});
 });