fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections

This commit is contained in:
Laura Hausmann 2024-10-26 19:51:11 +02:00 committed by Julia Johannesen
parent 1c7e05ce9e
commit 322b3b677f
No known key found for this signature in database
GPG Key ID: 4A1377AF3E7FBC46
1 changed files with 12 additions and 1 deletions


@ -154,13 +154,24 @@ export class ApPersonService implements OnModuleInit {
throw new Error('invalid Actor: inbox has different host'); throw new Error('invalid Actor: inbox has different host');
} }
const sharedInboxObject = x.sharedInbox ?? (x.endpoints ? x.endpoints.sharedInbox : undefined);
if (sharedInboxObject != null) {
const sharedInbox = getApId(sharedInboxObject);
if (!(typeof sharedInbox === "string" && sharedInbox.length > 0 && this.utilityService.punyHost(sharedInbox) === expectHost)) {
throw new Error("invalid Actor: wrong shared inbox");
}
}
for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) { for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) {
const collectionUri = (x as IActor)[collection]; const collectionUri = getApId((x as IActor)[collection]);
if (typeof collectionUri === 'string' && collectionUri.length > 0) { if (typeof collectionUri === 'string' && collectionUri.length > 0) {
if (this.utilityService.punyHost(collectionUri) !== expectHost) { if (this.utilityService.punyHost(collectionUri) !== expectHost) {
throw new Error(`invalid Actor: ${collection} has different host`); throw new Error(`invalid Actor: ${collection} has different host`);
} }
} }
else if (collectionUri != null) {
throw new Error(`invalid Actor: wrong ${collection}`);
}
} }
if (!(typeof x.preferredUsername === 'string' && x.preferredUsername.length > 0 && x.preferredUsername.length <= 128 && /^\w([\w-.]*\w)?$/.test(x.preferredUsername))) { if (!(typeof x.preferredUsername === 'string' && x.preferredUsername.length > 0 && x.preferredUsername.length <= 128 && /^\w([\w-.]*\w)?$/.test(x.preferredUsername))) {
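Review bot: The new `const collectionUri = getApId((x as IActor)[collection]);` in the outbox/followers/following loop now calls `getApId` even when the collection is absent, where the old code only read the raw property and skipped it; if `getApId` throws on an input with no id (the upstream Misskey helper of the same name throws `cannot detemine id`, if this file uses the same one), the new `else if (collectionUri != null)` branch is unreachable and an actor that merely omits `followers` or `following` is rejected instead of skipped. I cannot see `getApId` from here, so confirm how it handles `undefined`; if it throws, guard first, as the shared-inbox block above already does with `sharedInboxObject != null`: `const raw = (x as IActor)[collection];` / `const collectionUri = raw == null ? undefined : getApId(raw);`. The shared-inbox block also uses double-quoted literals (`"invalid Actor: wrong shared inbox"`) while the surrounding checks in this method use single quotes, and `x.endpoints ? x.endpoints.sharedInbox : undefined` reads more simply as `x.endpoints?.sharedInbox`. The enclosing validation method starts before and ends after this hunk.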