fix: primitive 16: improper same-origin validation for user uri and url

Laura Hausmann 2024-10-24 05:11:16 +02:00 committed by Julia Johannesen
parent ebea1a2962
commit b74e2e9167
GPG Key ID: 4A1377AF3E7FBC46
1 changed files with 24 additions and 4 deletions


@ -337,8 +337,18 @@ export class ApPersonService implements OnModuleInit {
const url = getOneApHrefNullable(person.url); const url = getOneApHrefNullable(person.url);
if (url && !checkHttps(url)) { if (person.id == null) {
throw new Error('unexpected schema of person url: ' + url); throw new Error('Refusing to create person without id');
}
if (url != null) {
if (!checkHttps(url)) {
throw new Error('unexpected schema of person url: ' + url);
}
if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(person.id)) {
throw new Error(`person url <> uri host mismatch: ${url} <> ${person.id}`);
}
} }
// Create user // Create user
@ -539,8 +549,18 @@ export class ApPersonService implements OnModuleInit {
const url = getOneApHrefNullable(person.url); const url = getOneApHrefNullable(person.url);
if (url && !checkHttps(url)) { if (person.id == null) {
throw new Error('unexpected schema of person url: ' + url); throw new Error('Refusing to update person without id');
}
if (url != null) {
if (!checkHttps(url)) {
throw new Error('unexpected schema of person url: ' + url);
}
if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(person.id)) {
throw new Error(`person url <> uri host mismatch: ${url} <> ${person.id}`);
}
} }
const updates = { const updates = {
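Review bot: The new host comparison in both hunks is anchored on `person.id`, which comes from the same remote document as `url`, so it only establishes same-origin if `person.id` has already been bound to the host the actor was fetched from. That binding is not visible in these hunks; if it happens in an earlier validation step, a comment above the check would record the dependency, e.g. `// relies on person.id's host having been checked against the fetch URI earlier (see <validator name>)`. The same ten-line block is repeated in the create path (hunk at 337) and the update path (hunk at 549), differing only in the "create"/"update" word of the missing-id message, so moving it into one private method taking the person and an operation label would keep the two paths from drifting when the rule is next tightened. Both thrown messages interpolate the remote-supplied `url` and `person.id` verbatim, so whatever logs these errors should treat the text as untrusted. The enclosing methods start and end outside the hunks.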