fix: check origin only if object is a string

This commit is contained in:
Julian Lam
2024-02-21 14:05:54 -05:00
parent a94341f489
commit 92a8951bca
2 changed files with 12 additions and 9 deletions

View File

@@ -21,15 +21,16 @@ Notes.assert = async (uid, input, options = {}) => {
const actors = new Set();
await Promise.all(input.map(async (item) => {
let id = activitypub.helpers.isUri(item) ? item : item.pid;
if (activitypub.helpers.isUri(id)) {
id = await activitypub.resolveId(uid, id);
if (!id) {
winston.warn(`[activitypub/notes.assert] Not asserting ${id}`);
// Dereference only if a url is received
if (activitypub.helpers.isUri(item)) {
item = await activitypub.resolveId(uid, item);
if (!item) {
winston.warn(`[activitypub/notes.assert] Not asserting ${item}`);
return;
}
}
const id = activitypub.helpers.isUri(item) ? item : item.pid;
const key = `post:${id}`;
const exists = await db.exists(key);
winston.verbose(`[activitypub/notes.assert] Asserting note id ${id}`);

View File

@@ -48,10 +48,12 @@ middleware.validate = async function (req, res, next) {
const { actor, object } = req.body;
// Origin checking
const actorHostname = new URL(actor).hostname;
const objectHostname = new URL(typeof object === 'string' ? object : object.id).hostname;
if (actorHostname !== objectHostname) {
return res.sendStatus(403);
if (typeof object !== 'string') {
const actorHostname = new URL(actor).hostname;
const objectHostname = new URL(object.id).hostname;
if (actorHostname !== objectHostname) {
return res.sendStatus(403);
}
}
// Cross-check key ownership against received actor