mirror of
				https://github.com/NodeBB/NodeBB.git
				synced 2025-10-26 16:46:12 +01:00 
			
		
		
		
	fix: check origin only if object is a string
		| @@ -21,15 +21,16 @@ Notes.assert = async (uid, input, options = {}) => { | |||||||
| 	const actors = new Set(); | 	const actors = new Set(); | ||||||
|  |  | ||||||
| 	await Promise.all(input.map(async (item) => { | 	await Promise.all(input.map(async (item) => { | ||||||
| 		let id = activitypub.helpers.isUri(item) ? item : item.pid; | 		// Dereference only if a url is received | ||||||
| 		if (activitypub.helpers.isUri(id)) { | 		if (activitypub.helpers.isUri(item)) { | ||||||
| 			id = await activitypub.resolveId(uid, id); | 			item = await activitypub.resolveId(uid, item); | ||||||
| 			if (!id) { | 			if (!item) { | ||||||
| 				winston.warn(`[activitypub/notes.assert] Not asserting ${id}`); | 				winston.warn(`[activitypub/notes.assert] Not asserting ${item}`); | ||||||
| 				return; | 				return; | ||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
|  | 		const id = activitypub.helpers.isUri(item) ? item : item.pid; | ||||||
| 		const key = `post:${id}`; | 		const key = `post:${id}`; | ||||||
| 		const exists = await db.exists(key); | 		const exists = await db.exists(key); | ||||||
| 		winston.verbose(`[activitypub/notes.assert] Asserting note id ${id}`); | 		winston.verbose(`[activitypub/notes.assert] Asserting note id ${id}`); | ||||||
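Review bot: The warning in the `if (!item)` branch interpolates `item` after it has been overwritten with the falsy result of `activitypub.resolveId`, so the log line never names the URI that failed to resolve and is of little use when tracing rejected remote notes. Keeping the result in its own binding fixes that and avoids reassigning the callback parameter before the check: `const resolved = await activitypub.resolveId(uid, item);`, then warn with the original `item` when `!resolved`, and `item = resolved;` afterwards. Separately, on the new `const id` line an object `item` without a `pid` produces the key `post:undefined`; if callers can pass such objects, an early return on a missing id would be worth adding. The callback body continues outside the hunk.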
|   | |||||||
| @@ -48,11 +48,13 @@ middleware.validate = async function (req, res, next) { | |||||||
| 	const { actor, object } = req.body; | 	const { actor, object } = req.body; | ||||||
|  |  | ||||||
| 	// Origin checking | 	// Origin checking | ||||||
|  | 	if (typeof object !== 'string') { | ||||||
| 		const actorHostname = new URL(actor).hostname; | 		const actorHostname = new URL(actor).hostname; | ||||||
| 	const objectHostname = new URL(typeof object === 'string' ? object : object.id).hostname; | 		const objectHostname = new URL(object.id).hostname; | ||||||
| 		if (actorHostname !== objectHostname) { | 		if (actorHostname !== objectHostname) { | ||||||
| 			return res.sendStatus(403); | 			return res.sendStatus(403); | ||||||
| 		} | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	// Cross-check key ownership against received actor | 	// Cross-check key ownership against received actor | ||||||
| 	await activitypub.actors.assert(actor); | 	await activitypub.actors.assert(actor); | ||||||
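Review bot: Inside the new `if (typeof object !== 'string')` block, `new URL(actor)` and `new URL(object.id)` throw on request-controlled input: `object` may be `null` (whose `typeof` is `'object'`) or absent, and `actor` or `object.id` may be missing or not an absolute URL, so a malformed body ends in an exception from this async middleware rather than a clean rejection. Wrapping the two parses in a `try`/`catch` that answers with a 4xx keeps the failure explicit, as sketched below. The commit title says the check runs only if the object is a string, whereas the code runs it only when the object is not a string; a comment stating why string references skip the origin check would remove the ambiguity for the next reader. Comparing `hostname` ignores scheme and port, so comparing `origin` may be the stricter choice if that matches the intent. The body of `middleware.validate` starts and ends outside the hunk.

```javascript
	// Origin checking
	if (typeof object !== 'string') {
		let actorHostname;
		let objectHostname;
		try {
			actorHostname = new URL(actor).hostname;
			objectHostname = new URL(object.id).hostname;
		} catch (err) {
			// actor or object.id is missing or not an absolute URL (also covers object === null)
			return res.sendStatus(400);
		}
		if (actorHostname !== objectHostname) {
			return res.sendStatus(403);
		}
	}
	// … unchanged: key ownership cross-check …
```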
|   | |||||||