Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: check origin only if object is a string

Browse Source
This commit is contained in:
Julian Lam
2024-02-21 14:05:54 -05:00
parent a94341f489
commit 92a8951bca
2 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/activitypub/notes.js
View File

@@ -21,15 +21,16 @@ Notes.assert = async (uid, input, options = {}) => {
const actors = new Set();
await Promise.all(input.map(async (item) => {
let id = activitypub.helpers.isUri(item) ? item : item.pid;
if (activitypub.helpers.isUri(id)) {
id = await activitypub.resolveId(uid, id);
if (!id) {
winston.warn(`[activitypub/notes.assert] Not asserting ${id}`);
// Dereference only if a url is received
if (activitypub.helpers.isUri(item)) {
item = await activitypub.resolveId(uid, item);
if (!item) {
winston.warn(`[activitypub/notes.assert] Not asserting ${item}`);
return;
}
}
const id = activitypub.helpers.isUri(item) ? item : item.pid;
const key = `post:${id}`;
const exists = await db.exists(key);
winston.verbose(`[activitypub/notes.assert] Asserting note id ${id}`);

4
src/middleware/activitypub.js
View File

@@ -48,11 +48,13 @@ middleware.validate = async function (req, res, next) {
const { actor, object } = req.body;
// Origin checking
if (typeof object !== 'string') {
const actorHostname = new URL(actor).hostname;
const objectHostname = new URL(typeof object === 'string' ? object : object.id).hostname;
const objectHostname = new URL(object.id).hostname;
if (actorHostname !== objectHostname) {
return res.sendStatus(403);
}
}
// Cross-check key ownership against received actor
await activitypub.actors.assert(actor);