From 6073a25bb5cf7ed0b68037a7220723057ae8ee3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Wed, 15 Jan 2025 17:19:27 -0500
Subject: [PATCH] fix: closes #13056, guard against undefined keyid,compare
---
 src/middleware/activitypub.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/middleware/activitypub.js b/src/middleware/activitypub.js
index 30b40e1c7d..f9b8dcd009 100644
--- a/src/middleware/activitypub.js
+++ b/src/middleware/activitypub.js
@@ -107,12 +107,13 @@ middleware.assertPayload = async function (req, res, next) {
 // Cross-check key ownership against received actor
 await activitypub.actors.assert(actor);
- const compare = (await db.getObjectField(`userRemote:${actor}:keys`, 'id')).replace(/#[\w-]+$/, '');
+ const compare = ((await db.getObjectField(`userRemote:${actor}:keys`, 'id')) || '').replace(/#[\w-]+$/, '');
 const { signature } = req.headers;
- const keyId = new Map(signature.split(',').filter(Boolean).map((v) => {
+ let keyId = new Map(signature.split(',').filter(Boolean).map((v) => {
 const index = v.indexOf('=');
 return [v.substring(0, index), v.slice(index + 1)];
- })).get('keyId').slice(1, -1).replace(/#[\w-]+$/, '');
+ })).get('keyId');
+ keyId = (keyId || '').slice(1, -1).replace(/#[\w-]+$/, '');
 if (compare !== keyId) {
 activitypub.helpers.log('[middleware/activitypub] Key ownership cross-check failed.');
 return res.sendStatus(403);
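Review bot: The ownership cross-check at `if (compare !== keyId)` can now pass when both sides are missing, because the two new `|| ''` fallbacks normalise an absent stored key id and an absent `keyId` signature parameter to the same empty string. An empty value on either side should fail closed, e.g. `if (!compare || !keyId || compare !== keyId) {`. `signature.split(',')` is still unguarded, so a request without a `Signature` header would throw here unless an earlier middleware already rejects it; that cannot be confirmed from this hunk, since the body of `middleware.assertPayload` starts and ends outside it.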