From 92a8951bcabebd1617e9cc8710acdc9b167fcfc5 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 21 Feb 2024 14:05:54 -0500
Subject: [PATCH] fix: check origin only if object is a string
---
 src/activitypub/notes.js | 11 ++++++-----
 src/middleware/activitypub.js | 10 ++++++----
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/activitypub/notes.js b/src/activitypub/notes.js
index 795c807d26..be89ad1b3f 100644
--- a/src/activitypub/notes.js
+++ b/src/activitypub/notes.js
@@ -21,15 +21,16 @@ Notes.assert = async (uid, input, options = {}) => {
 const actors = new Set();
 await Promise.all(input.map(async (item) => {
- let id = activitypub.helpers.isUri(item) ? item : item.pid;
- if (activitypub.helpers.isUri(id)) {
- id = await activitypub.resolveId(uid, id);
- if (!id) {
- winston.warn(`[activitypub/notes.assert] Not asserting ${id}`);
+ // Dereference only if a url is received
+ if (activitypub.helpers.isUri(item)) {
+ item = await activitypub.resolveId(uid, item);
+ if (!item) {
+ winston.warn(`[activitypub/notes.assert] Not asserting ${item}`);
 return;
 }
 }
+ const id = activitypub.helpers.isUri(item) ? item : item.pid;
 const key = `post:${id}`;
 const exists = await db.exists(key);
 winston.verbose(`[activitypub/notes.assert] Asserting note id ${id}`);
diff --git a/src/middleware/activitypub.js b/src/middleware/activitypub.js
index bdf28931fb..7a49987c06 100644
--- a/src/middleware/activitypub.js
+++ b/src/middleware/activitypub.js
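Review bot: The warning in the added `if (!item)` branch prints `item` after it has just been overwritten with the falsy result of `activitypub.resolveId`, so the log line reads "Not asserting null" (or undefined) and the URL that failed to resolve is lost; the removed code had the same flaw with `id`. Keep the original value until resolution succeeds: `const resolved = await activitypub.resolveId(uid, item);` / `if (!resolved) { winston.warn(\`[activitypub/notes.assert] Not asserting ${item}\`); return; }` / `item = resolved;`. This also stops the callback from reassigning its own `item` parameter, which makes the later `isUri(item) ? item : item.pid` easier to follow. The map callback and Notes.assert continue past the end of the hunk.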
@@ -48,10 +48,12 @@ middleware.validate = async function (req, res, next) {
 const { actor, object } = req.body;
 // Origin checking
- const actorHostname = new URL(actor).hostname;
- const objectHostname = new URL(typeof object === 'string' ? object : object.id).hostname;
- if (actorHostname !== objectHostname) {
- return res.sendStatus(403);
+ if (typeof object !== 'string') {
+ const actorHostname = new URL(actor).hostname;
+ const objectHostname = new URL(object.id).hostname;
+ if (actorHostname !== objectHostname) {
+ return res.sendStatus(403);
+ }
 }
 // Cross-check key ownership against received actor
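Review bot: The new guard `if (typeof object !== 'string')` skips the actor/object host comparison exactly when `object` is a string, which is the opposite of what the subject line "check origin only if object is a string" states, so one of the two needs correcting, and the surviving `// Origin checking` comment no longer explains why a bare string object is exempt from the 403 path; I would extend it to `// Origin checking: inline objects must be served from the actor's host (string objects are skipped here — TODO document why no host comparison is needed for a bare id)`. Inside the guard, `new URL(object.id)` throws a TypeError when `object` is absent or `id` is not a valid URL; nothing in the hunk checks that, and because middleware.validate is async the throw may surface as an unhandled rejection rather than a 4xx, depending on how the router wraps it. A guard such as `if (!object?.id) return res.sendStatus(400);` placed before the URL parse would make that failure explicit. The rest of middleware.validate lies outside the hunk.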