UNTESTED maybe laxer match on authority - fixes #815

This commit is contained in:
dakkar 2024-11-23 17:51:09 +00:00
parent 536060e63c
commit 387dc4bb4b
7 changed files with 46 additions and 21 deletions

View file

@ -93,6 +93,7 @@
"@swc/core": "1.6.6", "@swc/core": "1.6.6",
"@transfem-org/sfm-js": "0.24.5", "@transfem-org/sfm-js": "0.24.5",
"@twemoji/parser": "15.1.1", "@twemoji/parser": "15.1.1",
"@types/psl": "^1.1.3",
"accepts": "1.3.8", "accepts": "1.3.8",
"ajv": "8.17.1", "ajv": "8.17.1",
"archiver": "7.0.1", "archiver": "7.0.1",
@ -135,9 +136,9 @@
"json5": "2.2.3", "json5": "2.2.3",
"jsonld": "8.3.2", "jsonld": "8.3.2",
"jsrsasign": "11.1.0", "jsrsasign": "11.1.0",
"juice": "11.0.0",
"megalodon": "workspace:*", "megalodon": "workspace:*",
"meilisearch": "0.42.0", "meilisearch": "0.42.0",
"juice": "11.0.0",
"microformats-parser": "2.0.2", "microformats-parser": "2.0.2",
"mime-types": "2.1.35", "mime-types": "2.1.35",
"misskey-js": "workspace:*", "misskey-js": "workspace:*",
@ -158,6 +159,7 @@
"probe-image-size": "7.2.3", "probe-image-size": "7.2.3",
"promise-limit": "2.7.0", "promise-limit": "2.7.0",
"proxy-addr": "^2.0.7", "proxy-addr": "^2.0.7",
"psl": "^1.13.0",
"pug": "3.0.3", "pug": "3.0.3",
"punycode": "2.3.1", "punycode": "2.3.1",
"qrcode": "1.5.4", "qrcode": "1.5.4",

View file

@ -7,6 +7,7 @@ import { URL } from 'node:url';
import { toASCII } from 'punycode'; import { toASCII } from 'punycode';
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import RE2 from 're2'; import RE2 from 're2';
import psl from 'psl';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import type { Config } from '@/config.js'; import type { Config } from '@/config.js';
import { bindThis } from '@/decorators.js'; import { bindThis } from '@/decorators.js';
@ -122,6 +123,14 @@ export class UtilityService {
return host; return host;
} }
@bindThis
public punyHostPSLDomain(url: string): string {
const urlObj = new URL(url);
const domain = psl.get(urlObj.hostname) ?? urlObj.hostname;
const host = `${this.toPuny(domain)}${urlObj.port.length > 0 ? ':' + urlObj.port : ''}`;
return host;
}
public isFederationAllowedHost(host: string): boolean { public isFederationAllowedHost(host: string): boolean {
if (this.meta.federation === 'none') return false; if (this.meta.federation === 'none') return false;
if (this.meta.federation === 'specified' && !this.meta.federationHosts.some(x => `.${host.toLowerCase()}`.endsWith(`.${x}`))) return false; if (this.meta.federation === 'specified' && !this.meta.federationHosts.some(x => `.${host.toLowerCase()}`.endsWith(`.${x}`))) return false;

View file

@ -243,7 +243,7 @@ export class ApRequestService {
if (alternate) { if (alternate) {
const href = alternate.getAttribute('href'); const href = alternate.getAttribute('href');
if (href) { if (href) {
if (this.utilityService.punyHost(url) === this.utilityService.punyHost(href)) { if (this.utilityService.punyHostPSLDomain(url) === this.utilityService.punyHostPSLDomain(href)) {
return await this.signedGet(href, user, false); return await this.signedGet(href, user, false);
} }
} }

View file

@ -131,7 +131,7 @@ export class Resolver {
throw new UnrecoverableError(`invalid AP object ${value}: missing id`); throw new UnrecoverableError(`invalid AP object ${value}: missing id`);
} }
if (this.utilityService.punyHost(object.id) !== this.utilityService.punyHost(value)) { if (this.utilityService.punyHostPSLDomain(object.id) !== this.utilityService.punyHostPSLDomain(value)) {
throw new UnrecoverableError(`invalid AP object ${value}: id ${object.id} has different host`); throw new UnrecoverableError(`invalid AP object ${value}: id ${object.id} has different host`);
} }

View file

@ -192,8 +192,8 @@ export class ApNoteService {
throw new UnrecoverableError(`unexpected schema of note.url ${url} in ${entryUri}`); throw new UnrecoverableError(`unexpected schema of note.url ${url} in ${entryUri}`);
} }
if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(note.id)) { if (this.utilityService.punyHostPSLDomain(url) !== this.utilityService.punyHostPSLDomain(note.id)) {
throw new Error(`note url <> uri host mismatch: ${url} <> ${note.id} in ${entryUri}`); throw new UnrecoverableError(`note url <> uri host mismatch: ${url} <> ${note.id} in ${entryUri}`);
} }
} }
@ -444,7 +444,7 @@ export class ApNoteService {
throw new UnrecoverableError(`unexpected schema of note.url ${url} in ${noteUri}`); throw new UnrecoverableError(`unexpected schema of note.url ${url} in ${noteUri}`);
} }
if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(note.id)) { if (this.utilityService.punyHostPSLDomain(url) !== this.utilityService.punyHostPSLDomain(note.id)) {
throw new UnrecoverableError(`note url <> id host mismatch: ${url} <> ${note.id} in ${noteUri}`); throw new UnrecoverableError(`note url <> id host mismatch: ${url} <> ${note.id} in ${noteUri}`);
} }
} }

View file

@ -138,7 +138,7 @@ export class ApPersonService implements OnModuleInit {
*/ */
@bindThis @bindThis
private validateActor(x: IObject, uri: string): IActor { private validateActor(x: IObject, uri: string): IActor {
const expectHost = this.utilityService.punyHost(uri); const expectHost = this.utilityService.punyHostPSLDomain(uri);
if (!isActor(x)) { if (!isActor(x)) {
throw new UnrecoverableError(`invalid Actor type '${x.type}' in ${uri}`); throw new UnrecoverableError(`invalid Actor type '${x.type}' in ${uri}`);
@ -152,7 +152,7 @@ export class ApPersonService implements OnModuleInit {
throw new UnrecoverableError(`invalid Actor ${uri} - wrong inbox type`); throw new UnrecoverableError(`invalid Actor ${uri} - wrong inbox type`);
} }
const inboxHost = this.utilityService.punyHost(x.inbox); const inboxHost = this.utilityService.punyHostPSLDomain(x.inbox);
if (inboxHost !== expectHost) { if (inboxHost !== expectHost) {
throw new UnrecoverableError(`invalid Actor ${uri} - wrong inbox ${inboxHost}`); throw new UnrecoverableError(`invalid Actor ${uri} - wrong inbox ${inboxHost}`);
} }
@ -160,7 +160,7 @@ export class ApPersonService implements OnModuleInit {
const sharedInboxObject = x.sharedInbox ?? (x.endpoints ? x.endpoints.sharedInbox : undefined); const sharedInboxObject = x.sharedInbox ?? (x.endpoints ? x.endpoints.sharedInbox : undefined);
if (sharedInboxObject != null) { if (sharedInboxObject != null) {
const sharedInbox = getApId(sharedInboxObject); const sharedInbox = getApId(sharedInboxObject);
if (!(typeof sharedInbox === 'string' && sharedInbox.length > 0 && this.utilityService.punyHost(sharedInbox) === expectHost)) { if (!(typeof sharedInbox === 'string' && sharedInbox.length > 0 && this.utilityService.punyHostPSLDomain(sharedInbox) === expectHost)) {
throw new UnrecoverableError(`invalid Actor ${uri} - wrong shared inbox ${sharedInbox}`); throw new UnrecoverableError(`invalid Actor ${uri} - wrong shared inbox ${sharedInbox}`);
} }
} }
@ -170,7 +170,7 @@ export class ApPersonService implements OnModuleInit {
if (xCollection != null) { if (xCollection != null) {
const collectionUri = getApId(xCollection); const collectionUri = getApId(xCollection);
if (typeof collectionUri === 'string' && collectionUri.length > 0) { if (typeof collectionUri === 'string' && collectionUri.length > 0) {
if (this.utilityService.punyHost(collectionUri) !== expectHost) { if (this.utilityService.punyHostPSLDomain(collectionUri) !== expectHost) {
throw new UnrecoverableError(`invalid Actor ${uri} - wrong ${collection} ${collectionUri}`); throw new UnrecoverableError(`invalid Actor ${uri} - wrong ${collection} ${collectionUri}`);
} }
} else if (collectionUri != null) { } else if (collectionUri != null) {
@ -202,7 +202,7 @@ export class ApPersonService implements OnModuleInit {
x.summary = truncate(x.summary, summaryLength); x.summary = truncate(x.summary, summaryLength);
} }
const idHost = this.utilityService.punyHost(x.id); const idHost = this.utilityService.punyHostPSLDomain(x.id);
if (idHost !== expectHost) { if (idHost !== expectHost) {
throw new UnrecoverableError(`invalid Actor ${uri} - wrong id ${x.id}`); throw new UnrecoverableError(`invalid Actor ${uri} - wrong id ${x.id}`);
} }
@ -212,7 +212,7 @@ export class ApPersonService implements OnModuleInit {
throw new UnrecoverableError(`invalid Actor ${uri} - wrong publicKey.id type`); throw new UnrecoverableError(`invalid Actor ${uri} - wrong publicKey.id type`);
} }
const publicKeyIdHost = this.utilityService.punyHost(x.publicKey.id); const publicKeyIdHost = this.utilityService.punyHostPSLDomain(x.publicKey.id);
if (publicKeyIdHost !== expectHost) { if (publicKeyIdHost !== expectHost) {
throw new UnrecoverableError(`invalid Actor ${uri} - wrong publicKey.id ${x.publicKey.id}`); throw new UnrecoverableError(`invalid Actor ${uri} - wrong publicKey.id ${x.publicKey.id}`);
} }
@ -351,7 +351,7 @@ export class ApPersonService implements OnModuleInit {
throw new UnrecoverableError(`unexpected schema of person url ${url} in ${uri}`); throw new UnrecoverableError(`unexpected schema of person url ${url} in ${uri}`);
} }
if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(person.id)) { if (this.utilityService.punyHostPSLDomain(url) !== this.utilityService.punyHostPSLDomain(person.id)) {
throw new UnrecoverableError(`person url <> uri host mismatch: ${url} <> ${person.id} in ${uri}`); throw new UnrecoverableError(`person url <> uri host mismatch: ${url} <> ${person.id} in ${uri}`);
} }
} }
@ -563,7 +563,7 @@ export class ApPersonService implements OnModuleInit {
throw new UnrecoverableError(`unexpected schema of person url ${url} in ${uri}`); throw new UnrecoverableError(`unexpected schema of person url ${url} in ${uri}`);
} }
if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(person.id)) { if (this.utilityService.punyHostPSLDomain(url) !== this.utilityService.punyHostPSLDomain(person.id)) {
throw new UnrecoverableError(`person url <> uri host mismatch: ${url} <> ${person.id} in ${uri}`); throw new UnrecoverableError(`person url <> uri host mismatch: ${url} <> ${person.id} in ${uri}`);
} }
} }

View file

@ -170,6 +170,9 @@ importers:
'@twemoji/parser': '@twemoji/parser':
specifier: 15.1.1 specifier: 15.1.1
version: 15.1.1 version: 15.1.1
'@types/psl':
specifier: ^1.1.3
version: 1.1.3
accepts: accepts:
specifier: 1.3.8 specifier: 1.3.8
version: 1.3.8 version: 1.3.8
@ -365,6 +368,9 @@ importers:
proxy-addr: proxy-addr:
specifier: ^2.0.7 specifier: ^2.0.7
version: 2.0.7 version: 2.0.7
psl:
specifier: ^1.13.0
version: 1.13.0
pug: pug:
specifier: 3.0.3 specifier: 3.0.3
version: 3.0.3 version: 3.0.3
@ -4835,6 +4841,9 @@ packages:
'@types/proxy-addr@2.0.3': '@types/proxy-addr@2.0.3':
resolution: {integrity: sha512-TgAHHO4tNG3HgLTUhB+hM4iwW6JUNeQHCLnF1DjaDA9c69PN+IasoFu2MYDhubFc+ZIw5c5t9DMtjvrD6R3Egg==} resolution: {integrity: sha512-TgAHHO4tNG3HgLTUhB+hM4iwW6JUNeQHCLnF1DjaDA9c69PN+IasoFu2MYDhubFc+ZIw5c5t9DMtjvrD6R3Egg==}
'@types/psl@1.1.3':
resolution: {integrity: sha512-Iu174JHfLd7i/XkXY6VDrqSlPvTDQOtQI7wNAXKKOAADJ9TduRLkNdMgjGiMxSttUIZnomv81JAbAbC0DhggxA==}
'@types/pug@2.0.10': '@types/pug@2.0.10':
resolution: {integrity: sha512-Sk/uYFOBAB7mb74XcpizmH0KOR2Pv3D2Hmrh1Dmy5BmK3MpdSa5kqZcg6EKBdklU0bFXX9gCfzvpnyUehrPIuA==} resolution: {integrity: sha512-Sk/uYFOBAB7mb74XcpizmH0KOR2Pv3D2Hmrh1Dmy5BmK3MpdSa5kqZcg6EKBdklU0bFXX9gCfzvpnyUehrPIuA==}
@ -5307,6 +5316,7 @@ packages:
acorn-import-assertions@1.9.0: acorn-import-assertions@1.9.0:
resolution: {integrity: sha512-cmMwop9x+8KFhxvKrKfPYmN6/pKTYYHBqLa0DfvVZcKMJWNyWLnaqND7dx/qn66R7ewM1UX5XMaDVP5wlVTaVA==} resolution: {integrity: sha512-cmMwop9x+8KFhxvKrKfPYmN6/pKTYYHBqLa0DfvVZcKMJWNyWLnaqND7dx/qn66R7ewM1UX5XMaDVP5wlVTaVA==}
deprecated: package has been renamed to acorn-import-attributes
peerDependencies: peerDependencies:
acorn: ^8 acorn: ^8
@ -9736,8 +9746,8 @@ packages:
pseudomap@1.0.2: pseudomap@1.0.2:
resolution: {integrity: sha512-b/YwNhb8lk1Zz2+bXXpS/LK9OisiZZ1SNsSLxN1x2OXVEhW2Ckr/7mWE5vrC1ZTiJlD9g19jWszTmJsB+oEpFQ==} resolution: {integrity: sha512-b/YwNhb8lk1Zz2+bXXpS/LK9OisiZZ1SNsSLxN1x2OXVEhW2Ckr/7mWE5vrC1ZTiJlD9g19jWszTmJsB+oEpFQ==}
psl@1.9.0: psl@1.13.0:
resolution: {integrity: sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==} resolution: {integrity: sha512-BFwmFXiJoFqlUpZ5Qssolv15DMyc84gTBds1BjsV1BfXEo1UyyD7GsmN67n7J77uRhoSNW1AXtXKPLcBFQn9Aw==}
pstree.remy@1.1.8: pstree.remy@1.1.8:
resolution: {integrity: sha512-77DZwxQmxKnu3aR542U+X8FypNzbfJ+C5XQDk3uWjWxn6151aIMGthWYRXTqT1E5oJvg+ljaa2OJi+VfvCOQ8w==} resolution: {integrity: sha512-77DZwxQmxKnu3aR542U+X8FypNzbfJ+C5XQDk3uWjWxn6151aIMGthWYRXTqT1E5oJvg+ljaa2OJi+VfvCOQ8w==}
@ -13103,7 +13113,7 @@ snapshots:
'@eslint/config-array@0.17.1': '@eslint/config-array@0.17.1':
dependencies: dependencies:
'@eslint/object-schema': 2.1.4 '@eslint/object-schema': 2.1.4
debug: 4.3.5(supports-color@8.1.1) debug: 4.3.7
minimatch: 3.1.2 minimatch: 3.1.2
transitivePeerDependencies: transitivePeerDependencies:
- supports-color - supports-color
@ -13125,7 +13135,7 @@ snapshots:
'@eslint/eslintrc@3.1.0': '@eslint/eslintrc@3.1.0':
dependencies: dependencies:
ajv: 6.12.6 ajv: 6.12.6
debug: 4.3.5(supports-color@8.1.1) debug: 4.3.7
espree: 10.1.0 espree: 10.1.0
globals: 14.0.0 globals: 14.0.0
ignore: 5.3.1 ignore: 5.3.1
@ -15648,6 +15658,8 @@ snapshots:
dependencies: dependencies:
'@types/node': 20.14.12 '@types/node': 20.14.12
'@types/psl@1.1.3': {}
'@types/pug@2.0.10': {} '@types/pug@2.0.10': {}
'@types/punycode@2.1.4': {} '@types/punycode@2.1.4': {}
@ -18435,7 +18447,7 @@ snapshots:
ajv: 6.12.6 ajv: 6.12.6
chalk: 4.1.2 chalk: 4.1.2
cross-spawn: 7.0.3 cross-spawn: 7.0.3
debug: 4.3.5(supports-color@8.1.1) debug: 4.3.7
escape-string-regexp: 4.0.0 escape-string-regexp: 4.0.0
eslint-scope: 8.0.2 eslint-scope: 8.0.2
eslint-visitor-keys: 4.0.0 eslint-visitor-keys: 4.0.0
@ -22014,7 +22026,9 @@ snapshots:
pseudomap@1.0.2: {} pseudomap@1.0.2: {}
psl@1.9.0: {} psl@1.13.0:
dependencies:
punycode: 2.3.1
pstree.remy@1.1.8: {} pstree.remy@1.1.8: {}
@ -23256,7 +23270,7 @@ snapshots:
tough-cookie@4.1.4: tough-cookie@4.1.4:
dependencies: dependencies:
psl: 1.9.0 psl: 1.13.0
punycode: 2.3.1 punycode: 2.3.1
universalify: 0.2.0 universalify: 0.2.0
url-parse: 1.5.10 url-parse: 1.5.10