look inside url
when checking activity origin - #512
The previous assertion that: > if it's a complicated thing and the `activity.id` doesn't match, I > think we're fine rejecting the activity was wrong: at least peertube sends activities that have `url` as an array of objects. Notice that this does *not*, in fact, fix #512: the peertube activity does not contain its short URL (`https://example.com/w/someid`), so there's no way to confirm that it is the activity we requested.
This commit is contained in:
parent
95ec40d3c8
commit
c05cc63e24
@ -4,16 +4,24 @@
|
|||||||
*/
|
*/
|
||||||
import type { IObject } from '../type.js';
|
import type { IObject } from '../type.js';
|
||||||
|
|
||||||
|
function getHrefFrom(one: IObject|string): string | undefined {
|
||||||
|
if (typeof(one) === 'string') return one;
|
||||||
|
return one.href;
|
||||||
|
}
|
||||||
|
|
||||||
export function assertActivityMatchesUrls(activity: IObject, urls: string[]) {
|
export function assertActivityMatchesUrls(activity: IObject, urls: string[]) {
|
||||||
const idOk = activity.id !== undefined && urls.includes(activity.id);
|
const idOk = activity.id !== undefined && urls.includes(activity.id);
|
||||||
|
if (idOk) return;
|
||||||
|
|
||||||
// technically `activity.url` could be an `ApObject = IObject |
|
const url = activity.url;
|
||||||
// string | (IObject | string)[]`, but if it's a complicated thing
|
if (url) {
|
||||||
// and the `activity.id` doesn't match, I think we're fine
|
// `activity.url` can be an `ApObject = IObject | string | (IObject
|
||||||
// rejecting the activity
|
// | string)[]`, we have to look inside it
|
||||||
const urlOk = typeof(activity.url) === 'string' && urls.includes(activity.url);
|
const activityUrls = Array.isArray(url) ? url.map(getHrefFrom) : [getHrefFrom(url)];
|
||||||
|
const goodUrl = activityUrls.find(u => u && urls.includes(u));
|
||||||
|
|
||||||
if (!idOk && !urlOk) {
|
if (goodUrl) return;
|
||||||
throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${activity?.url}) match location(${urls})`);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${JSON.stringify(activity?.url)}) match location(${urls})`);
|
||||||
}
|
}
|
||||||
|
51
packages/backend/test/unit/misc/check-against-url.ts
Normal file
51
packages/backend/test/unit/misc/check-against-url.ts
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
/*
|
||||||
|
* SPDX-FileCopyrightText: dakkar and sharkey-project
|
||||||
|
* SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
*/
|
||||||
|
|
||||||
|
import type { IObject } from '@/core/activitypub/type.js';
|
||||||
|
import { describe, expect, test } from '@jest/globals';
|
||||||
|
import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
|
||||||
|
|
||||||
|
function assertOne(activity: IObject) {
|
||||||
|
// return a function so we can use `.toThrow`
|
||||||
|
return () => assertActivityMatchesUrls(activity, ['good']);
|
||||||
|
}
|
||||||
|
|
||||||
|
describe('assertActivityMatchesUrls', () => {
|
||||||
|
test('id', () => {
|
||||||
|
expect(assertOne({ id: 'bad' })).toThrow(/bad Activity/);
|
||||||
|
expect(assertOne({ id: 'good' })).not.toThrow();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('simple url', () => {
|
||||||
|
expect(assertOne({ url: 'bad' })).toThrow(/bad Activity/);
|
||||||
|
expect(assertOne({ url: 'good' })).not.toThrow();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('array of urls', () => {
|
||||||
|
expect(assertOne({ url: ['bad'] })).toThrow(/bad Activity/);
|
||||||
|
expect(assertOne({ url: ['bad', 'other'] })).toThrow(/bad Activity/);
|
||||||
|
expect(assertOne({ url: ['good'] })).not.toThrow();
|
||||||
|
expect(assertOne({ url: ['bad', 'good'] })).not.toThrow();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('array of objects', () => {
|
||||||
|
expect(assertOne({ url: [{ href: 'bad' }] })).toThrow(/bad Activity/);
|
||||||
|
expect(assertOne({ url: [{ href: 'bad' }, { href: 'other' }] })).toThrow(/bad Activity/);
|
||||||
|
expect(assertOne({ url: [{ href: 'good' }] })).not.toThrow();
|
||||||
|
expect(assertOne({ url: [{ href: 'bad' }, { href: 'good' }] })).not.toThrow();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('mixed array', () => {
|
||||||
|
expect(assertOne({ url: [{ href: 'bad' }, 'other'] })).toThrow(/bad Activity/);
|
||||||
|
expect(assertOne({ url: [{ href: 'bad' }, 'good'] })).not.toThrow();
|
||||||
|
expect(assertOne({ url: ['bad', { href: 'good' }] })).not.toThrow();
|
||||||
|
});
|
||||||
|
|
||||||
|
test('id and url', () => {
|
||||||
|
expect(assertOne({ id: 'other', url: 'bad' })).toThrow(/bad Activity/);
|
||||||
|
expect(assertOne({ id: 'bad', url: 'good' })).not.toThrow();
|
||||||
|
expect(assertOne({ id: 'good', url: 'bad' })).not.toThrow();
|
||||||
|
});
|
||||||
|
});
|
Loading…
Reference in New Issue
Block a user