FoundKeyGang/FoundKey
FoundKeyGang/FoundKey
7
19
Fork 22
Code Issues 37 Pull requests 4 Releases Activity

activitypub: disallow cross-origin redirects

Browse source 
Changelog: Security
This commit is contained in:
Johann150 2024-03-30 15:05:12 +01:00
parent 7e37a8fd88
commit 01f8c5d7da
Signed by: Johann150
GPG key ID: 9EE6577A2A06F8F1
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
packages/backend/src/remote/activitypub/request.ts
View file

@ -118,7 +118,12 @@ export async function signedGet(_url: string, user: { id: User['id'] }): Promise
if (res.status >= 300 && res.status < 400) {
// Have been redirected, need to make a new signature.
// Use Location header and fetched URL as the base URL.
url = new URL(res.headers.get('Location'), url).href;
let newUrl = new URL(res.headers.get('Location'), url);
// Check that we have not been redirected to a different host.
if (newUrl.host !== new URL(url).host) {
throw new Error('cross-origin redirect not allowed');
}
url = newUrl.href;
} else {
if (!isActivitypub(res.headers.get('Content-Type'))) {
throw new Error('invalid response content type');