refactor function placement

This commit is contained in:
Johann150 2024-03-30 14:30:28 +01:00
parent ac1ef641f5
commit e2311a6f4b
Signed by: Johann150
GPG key ID: 9EE6577A2A06F8F1

View file

@ -54,6 +54,39 @@ export async function request(user: { id: User['id'] }, url: string, object: any
} }
} }
// Determine that the content type actually is an activitypub object.
//
// This defends against the possibility of a user of a remote instance uploading
// something that looks like an ActivityPub object and thus masquerading as any
// other user on that same instance. It in turn depends on the server not
// returning that content as an ActivityPub MIME type.
//
// Ref: GHSA-jhrq-qvrm-qr36
function isActivitypub(_contentType: string): boolean {
const contentType = _contentType.toLowerCase()
if (contentType.startsWith('application/activity+json')) {
return true;
}
if (contentType.startsWith('application/ld+json')) {
// oh lord, actually parsing the MIME type
// Ref: <urn:ietf:rfc:2045> § 5.1
// Ref: <https://www.iana.org/assignments/media-types/application/ld+json>
let start = contentType.indexOf('profile="');
if (start === -1) return false; // profile is required for our purposes
start += 'profile="'.length;
let end = contentType.indexOf('"', start);
if (end === -1) return false; // malformed MIME type
let profiles = contentType.substring(start, end).split(/\s+/);
if (profiles.includes('https://www.w3.org/ns/activitystreams')) {
return true;
}
}
return false;
};
/** /**
* Get AP object with http-signature * Get AP object with http-signature
* @param user http-signature user * @param user http-signature user
@ -87,39 +120,6 @@ export async function signedGet(_url: string, user: { id: User['id'] }): Promise
// Use Location header and fetched URL as the base URL. // Use Location header and fetched URL as the base URL.
url = new URL(res.headers.get('Location'), url).href; url = new URL(res.headers.get('Location'), url).href;
} else { } else {
// Determine that the content type we got back actually is an activitypub object.
//
// This defends against the possibility of a user of a remote instance uploading
// something that looks like an ActivityPub object and thus masquerading as any
// other user on that same instance. It in turn depends on the server not
// returning that content as an ActivityPub MIME type.
//
// Ref: GHSA-jhrq-qvrm-qr36
const isActivitypub = (_contentType) => {
const contentType = _contentType.toLowerCase()
if (contentType.startsWith('application/activity+json')) {
return true;
}
if (contentType.startsWith('application/ld+json')) {
// oh lord, actually parsing the MIME type
// Ref: <urn:ietf:rfc:2045> § 5.1
// Ref: <https://www.iana.org/assignments/media-types/application/ld+json>
let start = contentType.indexOf('profile="');
if (start === -1) return false; // profile is required for our purposes
start += 'profile="'.length;
let end = contentType.indexOf('"', start);
if (end === -1) return false; // malformed MIME type
let profiles = contentType.substring(start, end).split(/\s+/);
if (profiles.includes('https://www.w3.org/ns/activitystreams')) {
return true;
}
}
return false;
};
if (!isActivitypub(res.headers.get('Content-Type'))) { if (!isActivitypub(res.headers.get('Content-Type'))) {
throw new Error('invalid response content type'); throw new Error('invalid response content type');
} }