refactor function placement
This commit is contained in:
parent
ac1ef641f5
commit
e2311a6f4b
1 changed files with 33 additions and 33 deletions
|
@ -54,6 +54,39 @@ export async function request(user: { id: User['id'] }, url: string, object: any
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Determine that the content type actually is an activitypub object.
|
||||||
|
//
|
||||||
|
// This defends against the possibility of a user of a remote instance uploading
|
||||||
|
// something that looks like an ActivityPub object and thus masquerading as any
|
||||||
|
// other user on that same instance. It in turn depends on the server not
|
||||||
|
// returning that content as an ActivityPub MIME type.
|
||||||
|
//
|
||||||
|
// Ref: GHSA-jhrq-qvrm-qr36
|
||||||
|
function isActivitypub(_contentType: string): boolean {
|
||||||
|
const contentType = _contentType.toLowerCase()
|
||||||
|
if (contentType.startsWith('application/activity+json')) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (contentType.startsWith('application/ld+json')) {
|
||||||
|
// oh lord, actually parsing the MIME type
|
||||||
|
// Ref: <urn:ietf:rfc:2045> § 5.1
|
||||||
|
// Ref: <https://www.iana.org/assignments/media-types/application/ld+json>
|
||||||
|
let start = contentType.indexOf('profile="');
|
||||||
|
if (start === -1) return false; // profile is required for our purposes
|
||||||
|
|
||||||
|
start += 'profile="'.length;
|
||||||
|
let end = contentType.indexOf('"', start);
|
||||||
|
if (end === -1) return false; // malformed MIME type
|
||||||
|
|
||||||
|
let profiles = contentType.substring(start, end).split(/\s+/);
|
||||||
|
if (profiles.includes('https://www.w3.org/ns/activitystreams')) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get AP object with http-signature
|
* Get AP object with http-signature
|
||||||
* @param user http-signature user
|
* @param user http-signature user
|
||||||
|
@ -87,39 +120,6 @@ export async function signedGet(_url: string, user: { id: User['id'] }): Promise
|
||||||
// Use Location header and fetched URL as the base URL.
|
// Use Location header and fetched URL as the base URL.
|
||||||
url = new URL(res.headers.get('Location'), url).href;
|
url = new URL(res.headers.get('Location'), url).href;
|
||||||
} else {
|
} else {
|
||||||
// Determine that the content type we got back actually is an activitypub object.
|
|
||||||
//
|
|
||||||
// This defends against the possibility of a user of a remote instance uploading
|
|
||||||
// something that looks like an ActivityPub object and thus masquerading as any
|
|
||||||
// other user on that same instance. It in turn depends on the server not
|
|
||||||
// returning that content as an ActivityPub MIME type.
|
|
||||||
//
|
|
||||||
// Ref: GHSA-jhrq-qvrm-qr36
|
|
||||||
const isActivitypub = (_contentType) => {
|
|
||||||
const contentType = _contentType.toLowerCase()
|
|
||||||
if (contentType.startsWith('application/activity+json')) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
if (contentType.startsWith('application/ld+json')) {
|
|
||||||
// oh lord, actually parsing the MIME type
|
|
||||||
// Ref: <urn:ietf:rfc:2045> § 5.1
|
|
||||||
// Ref: <https://www.iana.org/assignments/media-types/application/ld+json>
|
|
||||||
let start = contentType.indexOf('profile="');
|
|
||||||
if (start === -1) return false; // profile is required for our purposes
|
|
||||||
|
|
||||||
start += 'profile="'.length;
|
|
||||||
let end = contentType.indexOf('"', start);
|
|
||||||
if (end === -1) return false; // malformed MIME type
|
|
||||||
|
|
||||||
let profiles = contentType.substring(start, end).split(/\s+/);
|
|
||||||
if (profiles.includes('https://www.w3.org/ns/activitystreams')) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
};
|
|
||||||
|
|
||||||
if (!isActivitypub(res.headers.get('Content-Type'))) {
|
if (!isActivitypub(res.headers.get('Content-Type'))) {
|
||||||
throw new Error('invalid response content type');
|
throw new Error('invalid response content type');
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue