author | Claire <claire.github-309c@sitedethib.com> | 2024-02-16 11:56:12 +0100 |
committer | Starfall <us@starfall.systems> | 2024-02-16 11:19:46 -0600 |
commit | 41a1757aecf7d894965b45abece8cbc408f8f99c (patch) | |
tree | 857a5c25e55a4cd7311ac32059c8ee597ff2335c /app | |
parent | 8f6a0c2cc87d4515ffa3be0ab8768ced5dcb5850 (diff) |
Merge pull request from GHSA-jhrq-qvrm-qr36 hotfix
* Fix insufficient Content-Type checking of fetched ActivityStreams objects * Allow JSON-LD documents with multiple profiles
Diffstat (limited to 'app')
-rw-r--r-- | app/helpers/jsonld_helper.rb | 14 | ||||
-rw-r--r-- | app/services/fetch_resource_service.rb | 2 |
2 files changed, 14 insertions, 2 deletions
diff --git a/app/helpers/jsonld_helper.rb b/app/helpers/jsonld_helper.rb
index b81ca5b35..5da220cdf 100644
--- a/app/helpers/jsonld_helper.rb
+++ b/app/helpers/jsonld_helper.rb
@@ -174,7 +174,19 @@ module JsonLdHelper
 build_request(uri, on_behalf_of).perform do |response|
 raise Mastodon::UnexpectedResponseError, response unless response_successful?(response) || response_error_unsalvageable?(response) || !raise_on_temporary_error
- body_to_json(response.body_with_limit) if response.code == 200
+ body_to_json(response.body_with_limit) if response.code == 200 && valid_activitypub_content_type?(response)
+ end
+ end
+
+ def valid_activitypub_content_type?(response)
+ return true if response.mime_type == 'application/activity+json'
+
+ # When the mime type is `application/ld+json`, we need to check the profile,
+ # but `http.rb` does not parse it for us.
+ return false unless response.mime_type == 'application/ld+json'
+
+ response.headers[HTTP::Headers::CONTENT_TYPE]&.split(';')&.map(&:strip)&.any? do |str|
+ str.start_with?('profile="') && str[9...-1].split.include?('https://www.w3.org/ns/activitystreams')
 end
 end
diff --git a/app/services/fetch_resource_service.rb b/app/services/fetch_resource_service.rb
index c6f382876..01b602124 100644
--- a/app/services/fetch_resource_service.rb
+++ b/app/services/fetch_resource_service.rb
@@ -43,7 +43,7 @@ class FetchResourceService < BaseService
 @response_code = response.code
 return nil if response.code != 200
- if ['application/activity+json', 'application/ld+json'].include?(response.mime_type)
+ if valid_activitypub_content_type?(response)
 body = response.body_with_limit
 json = body_to_json(body) |
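Review bot: The profile extraction in `valid_activitypub_content_type?` relies on a positional slice, `str[9...-1]`, which assumes the parameter is spelled exactly lower-case `profile=` with a double-quoted value; media-type parameter names are case-insensitive under RFC 7231, so a peer sending `Profile="…"` is rejected (fail-closed, but a silent false negative). An anchored, case-insensitive match would make the intent explicit and drop the magic offset, e.g. `profiles = str[/\Aprofile="([^"]*)"\z/i, 1]` followed by `profiles&.split&.include?('https://www.w3.org/ns/activitystreams')` in place of the `start_with?` line. A one-line comment on the predicate stating the rule, `# Accept application/activity+json, or application/ld+json whose profile list names the ActivityStreams namespace; anything else fails closed`, would help the next reader. The method that contains `build_request` starts before the hunk, and the hunk header announces 19 new lines while 17 are visible here, so the rendering may have dropped trailing context.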
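Review bot: The replacement condition tightens what this service accepts: bare `application/ld+json` without the ActivityStreams profile passed the removed array check but fails `valid_activitypub_content_type?`, and nothing in the hunk records why. Since the `else` path is outside the hunk, a reader cannot tell from here whether such responses fall through to another handler or are dropped; a comment on the `if` line, `# Requires the ActivityStreams profile on application/ld+json (GHSA-jhrq-qvrm-qr36); plain JSON-LD is no longer treated as an AP object`, would preserve that intent. The method enclosing this hunk starts before line 43 and continues past the last visible line.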