Merge pull request from GHSA-3p3p-cgj7-vgw3

* fix: SSRF in /m4/:id?/:category* * fix: allow /mastodon/acct/ to any domain when MASTODON_API_HOST is set * fix: add missing import for isValidHost
DIYgod · Mar 5, 2024 · a429472 · a429472
1 parent 4c4d68e
commit a429472
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 7 deletions.
diff --git a/lib/routes/m4/index.ts b/lib/routes/m4/index.ts
@@ -4,6 +4,7 @@ const __dirname = getCurrentPath(import.meta.url);
 
 import cache from '@/utils/cache';
 import got from '@/utils/got';
+import { isValidHost } from '@/utils/valid-host';
 import { load } from 'cheerio';
 import timezone from '@/utils/timezone';
 import { parseDate } from '@/utils/parse-date';
@@ -12,6 +13,9 @@ import * as path from 'node:path';
 
 export default async (ctx) => {
     const { id = 'news', category = 'china' } = ctx.req.param();
+    if (!isValidHost(id)) {
+        throw new Error('Invalid id');
+    }
     const limit = ctx.req.query('limit') ? Number.parseInt(ctx.req.query('limit'), 10) : 30;
 
     const rootUrl = `http://${id}.m4.cn`;

diff --git a/lib/routes/mastodon/acct.ts b/lib/routes/mastodon/acct.ts
@@ -1,14 +1,8 @@
 const utils = require('./utils');
-import { config } from '@/config';
 
 export default async (ctx) => {
     const acct = ctx.req.param('acct');
     const only_media = ctx.req.param('only_media') ? 'true' : 'false';
-    const acctSite = acct.split('@').filter(Boolean)[1];
-
-    if (!config.feature.allow_user_supply_unsafe_domain && !utils.allowSiteList.includes(acctSite)) {
-        throw new Error(`This RSS is disabled unless 'ALLOW_USER_SUPPLY_UNSAFE_DOMAIN' is set to 'true'.`);
-    }
 
     const { site, account_id } = await utils.getAccountIdByAcct(acct);
 

diff --git a/lib/routes/mastodon/utils.ts b/lib/routes/mastodon/utils.ts
@@ -4,7 +4,7 @@ import got from '@/utils/got';
 import { parseDate } from '@/utils/parse-date';
 import { config } from '@/config';
 
-const allowSiteList = ['mastodon.social', 'pawoo.net', config.mastodon.apiHost];
+const allowSiteList = ['mastodon.social', 'pawoo.net', config.mastodon.apiHost].filter(Boolean);
 
 const apiHeaders = (site) => {
     const { accessToken, apiHost } = config.mastodon;
@@ -96,6 +96,9 @@ async function getAccountIdByAcct(acct) {
     if (!(site && acctDomain)) {
         throw new Error('Mastodon RSS is disabled due to the lack of <a href="https://docs.rsshub.app/en/install/#configuration-route-specific-configurations">relevant config</a>');
     }
+    if (!config.feature.allow_user_supply_unsafe_domain && !allowSiteList.includes(site)) {
+        throw new Error(`RSS for this domain is disabled unless 'ALLOW_USER_SUPPLY_UNSAFE_DOMAIN' is set to 'true' or 'MASTODON_API_HOST' is set.`);
+    }
 
     const search_url = `https://${site}/api/v2/search`;
     const cacheUid = `mastodon_acct_id/${site}/${acct}`;