Update ActivityPubFetchService, enforce stricter Content-Type validation

pixelfed · Feb 16, 2024 · 1232cfc · 1232cfc
1 parent 4c6ec20
commit 1232cfc
Showing 1 changed file with 54 additions and 31 deletions.
diff --git a/app/Services/ActivityPubFetchService.php b/app/Services/ActivityPubFetchService.php
@@ -11,38 +11,61 @@
 
 class ActivityPubFetchService
 {
-	public static function get($url, $validateUrl = true)
-	{
+    public static function get($url, $validateUrl = true)
+    {
         if($validateUrl === true) {
-    		if(!Helpers::validateUrl($url)) {
-    			return 0;
-    		}
+            if(!Helpers::validateUrl($url)) {
+                return 0;
+            }
         }
 
-		$baseHeaders = [
-			'Accept' => 'application/activity+json, application/ld+json',
-		];
-
-		$headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get');
-		$headers['Accept'] = 'application/activity+json, application/ld+json';
-		$headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')';
-
-		try {
-			$res = Http::withOptions(['allow_redirects' => false])->withHeaders($headers)
-				->timeout(30)
-				->connectTimeout(5)
-				->retry(3, 500)
-				->get($url);
-		} catch (RequestException $e) {
-			return;
-		} catch (ConnectionException $e) {
-			return;
-		} catch (Exception $e) {
-			return;
-		}
-		if(!$res->ok()) {
-			return;
-		}
-		return $res->body();
-	}
+        $baseHeaders = [
+            'Accept' => 'application/activity+json, application/ld+json',
+        ];
+
+        $headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get');
+        $headers['Accept'] = 'application/activity+json, application/ld+json';
+        $headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')';
+
+        try {
+            $res = Http::withOptions(['allow_redirects' => false])
+                ->withHeaders($headers)
+                ->timeout(30)
+                ->connectTimeout(5)
+                ->retry(3, 500)
+                ->get($url);
+        } catch (RequestException $e) {
+            return;
+        } catch (ConnectionException $e) {
+            return;
+        } catch (Exception $e) {
+            return;
+        }
+
+        if(!$res->ok()) {
+            return;
+        }
+
+        if(!$res->hasHeader('Content-Type')) {
+            return;
+        }
+
+        $acceptedTypes = [
+            'application/activity+json; charset=utf-8',
+            'application/activity+json',
+            'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
+        ];
+
+        $contentType = $res->getHeader('Content-Type')[0];
+
+        if(!$contentType) {
+            return;
+        }
+
+        if(!in_array($contentType, $acceptedTypes)) {
+            return;
+        }
+
+        return $res->body();
+    }
 }