fix (backend): hard code the @context value to avoid possible security risks

Co-authored-by: naskya <m@naskya.net>
2 people authored and atsu1125 committed May 1, 2024
1 parent 3dbda30 commit f6579ad
Showing 4 changed files with 47 additions and 35 deletions.
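--- a/src/queue/processors/inbox.ts
+++ b/src/queue/processors/inbox.ts
@@ -20,8 +20,8 @@ const logger = new Logger('inbox');
 
 // ユーザーのinboxにアクティビティが届いた時の処理
 export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
-const signature = job.data.signature; // HTTP-signature
-const activity = job.data.activity;
+const signature = job.data.signature; // HTTP-signature
+let activity = job.data.activity;
 
 //#region Log
 const info = Object.assign({}, activity);
@@ -100,6 +100,8 @@ export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
 return `skip: LD-Signatureの検証に失敗しました`;
 }
 
+activity = await ldSignature.compactToWellKnown(activity);
+
 // もう一度actorチェック
 if (authUser.user.uri !== activity.actor) {
 return `skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${activity.actor})`;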
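Review bot: The new `compactToWellKnown` call at the top of the second hunk is an awaited JSON-LD operation that can reject (the document loader throws on non-http URLs and any remote context fetch can fail), and unlike the verification failure two lines above, which returns a `skip:` string, nothing visible turns that rejection into a skip; unless the call already sits inside a try block that starts outside the hunk, an inbound activity with an unloadable or malformed `@context` would fail the job instead of being skipped. Suggest wrapping it so the outcome mirrors the verification path, logging through the `logger` declared at the top of the file. The enclosing handler starts and ends outside the hunk, so I cannot confirm the surrounding control flow.
```typescript
// … unchanged: LD-Signature verification, returns `skip:` on failure …
try {
	activity = await ldSignature.compactToWellKnown(activity);
} catch (e) {
	logger.warn(`failed to compact activity to the well-known context: ${e}`);
	return `skip: failed to compact activity to the well-known context`;
}
// … unchanged: second actor check …
```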
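--- a/src/remote/activitypub/misc/contexts.ts
+++ b/src/remote/activitypub/misc/contexts.ts
@@ -515,6 +515,39 @@ const activitystreams = {
 }
 };
 
+export const WellKnownContext = {
+"@context": [
+"https://www.w3.org/ns/activitystreams",
+"https://w3id.org/security/v1",
+{
+// as non-standards
+manuallyApprovesFollowers: "as:manuallyApprovesFollowers",
+sensitive: "as:sensitive",
+Hashtag: "as:Hashtag",
+quoteUrl: "as:quoteUrl",
+// Mastodon
+toot: "http://joinmastodon.org/ns#",
+Emoji: "toot:Emoji",
+featured: "toot:featured",
+discoverable: "toot:discoverable",
+// schema
+schema: "http://schema.org#",
+PropertyValue: "schema:PropertyValue",
+value: "schema:value",
+// Misskey
+misskey: "https://misskey-hub.net/ns#",
+_misskey_content: "misskey:_misskey_content",
+_misskey_quote: "misskey:_misskey_quote",
+_misskey_reaction: "misskey:_misskey_reaction",
+_misskey_votes: "misskey:_misskey_votes",
+_misskey_talk: "misskey:_misskey_talk",
+isCat: "misskey:isCat",
+// vcard
+vcard: "http://www.w3.org/2006/vcard/ns#",
+},
+],
+};
+
 export const CONTEXTS: Record<string, any> = {
 "https://w3id.org/identity/v1": id_v1,
 "https://w3id.org/security/v1": security_v1,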
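Review bot: `WellKnownContext` is exported as a plain mutable object, and `renderActivity` in src/remote/activitypub/renderer/index.ts now builds every outbound activity with `Object.assign({}, WellKnownContext, x)`, which copies a reference to this same `@context` array into each result; any later in-place edit of an activity's `@context` (or of the term map inside it) would silently rewrite the hard-coded context for every subsequent render and for `compactToWellKnown` in ld-signature.ts. Assuming nothing downstream intends to append to `@context`, suggest making the constant immutable where it is declared, e.g. `export const WellKnownContext = Object.freeze({ "@context": Object.freeze([ … ]) });` with the term object frozen too, or at least closing it with `} as const;` so the type side is readonly. A short TSDoc line above it would also help, such as `/** Fixed JSON-LD context: used for every outbound activity and as the compaction target for verified inbound activities. Must not be mutated. */`.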
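--- a/src/remote/activitypub/misc/ld-signature.ts
+++ b/src/remote/activitypub/misc/ld-signature.ts
@@ -1,6 +1,6 @@
 import * as crypto from 'crypto';
 import * as jsonld from 'jsonld';
-import { CONTEXTS } from './contexts';
+import { CONTEXTS, WellKnownContext } from './contexts';
 import fetch from 'node-fetch';
 import { httpAgent, httpsAgent } from '../../../misc/fetch';
 
@@ -83,6 +83,13 @@ export class LdSignature {
 });
 }
 
+public async compactToWellKnown(data: any): Promise<any> {
+const options = { documentLoader: this.getLoader() };
+const context = WellKnownContext as any;
+delete data["signature"];
+return await jsonld.compact(data, context, options);
+}
+
 private getLoader() {
 return async (url: string): Promise<any> => {
 if (!url.match('^https?\:\/\/')) throw `Invalid URL ${url}`;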
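Review bot: `compactToWellKnown` mutates its argument with `delete data["signature"]` before compacting, so any caller that keeps a reference to the original activity (for logging or retries) loses the signature as a side effect the method name does not suggest; the one caller in this commit reassigns `activity` and does not depend on the mutation. Suggest a non-mutating copy and inlining the options: `const { signature: _signature, ...unsigned } = data;` followed by `return jsonld.compact(unsigned, WellKnownContext as any, { documentLoader: this.getLoader() });` (the `await` before the returned promise is redundant in an async method). A TSDoc comment on the method would also be worthwhile, e.g. `/** Re-compacts an already verified activity against the fixed local context, so downstream code sees only the term names defined in WellKnownContext regardless of the @context the remote sender supplied. */` — as I read the commit message, that normalization is the security motivation, and it is best stated where the method is defined. The class continues outside the hunk.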
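--- a/src/remote/activitypub/renderer/index.ts
+++ b/src/remote/activitypub/renderer/index.ts
@@ -5,6 +5,7 @@ import { LdSignature } from '../misc/ld-signature';
 import { ILocalUser } from '../../../models/entities/user';
 import { UserKeypairs } from '../../../models';
 import { ensure } from '../../../prelude/ensure';
+import { WellKnownContext } from '../misc/contexts';
 
 export const renderActivity = (x: any): IActivity | null => {
 if (x == null) return null;
@@ -13,38 +14,7 @@ export const renderActivity = (x: any): IActivity | null => {
 x.id = `${config.url}/${uuid()}`;
 }
 
-return Object.assign({
-'@context': [
-'https://www.w3.org/ns/activitystreams',
-'https://w3id.org/security/v1',
-{
-// as non-standards
-manuallyApprovesFollowers: 'as:manuallyApprovesFollowers',
-sensitive: 'as:sensitive',
-Hashtag: 'as:Hashtag',
-quoteUrl: 'as:quoteUrl',
-// Mastodon
-toot: 'http://joinmastodon.org/ns#',
-Emoji: 'toot:Emoji',
-featured: 'toot:featured',
-discoverable: 'toot:discoverable',
-// schema
-schema: 'http://schema.org#',
-PropertyValue: 'schema:PropertyValue',
-value: 'schema:value',
-// Misskey
-misskey: `https://misskey-hub.net/ns#`,
-'_misskey_content': 'misskey:_misskey_content',
-'_misskey_quote': 'misskey:_misskey_quote',
-'_misskey_reaction': 'misskey:_misskey_reaction',
-'_misskey_votes': 'misskey:_misskey_votes',
-'_misskey_talk': 'misskey:_misskey_talk',
-'isCat': 'misskey:isCat',
-// vcard
-vcard: 'http://www.w3.org/2006/vcard/ns#',
-}
-]
-}, x);
+return Object.assign({}, WellKnownContext, x);
 };
 
 export const attachLdSignature = async (activity: any, user: ILocalUser): Promise<IActivity | null> => {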
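Review bot: In `Object.assign({}, WellKnownContext, x)` the payload `x` is applied last, so an `x` that already carries an `@context` key replaces the hard-coded one, exactly as the removed literal did; if the point of this commit is that outbound activities always advertise `WellKnownContext`, the renderer should not let the payload override it. One way that leaves the argument untouched: `const { '@context': _dropped, ...body } = x;` then `return Object.assign({}, WellKnownContext, body);`. I cannot see whether any caller passes an `@context` deliberately, so this may be intentional — if so, a one-line comment above the return stating that the payload's own `@context` takes precedence would save the next reader the question.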
