fix (backend): hard code the @context value to avoid possible securit…

…y risks Co-authored-by: naskya <m@naskya.net>
sakura-tel · May 1, 2024 · f6579ad · f6579ad
1 parent 3dbda30
commit f6579ad
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 35 deletions.
diff --git a/src/queue/processors/inbox.ts b/src/queue/processors/inbox.ts
@@ -20,8 +20,8 @@ const logger = new Logger('inbox');
 
 // ユーザーのinboxにアクティビティが届いた時の処理
 export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
-	const signature = job.data.signature;	// HTTP-signature
-	const activity = job.data.activity;
+	const signature = job.data.signature; // HTTP-signature
+	let activity = job.data.activity;
 
 	//#region Log
 	const info = Object.assign({}, activity);
@@ -100,6 +100,8 @@ export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
 				return `skip: LD-Signatureの検証に失敗しました`;
 			}
 
+			activity = await ldSignature.compactToWellKnown(activity);
+
 			// もう一度actorチェック
 			if (authUser.user.uri !== activity.actor) {
 				return `skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${activity.actor})`;

diff --git a/src/remote/activitypub/misc/contexts.ts b/src/remote/activitypub/misc/contexts.ts
@@ -515,6 +515,39 @@ const activitystreams = {
   }
 };
 
+export const WellKnownContext = {
+	"@context": [
+		"https://www.w3.org/ns/activitystreams",
+		"https://w3id.org/security/v1",
+		{
+			// as non-standards
+			manuallyApprovesFollowers: "as:manuallyApprovesFollowers",
+			sensitive: "as:sensitive",
+			Hashtag: "as:Hashtag",
+			quoteUrl: "as:quoteUrl",
+			// Mastodon
+			toot: "http://joinmastodon.org/ns#",
+			Emoji: "toot:Emoji",
+			featured: "toot:featured",
+			discoverable: "toot:discoverable",
+			// schema
+			schema: "http://schema.org#",
+			PropertyValue: "schema:PropertyValue",
+			value: "schema:value",
+			// Misskey
+			misskey: "https://misskey-hub.net/ns#",
+			_misskey_content: "misskey:_misskey_content",
+			_misskey_quote: "misskey:_misskey_quote",
+			_misskey_reaction: "misskey:_misskey_reaction",
+			_misskey_votes: "misskey:_misskey_votes",
+			_misskey_talk: "misskey:_misskey_talk",
+			isCat: "misskey:isCat",
+			// vcard
+			vcard: "http://www.w3.org/2006/vcard/ns#",
+		},
+	],
+};
+
 export const CONTEXTS: Record<string, any> = {
   "https://w3id.org/identity/v1": id_v1,
   "https://w3id.org/security/v1": security_v1,

diff --git a/src/remote/activitypub/misc/ld-signature.ts b/src/remote/activitypub/misc/ld-signature.ts
@@ -1,6 +1,6 @@
 import * as crypto from 'crypto';
 import * as jsonld from 'jsonld';
-import { CONTEXTS } from './contexts';
+import { CONTEXTS, WellKnownContext } from './contexts';
 import fetch from 'node-fetch';
 import { httpAgent, httpsAgent } from '../../../misc/fetch';
 
@@ -83,6 +83,13 @@ export class LdSignature {
 		});
 	}
 
+	public async compactToWellKnown(data: any): Promise<any> {
+		const options = { documentLoader: this.getLoader() };
+		const context = WellKnownContext as any;
+		delete data["signature"];
+		return await jsonld.compact(data, context, options);
+	}
+
 	private getLoader() {
 		return async (url: string): Promise<any> => {
 			if (!url.match('^https?\:\/\/')) throw `Invalid URL ${url}`;

diff --git a/src/remote/activitypub/renderer/index.ts b/src/remote/activitypub/renderer/index.ts
@@ -5,6 +5,7 @@ import { LdSignature } from '../misc/ld-signature';
 import { ILocalUser } from '../../../models/entities/user';
 import { UserKeypairs } from '../../../models';
 import { ensure } from '../../../prelude/ensure';
+import { WellKnownContext } from '../misc/contexts';
 
 export const renderActivity = (x: any): IActivity | null => {
 	if (x == null) return null;
@@ -13,38 +14,7 @@ export const renderActivity = (x: any): IActivity | null => {
 		x.id = `${config.url}/${uuid()}`;
 	}
 
-	return Object.assign({
-		'@context': [
-			'https://www.w3.org/ns/activitystreams',
-			'https://w3id.org/security/v1',
-			{
-				// as non-standards
-				manuallyApprovesFollowers: 'as:manuallyApprovesFollowers',
-				sensitive: 'as:sensitive',
-				Hashtag: 'as:Hashtag',
-				quoteUrl: 'as:quoteUrl',
-				// Mastodon
-				toot: 'http://joinmastodon.org/ns#',
-				Emoji: 'toot:Emoji',
-				featured: 'toot:featured',
-				discoverable: 'toot:discoverable',
-				// schema
-				schema: 'http://schema.org#',
-				PropertyValue: 'schema:PropertyValue',
-				value: 'schema:value',
-				// Misskey
-				misskey: `https://misskey-hub.net/ns#`,
-				'_misskey_content': 'misskey:_misskey_content',
-				'_misskey_quote': 'misskey:_misskey_quote',
-				'_misskey_reaction': 'misskey:_misskey_reaction',
-				'_misskey_votes': 'misskey:_misskey_votes',
-				'_misskey_talk': 'misskey:_misskey_talk',
-				'isCat': 'misskey:isCat',
-				// vcard
-				vcard: 'http://www.w3.org/2006/vcard/ns#',
-			}
-		]
-	}, x);
+	return Object.assign({}, WellKnownContext, x);
 };
 
 export const attachLdSignature = async (activity: any, user: ILocalUser): Promise<IActivity | null> => {