fix(backend): fix type error(s) in security fixes (#15009)

* Fix type error in security fixes

(cherry picked from commit fa3cf6c2996741e642955c5e2fca8ad785e83205)

* Fix error in test function calls

(cherry picked from commit 1758f29364eca3cbd13dbb5c84909c93712b3b3b)

* Fix style error

(cherry picked from commit 23c4aa25714af145098baa7edd74c1d217e51c1a)

* Fix another style error

(cherry picked from commit 36af07abe28bec670aaebf9f5af5694bb582c29a)

* Fix `.punyHost` misuse

(cherry picked from commit 6027b516e1c82324d55d6e54d0e17cbd816feb42)

* attempt to fix test: make yaml valid

---------

Co-authored-by: Julia Johannesen <julia@insertdomain.name>
かっこかり 2024-11-21 12:10:02 +09:00 committed by GitHub
parent 53e827b18c
commit 3a6c2aa835
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 21 additions and 19 deletions


@ -54,19 +54,19 @@ class HttpRequestServiceAgent extends http.Agent {
} }
}); });
return socket; return socket;
}; }
@bindThis @bindThis
private isPrivateIp(ip: string): boolean { private isPrivateIp(ip: string): boolean {
const parsedIp = ipaddr.parse(ip); const parsedIp = ipaddr.parse(ip);
for (const net of this.config.allowedPrivateNetworks ?? []) { for (const net of this.config.allowedPrivateNetworks ?? []) {
const cidr = ipaddr.parseCIDR(net); const cidr = ipaddr.parseCIDR(net);
if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) { if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
return false; return false;
} }
} }
return parsedIp.range() !== 'unicast'; return parsedIp.range() !== 'unicast';
} }
} }
@ -93,19 +93,19 @@ class HttpsRequestServiceAgent extends https.Agent {
} }
}); });
return socket; return socket;
}; }
@bindThis @bindThis
private isPrivateIp(ip: string): boolean { private isPrivateIp(ip: string): boolean {
const parsedIp = ipaddr.parse(ip); const parsedIp = ipaddr.parse(ip);
for (const net of this.config.allowedPrivateNetworks ?? []) { for (const net of this.config.allowedPrivateNetworks ?? []) {
const cidr = ipaddr.parseCIDR(net); const cidr = ipaddr.parseCIDR(net);
if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) { if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
return false; return false;
} }
} }
return parsedIp.range() !== 'unicast'; return parsedIp.range() !== 'unicast';
} }
} }


@ -54,7 +54,7 @@ export class RemoteUserResolveService {
}) as MiLocalUser; }) as MiLocalUser;
} }
host = this.utilityService.punyHost(host); host = this.utilityService.toPuny(host);
if (host === this.utilityService.toPuny(this.config.host)) { if (host === this.utilityService.toPuny(this.config.host)) {
this.logger.info(`return local user: ${usernameLower}`); this.logger.info(`return local user: ${usernameLower}`);
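Review bot: The switch from `punyHost` to `toPuny` on the changed line carries no comment saying why `punyHost` is wrong here, and the two names are easy to confuse again. Elsewhere in this commit `punyHost` is applied to a collection URI, so it presumably expects a full URL, while `host` here is a bare hostname compared against `toPuny(this.config.host)` on the next line. I would add `// host is a bare hostname, not a URL: normalise with toPuny so it compares against config.host` above the call. The enclosing method starts and ends outside the hunk.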


@ -163,13 +163,16 @@ export class ApPersonService implements OnModuleInit {
} }
for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) { for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) {
const collectionUri = getApId((x as IActor)[collection]); const xCollection = (x as IActor)[collection];
if (typeof collectionUri === 'string' && collectionUri.length > 0) { if (xCollection != null) {
if (this.utilityService.punyHost(collectionUri) !== expectHost) { const collectionUri = getApId(xCollection);
throw new Error(`invalid Actor: ${collection} has different host`); if (typeof collectionUri === 'string' && collectionUri.length > 0) {
if (this.utilityService.punyHost(collectionUri) !== expectHost) {
throw new Error(`invalid Actor: ${collection} has different host`);
}
} else if (collectionUri != null) {
throw new Error(`invalid Actor: wrong ${collection}`);
} }
} else if (collectionUri != null) {
throw new Error(`invalid Actor: wrong ${collection}`);
} }
} }
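Review bot: Inside the new `xCollection != null` guard, the `else if (collectionUri != null)` branch can still let a value through unvalidated. If `getApId` returned null or undefined for a non-null input, neither branch would run and the collection would be accepted without the host comparison. Absence is already handled by the outer guard, so the inner branch can fail closed by becoming a plain `} else {` in front of the existing "wrong collection" throw. `getApId` is not visible here, so whether it can return a nullish value needs confirming. The loop sits in a method that starts outside the hunk.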


@ -19,7 +19,6 @@ proxyBypassHosts:
- challenges.cloudflare.com - challenges.cloudflare.com
proxyRemoteFiles: true proxyRemoteFiles: true
signToActivityPubGet: true signToActivityPubGet: true
allowedPrivateNetworks: [ allowedPrivateNetworks:
'127.0.0.1/32', - 127.0.0.1/32
'172.20.0.0/16' - 172.20.0.0/16
]
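Review bot: The `allowedPrivateNetworks` list has no comment explaining its effect, and every entry is an exemption from a security check. In the request agents shown earlier in this commit, `isPrivateIp` returns false for any address inside one of these CIDRs. I would add `# exempt from the private-address block on outbound requests; list only what this environment needs` above the key. Which environment this file configures is not visible in the hunk.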


@ -176,7 +176,7 @@ describe('ActivityPub', () => {
resolver.register(actor.id, actor); resolver.register(actor.id, actor);
resolver.register(post.id, post); resolver.register(post.id, post);
const note = await noteService.createNote(post.id, resolver, true); const note = await noteService.createNote(post.id, undefined, resolver, true);
assert.deepStrictEqual(note?.uri, post.id); assert.deepStrictEqual(note?.uri, post.id);
assert.deepStrictEqual(note.visibility, 'public'); assert.deepStrictEqual(note.visibility, 'public');
@ -336,7 +336,7 @@ describe('ActivityPub', () => {
resolver.register(actor.featured, featured); resolver.register(actor.featured, featured);
resolver.register(firstNote.id, firstNote); resolver.register(firstNote.id, firstNote);
const note = await noteService.createNote(firstNote.id as string, resolver); const note = await noteService.createNote(firstNote.id as string, undefined, resolver);
assert.strictEqual(note?.uri, firstNote.id); assert.strictEqual(note?.uri, firstNote.id);
}); });
}); });
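Review bot: Both updated calls pass `undefined` in the argument slot inserted before `resolver`, so these tests only cover `createNote` with that argument omitted. The meaning of that parameter is not visible here. If it is what the security fixes validate against, a case that supplies it, including one expected to be rejected, would keep the new check from regressing unnoticed. The enclosing `describe` block starts and ends outside the hunks.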