fix(backend): fix type error(s) in security fixes (#15009)
* Fix type error in security fixes (cherry picked from commit fa3cf6c2996741e642955c5e2fca8ad785e83205) * Fix error in test function calls (cherry picked from commit 1758f29364eca3cbd13dbb5c84909c93712b3b3b) * Fix style error (cherry picked from commit 23c4aa25714af145098baa7edd74c1d217e51c1a) * Fix another style error (cherry picked from commit 36af07abe28bec670aaebf9f5af5694bb582c29a) * Fix `.punyHost` misuse (cherry picked from commit 6027b516e1c82324d55d6e54d0e17cbd816feb42) * attempt to fix test: make yaml valid --------- Co-authored-by: Julia Johannesen <julia@insertdomain.name>
This commit is contained in:
parent
53e827b18c
commit
3a6c2aa835
|
@ -54,19 +54,19 @@ class HttpRequestServiceAgent extends http.Agent {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
return socket;
|
return socket;
|
||||||
};
|
}
|
||||||
|
|
||||||
@bindThis
|
@bindThis
|
||||||
private isPrivateIp(ip: string): boolean {
|
private isPrivateIp(ip: string): boolean {
|
||||||
const parsedIp = ipaddr.parse(ip);
|
const parsedIp = ipaddr.parse(ip);
|
||||||
|
|
||||||
for (const net of this.config.allowedPrivateNetworks ?? []) {
|
for (const net of this.config.allowedPrivateNetworks ?? []) {
|
||||||
const cidr = ipaddr.parseCIDR(net);
|
const cidr = ipaddr.parseCIDR(net);
|
||||||
if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
|
if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return parsedIp.range() !== 'unicast';
|
return parsedIp.range() !== 'unicast';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -93,19 +93,19 @@ class HttpsRequestServiceAgent extends https.Agent {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
return socket;
|
return socket;
|
||||||
};
|
}
|
||||||
|
|
||||||
@bindThis
|
@bindThis
|
||||||
private isPrivateIp(ip: string): boolean {
|
private isPrivateIp(ip: string): boolean {
|
||||||
const parsedIp = ipaddr.parse(ip);
|
const parsedIp = ipaddr.parse(ip);
|
||||||
|
|
||||||
for (const net of this.config.allowedPrivateNetworks ?? []) {
|
for (const net of this.config.allowedPrivateNetworks ?? []) {
|
||||||
const cidr = ipaddr.parseCIDR(net);
|
const cidr = ipaddr.parseCIDR(net);
|
||||||
if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
|
if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return parsedIp.range() !== 'unicast';
|
return parsedIp.range() !== 'unicast';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -54,7 +54,7 @@ export class RemoteUserResolveService {
|
||||||
}) as MiLocalUser;
|
}) as MiLocalUser;
|
||||||
}
|
}
|
||||||
|
|
||||||
host = this.utilityService.punyHost(host);
|
host = this.utilityService.toPuny(host);
|
||||||
|
|
||||||
if (host === this.utilityService.toPuny(this.config.host)) {
|
if (host === this.utilityService.toPuny(this.config.host)) {
|
||||||
this.logger.info(`return local user: ${usernameLower}`);
|
this.logger.info(`return local user: ${usernameLower}`);
|
||||||
|
|
|
@ -163,13 +163,16 @@ export class ApPersonService implements OnModuleInit {
|
||||||
}
|
}
|
||||||
|
|
||||||
for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) {
|
for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) {
|
||||||
const collectionUri = getApId((x as IActor)[collection]);
|
const xCollection = (x as IActor)[collection];
|
||||||
if (typeof collectionUri === 'string' && collectionUri.length > 0) {
|
if (xCollection != null) {
|
||||||
if (this.utilityService.punyHost(collectionUri) !== expectHost) {
|
const collectionUri = getApId(xCollection);
|
||||||
throw new Error(`invalid Actor: ${collection} has different host`);
|
if (typeof collectionUri === 'string' && collectionUri.length > 0) {
|
||||||
|
if (this.utilityService.punyHost(collectionUri) !== expectHost) {
|
||||||
|
throw new Error(`invalid Actor: ${collection} has different host`);
|
||||||
|
}
|
||||||
|
} else if (collectionUri != null) {
|
||||||
|
throw new Error(`invalid Actor: wrong ${collection}`);
|
||||||
}
|
}
|
||||||
} else if (collectionUri != null) {
|
|
||||||
throw new Error(`invalid Actor: wrong ${collection}`);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -19,7 +19,6 @@ proxyBypassHosts:
|
||||||
- challenges.cloudflare.com
|
- challenges.cloudflare.com
|
||||||
proxyRemoteFiles: true
|
proxyRemoteFiles: true
|
||||||
signToActivityPubGet: true
|
signToActivityPubGet: true
|
||||||
allowedPrivateNetworks: [
|
allowedPrivateNetworks:
|
||||||
'127.0.0.1/32',
|
- 127.0.0.1/32
|
||||||
'172.20.0.0/16'
|
- 172.20.0.0/16
|
||||||
]
|
|
||||||
|
|
|
@ -176,7 +176,7 @@ describe('ActivityPub', () => {
|
||||||
resolver.register(actor.id, actor);
|
resolver.register(actor.id, actor);
|
||||||
resolver.register(post.id, post);
|
resolver.register(post.id, post);
|
||||||
|
|
||||||
const note = await noteService.createNote(post.id, resolver, true);
|
const note = await noteService.createNote(post.id, undefined, resolver, true);
|
||||||
|
|
||||||
assert.deepStrictEqual(note?.uri, post.id);
|
assert.deepStrictEqual(note?.uri, post.id);
|
||||||
assert.deepStrictEqual(note.visibility, 'public');
|
assert.deepStrictEqual(note.visibility, 'public');
|
||||||
|
@ -336,7 +336,7 @@ describe('ActivityPub', () => {
|
||||||
resolver.register(actor.featured, featured);
|
resolver.register(actor.featured, featured);
|
||||||
resolver.register(firstNote.id, firstNote);
|
resolver.register(firstNote.id, firstNote);
|
||||||
|
|
||||||
const note = await noteService.createNote(firstNote.id as string, resolver);
|
const note = await noteService.createNote(firstNote.id as string, undefined, resolver);
|
||||||
assert.strictEqual(note?.uri, firstNote.id);
|
assert.strictEqual(note?.uri, firstNote.id);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
Loading…
Reference in New Issue