From 4f48f3065c1e5117411cb051db060b02f3bbc3c4 Mon Sep 17 00:00:00 2001
From: FineArchs <133759614+FineArchs@users.noreply.github.com>
Date: Sun, 15 Oct 2023 19:57:12 +0900
Subject: [PATCH] make apiExternal reject unknown servers
---
 packages/frontend/src/scripts/api.ts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/packages/frontend/src/scripts/api.ts b/packages/frontend/src/scripts/api.ts
index 080977e5e4..78be5c8954 100644
--- a/packages/frontend/src/scripts/api.ts
+++ b/packages/frontend/src/scripts/api.ts
@@ -54,6 +54,8 @@ export function api(hostUrl: string, endpoint: E, data: P = {} as any, token?: string | null | undefined, signal?: AbortSignal): Promise {
 if (!/^https?:\/\//.test(hostUrl)) throw new Error('invalid host name');
 if (endpoint.includes('://')) throw new Error('invalid endpoint');
+ const knownUrls = (await api('federation/instances', { blocked: false })).map(v => v.host);
+ if (!knownUrls.includes(URL(hostUrl).host)) throw new Error(hostname + 'is blocked by or not known to this server.');
 pendingApiRequestsCount.value++;
 const onFinally = () => {
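Review bot: The two added lines cannot run as written: `await` is used in a function whose visible signature is not `async`, `URL(hostUrl)` is called without `new` (which throws a TypeError), and `hostname` is not a name visible in this hunk, so the rejection path would itself fail with a ReferenceError. Assuming the function is made `async` or the lookup is moved into its promise chain, the check would read `const host = new URL(hostUrl).host;` followed by `if (!knownUrls.includes(host)) throw new Error(host + ' is blocked by or not known to this server.');`, which also restores the space missing before "is" in the current message. The lookup calls `federation/instances` on every request and, if that endpoint returns a limited page of results, only those hosts are compared, so known servers could be rejected; querying for the exact host or caching the set would be more reliable. Because this check runs in the frontend, it only prevents accidental use, and since the signature accepts a `token` that is presumably sent to `hostUrl`, any real restriction on destination hosts has to be enforced where a modified client cannot skip it. The function body continues outside the hunk.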