From 0da0cc80b94c1a8032b79e0a345378557019ff19 Mon Sep 17 00:00:00 2001
From: syuilo
Date: Wed, 8 Feb 2023 17:50:23 +0900
Subject: [PATCH] fix(server): validate url from ap to improve security
---
 .../backend/src/core/activitypub/models/ApImageService.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/packages/backend/src/core/activitypub/models/ApImageService.ts b/packages/backend/src/core/activitypub/models/ApImageService.ts
index d01817b0de..928ef1ae79 100644
--- a/packages/backend/src/core/activitypub/models/ApImageService.ts
+++ b/packages/backend/src/core/activitypub/models/ApImageService.ts
@@ -48,6 +48,10 @@ export class ApImageService {
 throw new Error('invalid image: url not privided');
 }
+ if (!image.url.startsWith('https://')) {
+ throw new Error('invalid image: unexpected shcema of url: ' + image.url);
+ }
+
 this.logger.info(`Creating the Image: ${image.url}`);
 const instance = await this.metaService.fetch();
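Review bot: The added guard is a case-sensitive string-prefix test, so it accepts anything that follows `https://`, including a malformed URL or one whose host is a loopback or private address. If a remote object supplies a non-string `url`, it would presumably fail with a TypeError from `.startsWith` rather than the intended error. Parsing first gives a stricter check: `const u = new URL(image.url); if (u.protocol !== 'https:') throw new Error('invalid image: unexpected schema of url');`. Whether the later download step refuses internal hosts is not visible in this hunk and should be confirmed, because the scheme check alone does not limit where the server connects. The message also appends the remote-supplied URL at full length and contains the typo `shcema`; the enclosing method begins and ends outside the hunk.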