fix: do not verify AP /inbox POST for wrong actor

lesion 2025-01-20 17:05:28 +01:00
parent 40f1f91937
commit 642babad94
No known key found for this signature in database
GPG key ID: 352918250B012177


@ -1,3 +1,4 @@
const escape = require('lodash/escape')
const axios = require('axios') const axios = require('axios')
const crypto = require('crypto') const crypto = require('crypto')
const config = require('../config') const config = require('../config')
@ -495,9 +496,19 @@ const Helpers = {
*/ */
async verifySignature (req, res, next) { async verifySignature (req, res, next) {
const name = req.params.name
const actor_url = req?.body?.actor const actor_url = req?.body?.actor
const isDelete = req?.body?.type === 'Delete' const isDelete = req?.body?.type === 'Delete'
const settings = settingsController.settings
if (!name) {
log.info('[AP] Bad /inbox request')
return res.status(400).send('Bad request.')
}
if (name !== settings.instance_name) {
log.info(`[FEDI] No record found for ${name} (applicationActor is ${settings.instance_name})`)
return res.status(404).send(`No record found for ${escape(name)}`)
}
// do we have an actor? // do we have an actor?
if (!actor_url) { if (!actor_url) {