requested changes to verifyFieldLinks

Co-authored-by: dakkar <dakkar@thenautilus.net>
2025-07-07 12:36:57 +00:00 · 2025-04-20 12:34:00 -03:00 · 2025-04-20 12:34:00 -03:00 · 46fa99fc28
commit 46fa99fc28
parent 20482888b0
3 changed files with 34 additions and 52 deletions
--- a/packages/backend/src/core/activitypub/models/ApPersonService.ts
+++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts
@ -42,7 +42,7 @@ import type { AccountMoveService } from '@/core/AccountMoveService.js';
 import { ApUtilityService } from '@/core/activitypub/ApUtilityService.js';
 import { MemoryKVCache } from '@/misc/cache.js';
 import { HttpRequestService } from '@/core/HttpRequestService.js';
-import { verifyFieldLink } from '@/misc/verify-field-link.js';
+import { verifyFieldLinks } from '@/misc/verify-field-link.js';
 import { getApId, getApType, isActor, isCollection, isCollectionOrOrderedCollection, isPropertyValue } from '../type.js';
 import { extractApHashtags } from './tag.js';
 import type { OnModuleInit } from '@nestjs/common';
@ -337,7 +337,6 @@ export class ApPersonService implements OnModuleInit, OnApplicationShutdown {
 		this.logger.info(`Creating the Person: ${person.id}`);

 		const fields = this.analyzeAttachments(person.attachment ?? []);
-		const field_urls = fields.filter(x => x.value.startsWith('https://'));

 		const tags = extractApHashtags(person.tag).map(normalizeForSearch).splice(0, 32);

@ -366,15 +365,7 @@ export class ApPersonService implements OnModuleInit, OnApplicationShutdown {

 		const url = this.apUtilityService.findBestObjectUrl(person);

-		const verifiedLinks: string[] = [];
-		if (url) {
-			for (const field_url of field_urls) {
-				const includesProfileLinks = await verifyFieldLink(field_url.value, url, this.httpRequestService);
-				if (includesProfileLinks) {
-					verifiedLinks.push(field_url.value)
-				}
-			}
-		}
+		const verifiedLinks = url ? await verifyFieldLinks(fields, url, this.httpRequestService) : [];

 		// Create user
 		let user: MiRemoteUser | null = null;
@ -566,7 +557,6 @@ export class ApPersonService implements OnModuleInit, OnApplicationShutdown {
 		const emojiNames = emojis.map(emoji => emoji.name);

 		const fields = this.analyzeAttachments(person.attachment ?? []);
-		const field_urls = fields.filter(x => x.value.startsWith('https://'));

 		const tags = extractApHashtags(person.tag).map(normalizeForSearch).splice(0, 32);

@ -595,15 +585,7 @@ export class ApPersonService implements OnModuleInit, OnApplicationShutdown {

 		const url = this.apUtilityService.findBestObjectUrl(person);

-		const verifiedLinks: string[] = [];
-		if (url) {
-			for (const field_url of field_urls) {
-				const includesProfileLinks = await verifyFieldLink(field_url.value, url, this.httpRequestService);
-				if (includesProfileLinks) {
-					verifiedLinks.push(field_url.value)
-				}
-			}
-		}
+		const verifiedLinks = url ? await verifyFieldLinks(fields, url, this.httpRequestService) : [];

 		const updates = {
 			lastFetchedAt: new Date(),
--- a/packages/backend/src/misc/verify-field-link.ts
+++ b/packages/backend/src/misc/verify-field-link.ts
@ -5,28 +5,31 @@

 import { JSDOM } from 'jsdom';
 import { HttpRequestService } from '@/core/HttpRequestService.js';
-import { safeForSql } from './safe-for-sql.js';

+type Field = { name: string, value: string };

-export async function verifyFieldLink(field_url: string, profile_url: string, httpRequestService: HttpRequestService): Promise<boolean | undefined> {
-	if (!safeForSql(field_url)) return;
+export async function verifyFieldLinks(fields: Field[], profile_url: string, httpRequestService: HttpRequestService): Promise<string[]> {
+	const verified_links = [];
+	for (const field_url of fields
+		.filter(x => URL.canParse(x.value) && ['http:', 'https:'].includes((new URL(x.value).protocol)))) {
+		console.log('fortnite ' + field_url);
+		try {
+			const html = await httpRequestService.getHtml(field_url.value);

-	try {
-		const html = await httpRequestService.getHtml(field_url);
+			const { window } = new JSDOM(html);
+			const doc: Document = window.document;

-		const { window } = new JSDOM(html);
-		const doc: Document = window.document;
+			const aEls = Array.from(doc.getElementsByTagName('a'));
+			const linkEls = Array.from(doc.getElementsByTagName('link'));

-		const aEls = Array.from(doc.getElementsByTagName('a'));
-		const linkEls = Array.from(doc.getElementsByTagName('link'));
+			const includesProfileLinks = [...aEls, ...linkEls].some(link => link.rel === 'me' && link.href === profile_url);
+			if (includesProfileLinks) { verified_links.push(field_url.value); }

-		const includesProfileLinks = [...aEls, ...linkEls].some(link => link.rel === 'me' && link.href === profile_url);
-
-		window.close();
-
-		return includesProfileLinks;
-	} catch (err) {
-		// なにもしない
-		return;
+			window.close();
+		} catch (err) {
+			// don't do anything.
+			continue;
+		}
 	}
+	return verified_links;
 }
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@ -31,7 +31,7 @@ import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.j
 import { HttpRequestService } from '@/core/HttpRequestService.js';
 import type { Config } from '@/config.js';
 import { safeForSql } from '@/misc/safe-for-sql.js';
-import { verifyFieldLink } from '@/misc/verify-field-link.js'
+import { verifyFieldLinks } from '@/misc/verify-field-link.js';
 import { AvatarDecorationService } from '@/core/AvatarDecorationService.js';
 import { notificationRecieveConfig } from '@/models/json-schema/user.js';
 import { userUnsignedFetchOptions } from '@/const.js';
@ -585,9 +585,11 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				this.globalEventService.publishInternalEvent('localUserUpdated', { id: user.id });
 			}

+			const verified_links = await verifyFieldLinks(newFields, `${this.config.url}/@${user.username}`, this.httpRequestService);
+
 			await this.userProfilesRepository.update(user.id, {
 				...profileUpdates,
-				verifiedLinks: [],
+				verifiedLinks: verified_links,
 			});

 			const iObj = await this.userEntityService.pack(user.id, user, {
@ -612,18 +614,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				this.accountUpdateService.publishToFollowers(user.id);
 			}

-			const urls = updatedProfile.fields.filter(x => x.value.startsWith('https://'));
-			for (const url of urls) {
-				// this is a different, broader implementation so we can support remote users.
-				const includesProfileLinks = await verifyFieldLink(url.value, `${this.config.url}/@${user.username}`, this.httpRequestService);
-				if (includesProfileLinks) {
-					await userProfilesRepository.createQueryBuilder('profile').update()
-						.where('userId = :userId', { userId: user.id })
-						.set({
-							verifiedLinks: () => `array_append("verifiedLinks", '${url}')`, // ここでSQLインジェクションされそうなのでとりあえず safeForSql で弾いている
-						})
-						.execute();
-				}
+			if (verified_links.length > 0) {
+				await userProfilesRepository.createQueryBuilder('profile').update()
+					.where('userId = :userId', { userId: user.id })
+					.set({
+						verifiedLinks: verified_links.filter(x => safeForSql(x)), // ここでSQLインジェクションされそうなのでとりあえず safeForSql で弾いている
+					})
+					.execute();
 			}

 			return iObj;