diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4c0b370146..abbbdcded7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -680,6 +680,7 @@ seems to do a decent job) * from `packages/backend/src/queue/processors/InboxProcessorService.ts` to `packages/backend/src/core/UpdateInstanceQueue.ts` where `updateInstanceQueue` is impacted + * from `verifyLink` in `packages/backend/src/core/activitypub/models/ApPersonService.ts` to `verifyFieldLink` in `packages/backend/src/misc/verify-field-link.ts` (if sensible) * if there have been any changes to the federated user data (the `renderPerson` function in `packages/backend/src/core/activitypub/ApRendererService.ts`), make diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts index d624632612..fcc1f58bbc 100644 --- a/packages/backend/src/core/activitypub/models/ApPersonService.ts +++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts @@ -41,6 +41,8 @@ import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.j import type { AccountMoveService } from '@/core/AccountMoveService.js'; import { ApUtilityService } from '@/core/activitypub/ApUtilityService.js'; import { MemoryKVCache } from '@/misc/cache.js'; +import { HttpRequestService } from '@/core/HttpRequestService.js'; +import { verifyFieldLinks } from '@/misc/verify-field-link.js'; import { getApId, getApType, isActor, isCollection, isCollectionOrOrderedCollection, isPropertyValue } from '../type.js'; import { extractApHashtags } from './tag.js'; import type { OnModuleInit } from '@nestjs/common'; @@ -112,6 +114,7 @@ export class ApPersonService implements OnModuleInit, OnApplicationShutdown { private roleService: RoleService, private readonly apUtilityService: ApUtilityService, + private httpRequestService: HttpRequestService, ) { } @@ -362,6 +365,8 @@ export class ApPersonService implements OnModuleInit, OnApplicationShutdown { const url = this.apUtilityService.findBestObjectUrl(person); + const verifiedLinks = url ? await verifyFieldLinks(fields, url, this.httpRequestService) : []; + // Create user let user: MiRemoteUser | null = null; let publicKey: MiUserPublickey | null = null; @@ -436,6 +441,7 @@ export class ApPersonService implements OnModuleInit, OnApplicationShutdown { followedMessage: person._misskey_followedMessage != null ? truncate(person._misskey_followedMessage, 256) : null, url, fields, + verifiedLinks, followingVisibility, followersVisibility, birthday: bday?.[0] ?? null, @@ -579,6 +585,8 @@ export class ApPersonService implements OnModuleInit, OnApplicationShutdown { const url = this.apUtilityService.findBestObjectUrl(person); + const verifiedLinks = url ? await verifyFieldLinks(fields, url, this.httpRequestService) : []; + const updates = { lastFetchedAt: new Date(), inbox: person.inbox, @@ -661,6 +669,7 @@ export class ApPersonService implements OnModuleInit, OnApplicationShutdown { await this.userProfilesRepository.update({ userId: exist.id }, { url, fields, + verifiedLinks, description: _description, followedMessage: person._misskey_followedMessage != null ? truncate(person._misskey_followedMessage, 256) : null, followingVisibility, diff --git a/packages/backend/src/misc/verify-field-link.ts b/packages/backend/src/misc/verify-field-link.ts new file mode 100644 index 0000000000..f519acfba0 --- /dev/null +++ b/packages/backend/src/misc/verify-field-link.ts @@ -0,0 +1,34 @@ +/* +* SPDX-FileCopyrightText: piuvas and other Sharkey contributors +* SPDX-License-Identifier: AGPL-3.0-only +*/ + +import { JSDOM } from 'jsdom'; +import type { HttpRequestService } from '@/core/HttpRequestService.js'; + +type Field = { name: string, value: string }; + +export async function verifyFieldLinks(fields: Field[], profile_url: string, httpRequestService: HttpRequestService): Promise { + const verified_links = []; + for (const field_url of fields + .filter(x => URL.canParse(x.value) && ['http:', 'https:'].includes((new URL(x.value).protocol)))) { + try { + const html = await httpRequestService.getHtml(field_url.value); + + const { window } = new JSDOM(html); + const doc: Document = window.document; + + const aEls = Array.from(doc.getElementsByTagName('a')); + const linkEls = Array.from(doc.getElementsByTagName('link')); + + const includesProfileLinks = [...aEls, ...linkEls].some(link => link.rel === 'me' && link.href === profile_url); + if (includesProfileLinks) { verified_links.push(field_url.value); } + + window.close(); + } catch (err) { + // don't do anything. + continue; + } + } + return verified_links; +} diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts index f1d201d081..3566941957 100644 --- a/packages/backend/src/server/api/endpoints/i/update.ts +++ b/packages/backend/src/server/api/endpoints/i/update.ts @@ -31,6 +31,7 @@ import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.j import { HttpRequestService } from '@/core/HttpRequestService.js'; import type { Config } from '@/config.js'; import { safeForSql } from '@/misc/safe-for-sql.js'; +import { verifyFieldLinks } from '@/misc/verify-field-link.js'; import { AvatarDecorationService } from '@/core/AvatarDecorationService.js'; import { notificationRecieveConfig } from '@/models/json-schema/user.js'; import { userUnsignedFetchOptions } from '@/const.js'; @@ -584,9 +585,11 @@ export default class extends Endpoint { // eslint- this.globalEventService.publishInternalEvent('localUserUpdated', { id: user.id }); } + const verified_links = await verifyFieldLinks(newFields, `${this.config.url}/@${user.username}`, this.httpRequestService); + await this.userProfilesRepository.update(user.id, { ...profileUpdates, - verifiedLinks: [], + verifiedLinks: verified_links, }); const iObj = await this.userEntityService.pack(user.id, user, { @@ -611,15 +614,11 @@ export default class extends Endpoint { // eslint- this.accountUpdateService.publishToFollowers(user.id); } - const urls = updatedProfile.fields.filter(x => x.value.startsWith('https://')); - for (const url of urls) { - this.verifyLink(url.value, user); - } - return iObj; }); } + // this function is superseded by '@/misc/verify-field-link.ts' private async verifyLink(url: string, user: MiLocalUser) { if (!safeForSql(url)) return;