mirrors/barkey
1
0
Fork 0
mirror of https://codeberg.org/yeentown/barkey.git synced 2025-08-21 18:43:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

validate more URLs in UrlPreviewService.ts

Browse source
This commit is contained in:
Hazelnoot 2025-05-05 09:43:40 -04:00
parent 23267a3a96
commit d6c2140821
2 changed files with 47 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
packages/backend/src/core/UtilityService.ts
View file

@ -176,4 +176,14 @@ export class UtilityService {
const host = this.extractDbHost(uri); const host = this.extractDbHost(uri);
return this.isFederationAllowedHost(host); return this.isFederationAllowedHost(host);
} }
@bindThis
public getUrlScheme(url: string): string {
try {
// Returns in the format "https:" or an empty string
return new URL(url).protocol;
} catch {
return '';
}
}
} }

45
packages/backend/src/server/web/UrlPreviewService.ts
View file

@ -140,6 +140,8 @@ export class UrlPreviewService {
? await this.fetchSummaryFromProxy(url, this.meta, lang) ? await this.fetchSummaryFromProxy(url, this.meta, lang)
: await this.fetchSummary(url, this.meta, lang); : await this.fetchSummary(url, this.meta, lang);
this.validateUrls(summary);
// Repeat check, since redirects are allowed. // Repeat check, since redirects are allowed.
if (this.utilityService.isBlockedHost(this.meta.blockedHosts, new URL(summary.url).host)) { if (this.utilityService.isBlockedHost(this.meta.blockedHosts, new URL(summary.url).host)) {
reply.code(403); reply.code(403);
@ -154,14 +156,6 @@ export class UrlPreviewService {
this.logger.info(`Got preview of ${url} in ${lang}: ${summary.title}`); this.logger.info(`Got preview of ${url} in ${lang}: ${summary.title}`);
if (!(summary.url.startsWith('http://') || summary.url.startsWith('https://'))) {
throw new Error('unsupported schema included');
}
if (summary.player.url && !(summary.player.url.startsWith('http://') || summary.player.url.startsWith('https://'))) {
throw new Error('unsupported schema included');
}
summary.icon = this.wrap(summary.icon); summary.icon = this.wrap(summary.icon);
summary.thumbnail = this.wrap(summary.thumbnail); summary.thumbnail = this.wrap(summary.thumbnail);
@ -228,6 +222,41 @@ export class UrlPreviewService {
return this.httpRequestService.getJson<LocalSummalyResult>(`${proxy}?${queryStr}`, 'application/json, */*', undefined, true); return this.httpRequestService.getJson<LocalSummalyResult>(`${proxy}?${queryStr}`, 'application/json, */*', undefined, true);
} }
private validateUrls(summary: LocalSummalyResult) {
const urlScheme = this.utilityService.getUrlScheme(summary.url);
if (urlScheme !== 'http:' && urlScheme !== 'https:') {
throw new Error(`unsupported scheme in preview URL: "${urlScheme}"`);
}
if (summary.player.url) {
const playerScheme = this.utilityService.getUrlScheme(summary.player.url);
if (playerScheme !== 'http:' && playerScheme !== 'https:') {
throw new Error(`unsupported scheme in player URL: "${playerScheme}"`);
}
}
if (summary.icon) {
const iconScheme = this.utilityService.getUrlScheme(summary.icon);
if (iconScheme !== 'http:' && iconScheme !== 'https:') {
throw new Error(`unsupported scheme in icon URL: "${iconScheme}"`);
}
}
if (summary.thumbnail) {
const thumbnailScheme = this.utilityService.getUrlScheme(summary.thumbnail);
if (thumbnailScheme !== 'http:' && thumbnailScheme !== 'https:') {
throw new Error(`unsupported scheme in thumbnail URL: "${thumbnailScheme}"`);
}
}
if (summary.activityPub) {
const activityPubScheme = this.utilityService.getUrlScheme(summary.activityPub);
if (activityPubScheme !== 'http:' && activityPubScheme !== 'https:') {
throw new Error(`unsupported scheme in ActivityPub URL: "${activityPubScheme}"`);
}
}
}
private async inferActivityPubLink(summary: LocalSummalyResult) { private async inferActivityPubLink(summary: LocalSummalyResult) {
// Match canonical URI first. // Match canonical URI first.
// This covers local and remote links. // This covers local and remote links.