mirror of
				https://codeberg.org/yeentown/barkey.git
				synced 2025-10-25 02:34:51 +00:00 
			
		
		
		
	* fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. [GHSA-6w2c-vf6f-xf26](https://github.com/misskey-dev/misskey/security/advisories/GHSA-6w2c-vf6f-xf26) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * Enhance: Add configuration option to disable all external redirects when responding to an ActivityPub lookup (config.disallowExternalApRedirect) Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * fixup! fix(backend): Fix an issue where the origin of ActivityPub lookup response was not validated correctly. * docs & one edge case Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * remove stale frontend reference to _responseInvalidIdHostNotMatch Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * apply suggestions Signed-off-by: eternal-flame-AD <yume@yumechi.jp> --------- Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
		
			
				
	
	
		
			342 lines
		
	
	
	
		
			10 KiB
		
	
	
	
		
			TypeScript
		
	
	
	
	
	
			
		
		
	
	
			342 lines
		
	
	
	
		
			10 KiB
		
	
	
	
		
			TypeScript
		
	
	
	
	
	
| /*
 | |
|  * SPDX-FileCopyrightText: syuilo and misskey-project
 | |
|  * SPDX-License-Identifier: AGPL-3.0-only
 | |
|  */
 | |
| 
 | |
| import * as fs from 'node:fs';
 | |
| import { fileURLToPath } from 'node:url';
 | |
| import { dirname, resolve } from 'node:path';
 | |
| import * as yaml from 'js-yaml';
 | |
| import * as Sentry from '@sentry/node';
 | |
| import type { RedisOptions } from 'ioredis';
 | |
| 
 | |
| type RedisOptionsSource = Partial<RedisOptions> & {
 | |
| 	host: string;
 | |
| 	port: number;
 | |
| 	family?: number;
 | |
| 	pass: string;
 | |
| 	db?: number;
 | |
| 	prefix?: string;
 | |
| };
 | |
| 
 | |
| /**
 | |
|  * 設定ファイルの型
 | |
|  */
 | |
| type Source = {
 | |
| 	url?: string;
 | |
| 	port?: number;
 | |
| 	socket?: string;
 | |
| 	chmodSocket?: string;
 | |
| 	disableHsts?: boolean;
 | |
| 	db: {
 | |
| 		host: string;
 | |
| 		port: number;
 | |
| 		db?: string;
 | |
| 		user?: string;
 | |
| 		pass?: string;
 | |
| 		disableCache?: boolean;
 | |
| 		extra?: { [x: string]: string };
 | |
| 	};
 | |
| 	dbReplications?: boolean;
 | |
| 	dbSlaves?: {
 | |
| 		host: string;
 | |
| 		port: number;
 | |
| 		db: string;
 | |
| 		user: string;
 | |
| 		pass: string;
 | |
| 	}[];
 | |
| 	redis: RedisOptionsSource;
 | |
| 	redisForPubsub?: RedisOptionsSource;
 | |
| 	redisForJobQueue?: RedisOptionsSource;
 | |
| 	redisForTimelines?: RedisOptionsSource;
 | |
| 	redisForReactions?: RedisOptionsSource;
 | |
| 	fulltextSearch?: {
 | |
| 		provider?: FulltextSearchProvider;
 | |
| 	};
 | |
| 	meilisearch?: {
 | |
| 		host: string;
 | |
| 		port: string;
 | |
| 		apiKey: string;
 | |
| 		ssl?: boolean;
 | |
| 		index: string;
 | |
| 		scope?: 'local' | 'global' | string[];
 | |
| 	};
 | |
| 	sentryForBackend?: { options: Partial<Sentry.NodeOptions>; enableNodeProfiling: boolean; };
 | |
| 	sentryForFrontend?: { options: Partial<Sentry.NodeOptions> };
 | |
| 
 | |
| 	publishTarballInsteadOfProvideRepositoryUrl?: boolean;
 | |
| 
 | |
| 	setupPassword?: string;
 | |
| 
 | |
| 	proxy?: string;
 | |
| 	proxySmtp?: string;
 | |
| 	proxyBypassHosts?: string[];
 | |
| 
 | |
| 	allowedPrivateNetworks?: string[];
 | |
| 	disallowExternalApRedirect?: boolean;
 | |
| 
 | |
| 	maxFileSize?: number;
 | |
| 
 | |
| 	clusterLimit?: number;
 | |
| 
 | |
| 	id: string;
 | |
| 
 | |
| 	outgoingAddress?: string;
 | |
| 	outgoingAddressFamily?: 'ipv4' | 'ipv6' | 'dual';
 | |
| 
 | |
| 	deliverJobConcurrency?: number;
 | |
| 	inboxJobConcurrency?: number;
 | |
| 	relationshipJobConcurrency?: number;
 | |
| 	deliverJobPerSec?: number;
 | |
| 	inboxJobPerSec?: number;
 | |
| 	relationshipJobPerSec?: number;
 | |
| 	deliverJobMaxAttempts?: number;
 | |
| 	inboxJobMaxAttempts?: number;
 | |
| 
 | |
| 	mediaProxy?: string;
 | |
| 	proxyRemoteFiles?: boolean;
 | |
| 	videoThumbnailGenerator?: string;
 | |
| 
 | |
| 	signToActivityPubGet?: boolean;
 | |
| 
 | |
| 	perChannelMaxNoteCacheCount?: number;
 | |
| 	perUserNotificationsMaxCount?: number;
 | |
| 	deactivateAntennaThreshold?: number;
 | |
| 	pidFile: string;
 | |
| 
 | |
| 	logging?: {
 | |
| 		sql?: {
 | |
| 			disableQueryTruncation?: boolean,
 | |
| 			enableQueryParamLogging?: boolean,
 | |
| 		}
 | |
| 	}
 | |
| };
 | |
| 
 | |
| export type Config = {
 | |
| 	url: string;
 | |
| 	port: number;
 | |
| 	socket: string | undefined;
 | |
| 	chmodSocket: string | undefined;
 | |
| 	disableHsts: boolean | undefined;
 | |
| 	db: {
 | |
| 		host: string;
 | |
| 		port: number;
 | |
| 		db: string;
 | |
| 		user: string;
 | |
| 		pass: string;
 | |
| 		disableCache?: boolean;
 | |
| 		extra?: { [x: string]: string };
 | |
| 	};
 | |
| 	dbReplications: boolean | undefined;
 | |
| 	dbSlaves: {
 | |
| 		host: string;
 | |
| 		port: number;
 | |
| 		db: string;
 | |
| 		user: string;
 | |
| 		pass: string;
 | |
| 	}[] | undefined;
 | |
| 	fulltextSearch?: {
 | |
| 		provider?: FulltextSearchProvider;
 | |
| 	};
 | |
| 	meilisearch: {
 | |
| 		host: string;
 | |
| 		port: string;
 | |
| 		apiKey: string;
 | |
| 		ssl?: boolean;
 | |
| 		index: string;
 | |
| 		scope?: 'local' | 'global' | string[];
 | |
| 	} | undefined;
 | |
| 	proxy: string | undefined;
 | |
| 	proxySmtp: string | undefined;
 | |
| 	proxyBypassHosts: string[] | undefined;
 | |
| 	allowedPrivateNetworks: string[] | undefined;
 | |
| 	disallowExternalApRedirect: boolean;
 | |
| 	maxFileSize: number;
 | |
| 	clusterLimit: number | undefined;
 | |
| 	id: string;
 | |
| 	outgoingAddress: string | undefined;
 | |
| 	outgoingAddressFamily: 'ipv4' | 'ipv6' | 'dual' | undefined;
 | |
| 	deliverJobConcurrency: number | undefined;
 | |
| 	inboxJobConcurrency: number | undefined;
 | |
| 	relationshipJobConcurrency: number | undefined;
 | |
| 	deliverJobPerSec: number | undefined;
 | |
| 	inboxJobPerSec: number | undefined;
 | |
| 	relationshipJobPerSec: number | undefined;
 | |
| 	deliverJobMaxAttempts: number | undefined;
 | |
| 	inboxJobMaxAttempts: number | undefined;
 | |
| 	proxyRemoteFiles: boolean | undefined;
 | |
| 	signToActivityPubGet: boolean | undefined;
 | |
| 	logging?: {
 | |
| 		sql?: {
 | |
| 			disableQueryTruncation?: boolean,
 | |
| 			enableQueryParamLogging?: boolean,
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	version: string;
 | |
| 	publishTarballInsteadOfProvideRepositoryUrl: boolean;
 | |
| 	setupPassword: string | undefined;
 | |
| 	host: string;
 | |
| 	hostname: string;
 | |
| 	scheme: string;
 | |
| 	wsScheme: string;
 | |
| 	apiUrl: string;
 | |
| 	wsUrl: string;
 | |
| 	authUrl: string;
 | |
| 	driveUrl: string;
 | |
| 	userAgent: string;
 | |
| 	frontendEntry: string;
 | |
| 	frontendManifestExists: boolean;
 | |
| 	frontendEmbedEntry: string;
 | |
| 	frontendEmbedManifestExists: boolean;
 | |
| 	mediaProxy: string;
 | |
| 	externalMediaProxyEnabled: boolean;
 | |
| 	videoThumbnailGenerator: string | null;
 | |
| 	redis: RedisOptions & RedisOptionsSource;
 | |
| 	redisForPubsub: RedisOptions & RedisOptionsSource;
 | |
| 	redisForJobQueue: RedisOptions & RedisOptionsSource;
 | |
| 	redisForTimelines: RedisOptions & RedisOptionsSource;
 | |
| 	redisForReactions: RedisOptions & RedisOptionsSource;
 | |
| 	sentryForBackend: { options: Partial<Sentry.NodeOptions>; enableNodeProfiling: boolean; } | undefined;
 | |
| 	sentryForFrontend: { options: Partial<Sentry.NodeOptions> } | undefined;
 | |
| 	perChannelMaxNoteCacheCount: number;
 | |
| 	perUserNotificationsMaxCount: number;
 | |
| 	deactivateAntennaThreshold: number;
 | |
| 	pidFile: string;
 | |
| };
 | |
| 
 | |
| export type FulltextSearchProvider = 'sqlLike' | 'sqlPgroonga' | 'meilisearch';
 | |
| 
 | |
| const _filename = fileURLToPath(import.meta.url);
 | |
| const _dirname = dirname(_filename);
 | |
| 
 | |
| /**
 | |
|  * Path of configuration directory
 | |
|  */
 | |
| const dir = `${_dirname}/../../../.config`;
 | |
| 
 | |
| /**
 | |
|  * Path of configuration file
 | |
|  */
 | |
| const path = process.env.MISSKEY_CONFIG_YML
 | |
| 	? resolve(dir, process.env.MISSKEY_CONFIG_YML)
 | |
| 	: process.env.NODE_ENV === 'test'
 | |
| 		? resolve(dir, 'test.yml')
 | |
| 		: resolve(dir, 'default.yml');
 | |
| 
 | |
| export function loadConfig(): Config {
 | |
| 	const meta = JSON.parse(fs.readFileSync(`${_dirname}/../../../built/meta.json`, 'utf-8'));
 | |
| 
 | |
| 	const frontendManifestExists = fs.existsSync(_dirname + '/../../../built/_frontend_vite_/manifest.json');
 | |
| 	const frontendEmbedManifestExists = fs.existsSync(_dirname + '/../../../built/_frontend_embed_vite_/manifest.json');
 | |
| 	const frontendManifest = frontendManifestExists ?
 | |
| 		JSON.parse(fs.readFileSync(`${_dirname}/../../../built/_frontend_vite_/manifest.json`, 'utf-8'))
 | |
| 		: { 'src/_boot_.ts': { file: 'src/_boot_.ts' } };
 | |
| 	const frontendEmbedManifest = frontendEmbedManifestExists ?
 | |
| 		JSON.parse(fs.readFileSync(`${_dirname}/../../../built/_frontend_embed_vite_/manifest.json`, 'utf-8'))
 | |
| 		: { 'src/boot.ts': { file: 'src/boot.ts' } };
 | |
| 
 | |
| 	const config = yaml.load(fs.readFileSync(path, 'utf-8')) as Source;
 | |
| 
 | |
| 	const url = tryCreateUrl(config.url ?? process.env.MISSKEY_URL ?? '');
 | |
| 	const version = meta.version;
 | |
| 	const host = url.host;
 | |
| 	const hostname = url.hostname;
 | |
| 	const scheme = url.protocol.replace(/:$/, '');
 | |
| 	const wsScheme = scheme.replace('http', 'ws');
 | |
| 
 | |
| 	const dbDb = config.db.db ?? process.env.DATABASE_DB ?? '';
 | |
| 	const dbUser = config.db.user ?? process.env.DATABASE_USER ?? '';
 | |
| 	const dbPass = config.db.pass ?? process.env.DATABASE_PASSWORD ?? '';
 | |
| 
 | |
| 	const externalMediaProxy = config.mediaProxy ?
 | |
| 		config.mediaProxy.endsWith('/') ? config.mediaProxy.substring(0, config.mediaProxy.length - 1) : config.mediaProxy
 | |
| 		: null;
 | |
| 	const internalMediaProxy = `${scheme}://${host}/proxy`;
 | |
| 	const redis = convertRedisOptions(config.redis, host);
 | |
| 
 | |
| 	return {
 | |
| 		version,
 | |
| 		publishTarballInsteadOfProvideRepositoryUrl: !!config.publishTarballInsteadOfProvideRepositoryUrl,
 | |
| 		setupPassword: config.setupPassword,
 | |
| 		url: url.origin,
 | |
| 		port: config.port ?? parseInt(process.env.PORT ?? '', 10),
 | |
| 		socket: config.socket,
 | |
| 		chmodSocket: config.chmodSocket,
 | |
| 		disableHsts: config.disableHsts,
 | |
| 		host,
 | |
| 		hostname,
 | |
| 		scheme,
 | |
| 		wsScheme,
 | |
| 		wsUrl: `${wsScheme}://${host}`,
 | |
| 		apiUrl: `${scheme}://${host}/api`,
 | |
| 		authUrl: `${scheme}://${host}/auth`,
 | |
| 		driveUrl: `${scheme}://${host}/files`,
 | |
| 		db: { ...config.db, db: dbDb, user: dbUser, pass: dbPass },
 | |
| 		dbReplications: config.dbReplications,
 | |
| 		dbSlaves: config.dbSlaves,
 | |
| 		fulltextSearch: config.fulltextSearch,
 | |
| 		meilisearch: config.meilisearch,
 | |
| 		redis,
 | |
| 		redisForPubsub: config.redisForPubsub ? convertRedisOptions(config.redisForPubsub, host) : redis,
 | |
| 		redisForJobQueue: config.redisForJobQueue ? convertRedisOptions(config.redisForJobQueue, host) : redis,
 | |
| 		redisForTimelines: config.redisForTimelines ? convertRedisOptions(config.redisForTimelines, host) : redis,
 | |
| 		redisForReactions: config.redisForReactions ? convertRedisOptions(config.redisForReactions, host) : redis,
 | |
| 		sentryForBackend: config.sentryForBackend,
 | |
| 		sentryForFrontend: config.sentryForFrontend,
 | |
| 		id: config.id,
 | |
| 		proxy: config.proxy,
 | |
| 		proxySmtp: config.proxySmtp,
 | |
| 		proxyBypassHosts: config.proxyBypassHosts,
 | |
| 		allowedPrivateNetworks: config.allowedPrivateNetworks,
 | |
| 		disallowExternalApRedirect: config.disallowExternalApRedirect ?? false,
 | |
| 		maxFileSize: config.maxFileSize ?? 262144000,
 | |
| 		clusterLimit: config.clusterLimit,
 | |
| 		outgoingAddress: config.outgoingAddress,
 | |
| 		outgoingAddressFamily: config.outgoingAddressFamily,
 | |
| 		deliverJobConcurrency: config.deliverJobConcurrency,
 | |
| 		inboxJobConcurrency: config.inboxJobConcurrency,
 | |
| 		relationshipJobConcurrency: config.relationshipJobConcurrency,
 | |
| 		deliverJobPerSec: config.deliverJobPerSec,
 | |
| 		inboxJobPerSec: config.inboxJobPerSec,
 | |
| 		relationshipJobPerSec: config.relationshipJobPerSec,
 | |
| 		deliverJobMaxAttempts: config.deliverJobMaxAttempts,
 | |
| 		inboxJobMaxAttempts: config.inboxJobMaxAttempts,
 | |
| 		proxyRemoteFiles: config.proxyRemoteFiles,
 | |
| 		signToActivityPubGet: config.signToActivityPubGet ?? true,
 | |
| 		mediaProxy: externalMediaProxy ?? internalMediaProxy,
 | |
| 		externalMediaProxyEnabled: externalMediaProxy !== null && externalMediaProxy !== internalMediaProxy,
 | |
| 		videoThumbnailGenerator: config.videoThumbnailGenerator ?
 | |
| 			config.videoThumbnailGenerator.endsWith('/') ? config.videoThumbnailGenerator.substring(0, config.videoThumbnailGenerator.length - 1) : config.videoThumbnailGenerator
 | |
| 			: null,
 | |
| 		userAgent: `Misskey/${version} (${config.url})`,
 | |
| 		frontendEntry: frontendManifest['src/_boot_.ts'],
 | |
| 		frontendManifestExists: frontendManifestExists,
 | |
| 		frontendEmbedEntry: frontendEmbedManifest['src/boot.ts'],
 | |
| 		frontendEmbedManifestExists: frontendEmbedManifestExists,
 | |
| 		perChannelMaxNoteCacheCount: config.perChannelMaxNoteCacheCount ?? 1000,
 | |
| 		perUserNotificationsMaxCount: config.perUserNotificationsMaxCount ?? 500,
 | |
| 		deactivateAntennaThreshold: config.deactivateAntennaThreshold ?? (1000 * 60 * 60 * 24 * 7),
 | |
| 		pidFile: config.pidFile,
 | |
| 		logging: config.logging,
 | |
| 	};
 | |
| }
 | |
| 
 | |
| function tryCreateUrl(url: string) {
 | |
| 	try {
 | |
| 		return new URL(url);
 | |
| 	} catch (e) {
 | |
| 		throw new Error(`url="${url}" is not a valid URL.`);
 | |
| 	}
 | |
| }
 | |
| 
 | |
| function convertRedisOptions(options: RedisOptionsSource, host: string): RedisOptions & RedisOptionsSource {
 | |
| 	return {
 | |
| 		...options,
 | |
| 		password: options.pass,
 | |
| 		prefix: options.prefix ?? host,
 | |
| 		family: options.family ?? 0,
 | |
| 		keyPrefix: `${options.prefix ?? host}:`,
 | |
| 		db: options.db ?? 0,
 | |
| 	};
 | |
| }
 |