From 0da0cc80b94c1a8032b79e0a345378557019ff19 Mon Sep 17 00:00:00 2001
From: syuilo <Syuilotan@yahoo.co.jp>
Date: Wed, 8 Feb 2023 17:50:23 +0900
Subject: [PATCH] fix(server): validate url from ap to improve security

---
 .../backend/src/core/activitypub/models/ApImageService.ts     | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/backend/src/core/activitypub/models/ApImageService.ts b/packages/backend/src/core/activitypub/models/ApImageService.ts
index d01817b0de..928ef1ae79 100644
--- a/packages/backend/src/core/activitypub/models/ApImageService.ts
+++ b/packages/backend/src/core/activitypub/models/ApImageService.ts
@@ -48,6 +48,10 @@ export class ApImageService {
 			throw new Error('invalid image: url not privided');
 		}
 
+		if (!image.url.startsWith('https://')) {
+			throw new Error('invalid image: unexpected shcema of url: ' + image.url);
+		}
+
 		this.logger.info(`Creating the Image: ${image.url}`);
 
 		const instance = await this.metaService.fetch();
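Review bot: The added guard `if (!image.url.startsWith('https://'))` tests a raw string prefix, so it constrains only the scheme and says nothing about the host; whether loopback or private addresses are refused later in the download path is not visible in this hunk and should be confirmed. If `image.url` can arrive as a non-string (the type is declared outside the hunk), `.startsWith` would raise a TypeError instead of the intended error. Parsing first makes the check explicit and rejects malformed values: `const u = new URL(image.url); if (u.protocol !== 'https:') throw new Error('invalid image: unexpected scheme of url');`. The new message misspells the word as `shcema` and appends the remote-supplied URL verbatim, which the following `this.logger.info` line also writes to the log, so consider truncating or escaping it. The enclosing method starts and ends outside the hunk.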