yume/yumechi-no-kuni
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

do not use media proxy if emoji is local
Some checks failed
Lint / lint (backend) (push) Blocked by required conditions
Details
Lint / lint (frontend) (push) Blocked by required conditions
Details
Lint / lint (frontend-embed) (push) Blocked by required conditions
Details
Lint / lint (frontend-shared) (push) Blocked by required conditions
Details
Lint / lint (misskey-bubble-game) (push) Blocked by required conditions
Details
Lint / lint (misskey-js) (push) Blocked by required conditions
Details
Lint / lint (misskey-reversi) (push) Blocked by required conditions
Details
Lint / lint (sw) (push) Blocked by required conditions
Details
Lint / typecheck (backend) (push) Blocked by required conditions
Details
Lint / typecheck (misskey-js) (push) Blocked by required conditions
Details
Lint / typecheck (sw) (push) Blocked by required conditions
Details
Test (production install and build) / production (22.11.0) (push) Waiting to run
Details
Lint / pnpm_install (push) Successful in 1m49s
Details
Publish Docker image / Build (push) Has been cancelled
Details
Test (backend) / e2e (22.11.0) (push) Has been cancelled
Details
Test (backend) / unit (22.11.0) (push) Has been cancelled
Details

Browse source 
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
This commit is contained in:
ゆめ 2024-11-20 12:53:29 -06:00
parent 95d3fb08f4
commit 88e8a7a854
No known key found for this signature in database
1 changed files with 28 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
packages/backend/src/server/ServerService.ts
View file

@ -110,6 +110,11 @@ const mLastSuccessfulRequest = metricGauge({
labelNames: [],
});
// This function is used to determine if a path is safe to redirect to.
function redirectSafePath(path: string): boolean {
return ['/files/', '/identicon/', '/proxy/', '/static-assets/', '/vite/', '/embed_vite/'].some(path.startsWith);
}
@Injectable()
export class ServerService implements OnApplicationShutdown {
private logger: Logger;
@ -348,7 +353,7 @@ export class ServerService implements OnApplicationShutdown {
name: name,
});
reply.header('Content-Security-Policy', 'default-src \'none\'; style-src \'unsafe-inline\'');
reply.header('Content-Security-Policy', 'default-src \'none\'');
if (emoji == null) {
if ('fallback' in request.query) {
@ -359,16 +364,26 @@ export class ServerService implements OnApplicationShutdown {
}
}
const dbUrl = emoji?.publicUrl || emoji?.originalUrl;
const dbUrlParsed = new URL(dbUrl);
const instanceUrl = new URL(this.config.url);
if (dbUrlParsed.origin === instanceUrl.origin) {
if (!redirectSafePath(dbUrlParsed.pathname)) {
return await reply.status(508);
}
return await reply.redirect(dbUrl, 301);
}
let url: URL;
if ('badge' in request.query) {
url = new URL(`${this.config.mediaProxy}/emoji.png`);
// || emoji.originalUrl してるのは後方互換性のためpublicUrlはstringなので??はだめ)
url.searchParams.set('url', emoji.publicUrl || emoji.originalUrl);
url.searchParams.set('url', dbUrl);
url.searchParams.set('badge', '1');
} else {
url = new URL(`${this.config.mediaProxy}/emoji.webp`);
// || emoji.originalUrl してるのは後方互換性のためpublicUrlはstringなので??はだめ)
url.searchParams.set('url', emoji.publicUrl || emoji.originalUrl);
url.searchParams.set('url', dbUrl);
url.searchParams.set('emoji', '1');
if ('static' in request.query) url.searchParams.set('static', '1');
}
@ -392,6 +407,16 @@ export class ServerService implements OnApplicationShutdown {
reply.header('Cache-Control', 'public, max-age=86400');
if (user) {
const dbUrl = user?.avatarUrl ?? this.userEntityService.getIdenticonUrl(user);
const dbUrlParsed = new URL(dbUrl);
const instanceUrl = new URL(this.config.url);
if (dbUrlParsed.origin === instanceUrl.origin) {
if (!redirectSafePath(dbUrlParsed.pathname)) {
return await reply.status(508);
}
return await reply.redirect(dbUrl, 301);
}
reply.redirect(user.avatarUrl ?? this.userEntityService.getIdenticonUrl(user));
} else {
reply.redirect('/static-assets/user-unknown.png');