Refuse all remote AP redirects

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
2025-02-14 06:12:49 -06:00 · 2025-02-14 06:12:49 -06:00 · b78fdb15db
commit b78fdb15db
parent 6f5ca40037
1 changed files with 29 additions and 0 deletions
--- a/packages/backend/src/server/ServerService.ts
+++ b/packages/backend/src/server/ServerService.ts
@ -290,6 +290,35 @@ export class ServerService implements OnApplicationShutdown {
 			done();
 		});

+		fastify.addHook('onSend', (request, reply, payload, done) => {
+			if (reply.statusCode >= 300 && reply.statusCode < 400) {
+				const isAp = ["application/activity+json", "application/ld+json"].some(type => request.headers.accept?.includes(type));
+			
+				if (isAp) {
+					const location = reply.getHeader('location');
+
+					// the only acceptable redirect is to our own domain
+					if (typeof location === 'string') {
+						// allow http in development
+						const normalizedLocation = process.env.NODE_ENV !== 'production' ?
+							location.replace(/^http:\/\//, 'https://') : location;
+
+						if ([`https://${this.config.host}/`, `https://${this.config.hostname}/`].some(host => normalizedLocation.startsWith(host))) {
+							done(null, payload);
+							return;
+						}
+					}
+					
+					reply.code(406);
+					reply.removeHeader('location');
+					done(null, null);
+					return;
+				}
+			}
+			
+			done(null, payload);
+		});
+
 		// CSP
 		if (process.env.NODE_ENV === 'production' && !this.config.browserSandboxing.csp?.disable) {
 			console.debug('cspPrerenderedContent', this.config.cspPrerenderedContent);