diff --git a/packages/backend/src/core/FeaturedService.ts b/packages/backend/src/core/FeaturedService.ts index b3335e38da..cdfda0aee3 100644 --- a/packages/backend/src/core/FeaturedService.ts +++ b/packages/backend/src/core/FeaturedService.ts @@ -12,7 +12,7 @@ import { bindThis } from '@/decorators.js'; const GLOBAL_NOTES_RANKING_WINDOW = 1000 * 60 * 60 * 24 * 3; // 3日ごと export const GALLERY_POSTS_RANKING_WINDOW = 1000 * 60 * 60 * 24 * 3; // 3日ごと const PER_USER_NOTES_RANKING_WINDOW = 1000 * 60 * 60 * 24 * 7; // 1週間ごと -const HASHTAG_RANKING_WINDOW = 1000 * 60 * 60; // 1時間ごと +const HASHTAG_RANKING_WINDOW = 1000 * 60 * 60 * 48; // 48時間ごと const featuredEpoc = new Date('2023-01-01T00:00:00Z').getTime(); diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts index 7f3cac7c58..bea5dee6ab 100644 --- a/packages/backend/src/core/HttpRequestService.ts +++ b/packages/backend/src/core/HttpRequestService.ts @@ -15,6 +15,7 @@ import type { Config } from '@/config.js'; import { StatusError } from '@/misc/status-error.js'; import { bindThis } from '@/decorators.js'; import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js'; +import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js'; import type { IObject } from '@/core/activitypub/type.js'; import type { Response } from 'node-fetch'; import type { URL } from 'node:url'; @@ -125,7 +126,12 @@ export class HttpRequestService { validators: [validateContentTypeSetAsActivityPub], }); - return await res.json() as IObject; + const finalUrl = res.url; // redirects may have been involved + const activity = await res.json() as IObject; + + assertActivityMatchesUrls(activity, [url, finalUrl]); + + return activity; } @bindThis diff --git a/packages/backend/src/core/activitypub/misc/check-against-url.ts b/packages/backend/src/core/activitypub/misc/check-against-url.ts new file mode 100644 index 0000000000..ec3dcf3aae --- /dev/null +++ b/packages/backend/src/core/activitypub/misc/check-against-url.ts @@ -0,0 +1,46 @@ +/* + * SPDX-FileCopyrightText: dakkar and sharkey-project and yumechi + * SPDX-License-Identifier: AGPL-3.0-only + */ +import { metricCounter } from '@/server/api/MetricsService.js'; +import type { IObject } from '../type.js'; + +const mFetchBadActivityUrl = metricCounter({ + name: 'misskey_ap_fetch_bad_activity_url', + help: 'Fetches that failed because the activity URL did not match the expected Host', + labelNames: ['host_received', 'host_expected'], +}); + +function getHrefFrom(one: IObject|string): string | undefined { + if (typeof(one) === 'string') return one; + return one.href; +} + +export function assertActivityMatchesUrls(activity: IObject, urls: string[]) { + const idOk = activity.id !== undefined && urls.includes(activity.id); + if (idOk) return; + + const url = activity.url; + if (url) { + // `activity.url` can be an `ApObject = IObject | string | (IObject + // | string)[]`, we have to look inside it + const activityUrls = Array.isArray(url) ? url.map(getHrefFrom) : [getHrefFrom(url)]; + const goodUrl = activityUrls.find(u => u && urls.includes(u)); + + if (goodUrl) return; + } + + const hosts = urls.map(u => { + try { + return new URL(u).host; + } catch (e) { + return '[invalid]'; + } + }); + + const sortDedup = (arr: string[]) => Array.from(new Set(arr)).sort(); + + mFetchBadActivityUrl?.inc({ host_received: sortDedup(hosts).join('|'), host_expected: sortDedup(urls).join('|') }); + + throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${JSON.stringify(activity?.url)}) match location(${urls})`); +} diff --git a/packages/backend/src/models/DriveFile.ts b/packages/backend/src/models/DriveFile.ts index 7b03e3e494..14dabf2b0c 100644 --- a/packages/backend/src/models/DriveFile.ts +++ b/packages/backend/src/models/DriveFile.ts @@ -61,7 +61,7 @@ export class MiDriveFile { public size: number; @Column('varchar', { - length: 512, nullable: true, + length: 32768, nullable: true, comment: 'The comment of the DriveFile.', }) public comment: string | null;