1
0
Fork 0

Update ActivityPubFetchService, enforce stricter Content-Type validation

This commit is contained in:
Daniel Supernault 2024-02-15 21:22:41 -07:00
parent 4c6ec20e36
commit 1232cfc86a
No known key found for this signature in database
GPG Key ID: 23740873EE6F76A1
1 changed files with 52 additions and 29 deletions

View File

@ -11,38 +11,61 @@ use Illuminate\Http\Client\RequestException;
class ActivityPubFetchService class ActivityPubFetchService
{ {
public static function get($url, $validateUrl = true) public static function get($url, $validateUrl = true)
{ {
if($validateUrl === true) { if($validateUrl === true) {
if(!Helpers::validateUrl($url)) { if(!Helpers::validateUrl($url)) {
return 0; return 0;
} }
} }
$baseHeaders = [ $baseHeaders = [
'Accept' => 'application/activity+json, application/ld+json', 'Accept' => 'application/activity+json, application/ld+json',
]; ];
$headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get'); $headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get');
$headers['Accept'] = 'application/activity+json, application/ld+json'; $headers['Accept'] = 'application/activity+json, application/ld+json';
$headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')'; $headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')';
try { try {
$res = Http::withOptions(['allow_redirects' => false])->withHeaders($headers) $res = Http::withOptions(['allow_redirects' => false])
->timeout(30) ->withHeaders($headers)
->connectTimeout(5) ->timeout(30)
->retry(3, 500) ->connectTimeout(5)
->get($url); ->retry(3, 500)
} catch (RequestException $e) { ->get($url);
return; } catch (RequestException $e) {
} catch (ConnectionException $e) { return;
return; } catch (ConnectionException $e) {
} catch (Exception $e) { return;
return; } catch (Exception $e) {
} return;
if(!$res->ok()) { }
return;
} if(!$res->ok()) {
return $res->body(); return;
} }
if(!$res->hasHeader('Content-Type')) {
return;
}
$acceptedTypes = [
'application/activity+json; charset=utf-8',
'application/activity+json',
'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
];
$contentType = $res->getHeader('Content-Type')[0];
if(!$contentType) {
return;
}
if(!in_array($contentType, $acceptedTypes)) {
return;
}
return $res->body();
}
} }