Update AP helpers

2024-08-02 01:40:06 -06:00 · 2024-08-02 01:40:06 -06:00 · 8fea821504
parent 9847fbd898
commit 8fea821504
2 changed files with 193 additions and 160 deletions
--- a/app/Util/ActivityPub/Helpers.php
+++ b/app/Util/ActivityPub/Helpers.php
@ -25,6 +25,8 @@ use Cache;
 use Carbon\Carbon;
 use Illuminate\Support\Str;
 use Illuminate\Validation\Rule;
+use League\Uri\Exceptions\UriException;
+use League\Uri\Uri;
 use Purify;
 use Validator;

@ -153,61 +155,74 @@ class Helpers
        return in_array($url, $audience['to']) || in_array($url, $audience['cc']);
    }

-    public static function validateUrl($url)
+    public static function validateUrl($url = null, $disableDNSCheck = false)
    {
-        if (is_array($url)) {
+        if (is_array($url) && ! empty($url)) {
            $url = $url[0];
        }
+        if (! $url || strlen($url) === 0) {
+            return false;
+        }
+        try {
+            $uri = Uri::new($url);

-        $hash = hash('sha256', $url);
-        $key = "helpers:url:valid:sha256-{$hash}";
+            if (! $uri) {
+                return false;
+            }
+
+            if ($uri->getScheme() !== 'https') {
+                return false;
+            }
+
+            $host = $uri->getHost();
+
+            if (! $host || $host === '') {
+                return false;
+            }
+
+            if (! filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
+                return false;
+            }
+
+            if (! str_contains($host, '.')) {
+                return false;
+            }

-        $valid = Cache::remember($key, 900, function () use ($url) {
            $localhosts = [
-                '127.0.0.1', 'localhost', '::1',
+                'localhost',
+                '127.0.0.1',
+                '::1',
+                'broadcasthost',
+                'ip6-localhost',
+                'ip6-loopback',
            ];

-            if (strtolower(mb_substr($url, 0, 8)) !== 'https://') {
-                return false;
-            }
-
-            if (substr_count($url, '://') !== 1) {
-                return false;
-            }
-
-            if (mb_substr($url, 0, 8) !== 'https://') {
-                $url = 'https://'.substr($url, 8);
-            }
-
-            $valid = filter_var($url, FILTER_VALIDATE_URL);
-
-            if (! $valid) {
-                return false;
-            }
-
-            $host = parse_url($valid, PHP_URL_HOST);
-
            if (in_array($host, $localhosts)) {
                return false;
            }

-            if (config('security.url.verify_dns')) {
-                if (DomainService::hasValidDns($host) === false) {
+            if ($disableDNSCheck !== true && app()->environment() === 'production' && (bool) config('security.url.verify_dns')) {
+                $hash = hash('sha256', $host);
+                $key = "helpers:url:valid-dns:sha256-{$hash}";
+                $domainValidDns = Cache::remember($key, 14440, function () use ($host) {
+                    return DomainService::hasValidDns($host);
+                });
+                if (! $domainValidDns) {
                    return false;
                }
            }

-            if (app()->environment() === 'production') {
+            if ($disableDNSCheck !== true && app()->environment() === 'production') {
                $bannedInstances = InstanceService::getBannedDomains();
                if (in_array($host, $bannedInstances)) {
                    return false;
                }
            }

-            return $url;
-        });
-
-        return $valid;
+            return $uri->toString();
+        } catch (UriException $e) {
+            return false;
+        }
    }

    public static function validateLocalUrl($url)
@ -215,7 +230,12 @@ class Helpers
        $url = self::validateUrl($url);
        if ($url == true) {
            $domain = config('pixelfed.domain.app');
-            $host = parse_url($url, PHP_URL_HOST);
+
+            $uri = Uri::new($url);
+            $host = $uri->getHost();
+            if (! $host || empty($host)) {
+                return false;
+            }
            $url = strtolower($domain) === strtolower($host) ? $url : false;

            return $url;
--- a/app/Util/ActivityPub/HttpSignature.php
+++ b/app/Util/ActivityPub/HttpSignature.php
@ -2,19 +2,20 @@

 namespace App\Util\ActivityPub;

-use Cache, Log;
 use App\Models\InstanceActor;
 use App\Profile;
-use \DateTime;
-
-class HttpSignature {
+use Cache;
+use DateTime;

+class HttpSignature
+{
    /*
     * source: https://github.com/aaronpk/Nautilus/blob/master/app/ActivityPub/HTTPSignature.php
     * thanks aaronpk!
     */

-  public static function sign(Profile $profile, $url, $body = false, $addlHeaders = []) {
+    public static function sign(Profile $profile, $url, $body = false, $addlHeaders = [])
+    {
        if ($body) {
            $digest = self::_digest($body);
        }
@ -56,7 +57,8 @@ class HttpSignature {
        return $headers;
    }

-  public static function parseSignatureHeader($signature) {
+    public static function parseSignatureHeader($signature)
+    {
        $parts = explode(',', $signature);
        $signatureData = [];

@ -68,26 +70,33 @@ class HttpSignature {

        if (! isset($signatureData['keyId'])) {
            return [
-        'error' => 'No keyId was found in the signature header. Found: '.implode(', ', array_keys($signatureData))
+                'error' => 'No keyId was found in the signature header. Found: '.implode(', ', array_keys($signatureData)),
            ];
        }

        if (! filter_var($signatureData['keyId'], FILTER_VALIDATE_URL)) {
            return [
-        'error' => 'keyId is not a URL: '.$signatureData['keyId']
+                'error' => 'keyId is not a URL: '.$signatureData['keyId'],
+            ];
+        }
+
+        if (! Helpers::validateUrl($signatureData['keyId'])) {
+            return [
+                'error' => 'keyId is not a URL: '.$signatureData['keyId'],
            ];
        }

        if (! isset($signatureData['headers']) || ! isset($signatureData['signature'])) {
            return [
-        'error' => 'Signature is missing headers or signature parts'
+                'error' => 'Signature is missing headers or signature parts',
            ];
        }

        return $signatureData;
    }

-  public static function verify($publicKey, $signatureData, $inputHeaders, $path, $body) {
+    public static function verify($publicKey, $signatureData, $inputHeaders, $path, $body)
+    {
        $digest = 'SHA-256='.base64_encode(hash('sha256', $body, true));
        $headersToSign = [];
        foreach (explode(' ', $signatureData['headers']) as $h) {
@ -106,26 +115,31 @@ class HttpSignature {
        return [$verified, $signingString];
    }

-  private static function _headersToSigningString($headers) {
+    private static function _headersToSigningString($headers)
+    {
        return implode("\n", array_map(function ($k, $v) {
            return strtolower($k).': '.$v;
        }, array_keys($headers), $headers));
    }

-  private static function _headersToCurlArray($headers) {
+    private static function _headersToCurlArray($headers)
+    {
        return array_map(function ($k, $v) {
            return "$k: $v";
        }, array_keys($headers), $headers);
    }

-  private static function _digest($body) {
+    private static function _digest($body)
+    {
        if (is_array($body)) {
            $body = json_encode($body);
        }
+
        return base64_encode(hash('sha256', $body, true));
    }

-  protected static function _headersToSign($url, $digest = false, $method = 'post') {
+    protected static function _headersToSign($url, $digest = false, $method = 'post')
+    {
        $date = new DateTime('UTC');

        if (! in_array($method, ['post', 'get'])) {
@ -143,5 +157,4 @@ class HttpSignature {

        return $headers;
    }
-
 }