fix: refuse proxying valid json documents
this to avoid impersonation. this should usually be a cheap check, as most media won't be starting with valid json characters, so from_slice() should just check 1 byte most of the times
This commit is contained in:
parent
ab46e23ef9
commit
d9d7acbe98
1 changed files with 9 additions and 5 deletions
|
@ -3,7 +3,7 @@ use axum::{extract::{Path, Query, State}, http::HeaderMap, response::{IntoRespon
|
|||
use reqwest::Method;
|
||||
use upub::{traits::{Cloaker, Fetcher}, Context};
|
||||
|
||||
use crate::{builders::JsonLD, ApiError, AuthIdentity, Identity};
|
||||
use crate::{builders::JsonLD, ApiError, ApiResult, AuthIdentity, Identity};
|
||||
|
||||
|
||||
pub async fn view(
|
||||
|
@ -87,8 +87,12 @@ pub async fn cloak_proxy(
|
|||
.await?
|
||||
.error_for_status()?;
|
||||
|
||||
Ok((
|
||||
resp.headers().clone(),
|
||||
resp.bytes().await?.to_vec(),
|
||||
))
|
||||
let headers = resp.headers().clone();
|
||||
let body = resp.bytes().await?.to_vec();
|
||||
|
||||
if serde_json::from_slice::<serde_json::Value>(&body).is_ok() {
|
||||
return Err(ApiError::forbidden());
|
||||
}
|
||||
|
||||
Ok((headers, body))
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue