fix: refuse proxying valid json documents

this is to avoid impersonation. this should usually be a cheap check, as
most media won't start with valid json characters, so from_slice()
should only need to check 1 byte most of the time
əlemi 2024-07-17 18:08:15 +02:00
parent ab46e23ef9
commit d9d7acbe98
Signed by: alemi
GPG key ID: A4895B84D311642C


@ -3,7 +3,7 @@ use axum::{extract::{Path, Query, State}, http::HeaderMap, response::{IntoRespon
use reqwest::Method;
use upub::{traits::{Cloaker, Fetcher}, Context};
use crate::{builders::JsonLD, ApiError, AuthIdentity, Identity};
use crate::{builders::JsonLD, ApiError, ApiResult, AuthIdentity, Identity};
pub async fn view(
@ -87,8 +87,12 @@ pub async fn cloak_proxy(
.await?
.error_for_status()?;
Ok((
resp.headers().clone(),
resp.bytes().await?.to_vec(),
))
let headers = resp.headers().clone();
let body = resp.bytes().await?.to_vec();
if serde_json::from_slice::<serde_json::Value>(&body).is_ok() {
return Err(ApiError::forbidden());
}
Ok((headers, body))
}
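Review bot: The new guard in `cloak_proxy` inspects only the body, while `resp.headers().clone()` still relays every upstream header unchanged, so the remote server keeps control of `Content-Type` and any other header sent from this origin. Refusing bodies that `serde_json` accepts is a denylist: it holds only as long as every consumer parses as strictly as serde_json does, and it says nothing about other non-media document types. If the set of media types the proxy must serve is known, an allowlist on the upstream `Content-Type` ahead of the body check would be the sturdier control, with the JSON check kept as a second layer. The existing check also deserves a comment giving its reason, for example `// refuse JSON bodies: a proxied document must not pass for one served by this instance`. The function starts outside the hunk, so how the proxied URL is authorised is not visible here.

```rust
let headers = resp.headers().clone();
// only relay media: the upstream Content-Type is chosen by the remote server
let is_media = headers
    .get(reqwest::header::CONTENT_TYPE)
    .and_then(|v| v.to_str().ok())
    .is_some_and(|ct| ["image/", "video/", "audio/"].iter().any(|p| ct.starts_with(p)));
if !is_media {
    return Err(ApiError::forbidden());
}
// … unchanged: body read, serde_json check and Ok((headers, body)) …
```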