From b2bd042b4ed22b8583889ebad6cdf61ba8dc6487 Mon Sep 17 00:00:00 2001
From: riku6460 <17585784+riku6460@users.noreply.github.com>
Date: Tue, 12 Sep 2023 02:56:51 +0900
Subject: [PATCH] =?UTF-8?q?deliver-delayed=20=E3=81=A7=20URL=20=E3=81=AE?=
 =?UTF-8?q?=E3=83=91=E3=83=BC=E3=82=B9=E3=81=AB=E5=A4=B1=E6=95=97=E3=81=97?=
 =?UTF-8?q?=E3=81=9F=E9=9A=9B=E3=81=AB=E5=85=A8=E3=81=A6=E3=81=8C=E3=82=B3?=
 =?UTF-8?q?=E3=82=B1=E3=82=8B=E5=95=8F=E9=A1=8C=E3=82=92=E4=BF=AE=E6=AD=A3?=
 =?UTF-8?q?=20(#164)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* deliver-delayed で URL のパースに失敗した際に全てがコケる問題を修正

* validateActor に inbox / sharedInbox のバリデーションを追加

* fix quote

* 念のため inbox-delayed も
---
 .../core/activitypub/models/ApPersonService.ts  | 15 +++++++++++++++
 .../endpoints/admin/queue/deliver-delayed.ts    | 17 ++++++++++++++---
 .../api/endpoints/admin/queue/inbox-delayed.ts  | 17 ++++++++++++++---
 3 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts
index 61d4ed8df9..e133ce5d70 100644
--- a/packages/backend/src/core/activitypub/models/ApPersonService.ts
+++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts
@@ -153,6 +153,21 @@ export class ApPersonService implements OnModuleInit {
 			throw new Error('invalid Actor: wrong inbox');
 		}
 
+		try {
+			new URL(x.inbox);
+		} catch {
+			throw new Error('invalid Actor: wrong inbox');
+		}
+
+		const sharedInbox = x.sharedInbox ?? x.endpoints?.sharedInbox;
+		if (typeof sharedInbox === 'string') {
+			try {
+				new URL(sharedInbox);
+			} catch {
+				throw new Error('invalid Actor: wrong sharedInbox');
+			}
+		}
+
 		if (!(typeof x.preferredUsername === 'string' && x.preferredUsername.length > 0 && x.preferredUsername.length <= 128 && /^\w([\w-.]*\w)?$/.test(x.preferredUsername))) {
 			throw new Error('invalid Actor: wrong username');
 		}
diff --git a/packages/backend/src/server/api/endpoints/admin/queue/deliver-delayed.ts b/packages/backend/src/server/api/endpoints/admin/queue/deliver-delayed.ts
index 771fca6ca0..cef6424b29 100644
--- a/packages/backend/src/server/api/endpoints/admin/queue/deliver-delayed.ts
+++ b/packages/backend/src/server/api/endpoints/admin/queue/deliver-delayed.ts
@@ -7,6 +7,7 @@ import { URL } from 'node:url';
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { DeliverQueue } from '@/core/QueueModule.js';
+import { ApiLoggerService } from '@/server/api/ApiLoggerService.js';
 
 export const meta = {
 	tags: ['admin'],
@@ -49,6 +50,8 @@ export const paramDef = {
 export default class extends Endpoint<typeof meta, typeof paramDef> {
 	constructor(
 		@Inject('queue:deliver') public deliverQueue: DeliverQueue,
+
+		private apiLoggerService: ApiLoggerService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
 			const jobs = await this.deliverQueue.getJobs(['delayed']);
@@ -56,9 +59,17 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			const res = [] as [string, number][];
 
 			for (const job of jobs) {
-				const host = new URL(job.data.to).host;
-				if (res.find(x => x[0] === host)) {
-					res.find(x => x[0] === host)![1]++;
+				let host: string;
+				try {
+					host = new URL(job.data.to).host;
+				} catch (e) {
+					this.apiLoggerService.logger.warn(`failed to parse url '${job.data.to}': ${e}`);
+					continue;
+				}
+
+				const found = res.find(x => x[0] === host);
+				if (found) {
+					found[1]++;
 				} else {
 					res.push([host, 1]);
 				}
diff --git a/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts b/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts
index 8e00aade3a..5413e215aa 100644
--- a/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts
+++ b/packages/backend/src/server/api/endpoints/admin/queue/inbox-delayed.ts
@@ -7,6 +7,7 @@ import { URL } from 'node:url';
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { InboxQueue } from '@/core/QueueModule.js';
+import { ApiLoggerService } from '@/server/api/ApiLoggerService.js';
 
 export const meta = {
 	tags: ['admin'],
@@ -49,6 +50,8 @@ export const paramDef = {
 export default class extends Endpoint<typeof meta, typeof paramDef> {
 	constructor(
 		@Inject('queue:inbox') public inboxQueue: InboxQueue,
+
+		private apiLoggerService: ApiLoggerService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
 			const jobs = await this.inboxQueue.getJobs(['delayed']);
@@ -56,9 +59,17 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			const res = [] as [string, number][];
 
 			for (const job of jobs) {
-				const host = new URL(job.data.signature.keyId).host;
-				if (res.find(x => x[0] === host)) {
-					res.find(x => x[0] === host)![1]++;
+				let host: string;
+				try {
+					host = new URL(job.data.signature.keyId).host;
+				} catch (e) {
+					this.apiLoggerService.logger.warn(`failed to parse url '${job.data.signature.keyId}': ${e}`);
+					continue;
+				}
+
+				const found = res.find(x => x[0] === host);
+				if (found) {
+					found[1]++;
 				} else {
 					res.push([host, 1]);
 				}