From 00b45ad726579604cc7f0d4bb772a4324af244fe Mon Sep 17 00:00:00 2001
From: naskya
Date: Fri, 21 Apr 2023 01:50:47 +0000
Subject: [PATCH] security: validate image url (#9882)
It looks like url validations are added in https://codeberg.org/calckey/calckey/commit/f7564d87b0b8ad50d6ba462feeac9e96725c71e1, but I found another validation commit not applied in Calckey, so I cherry-picked https://github.com/misskey-dev/misskey/commit/0da0cc80b94c1a8032b79e0a345378557019ff19 from [Misskey](https://github.com/misskey-dev/misskey).
Co-authored-by: syuilo
Co-authored-by: naskya
Reviewed-on: https://codeberg.org/calckey/calckey/pulls/9882
Co-authored-by: naskya
Co-committed-by: naskya
---
 packages/backend/src/remote/activitypub/models/image.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/packages/backend/src/remote/activitypub/models/image.ts b/packages/backend/src/remote/activitypub/models/image.ts
index 415f7c4006..211aa3931e 100644
--- a/packages/backend/src/remote/activitypub/models/image.ts
+++ b/packages/backend/src/remote/activitypub/models/image.ts
@@ -29,6 +29,10 @@ export async function createImage(
 throw new Error("invalid image: url not privided");
 }
 
+ if (!image.url.startsWith("https://") && !image.url.startsWith("http://")) {
+ throw new Error("invalid image: unexpected shcema of url: " + image.url);
+ }
+
 logger.info(`Creating the Image: ${image.url}`);
 
 const instance = await fetchMeta();
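Review bot: The added guard in createImage checks only the string prefix, so any `http://` or `https://` URL passes, including one whose host is a loopback or private address. Whether the later download path rejects such destinations is not visible in this hunk and should be confirmed. `image.url` presumably comes from a remote ActivityPub object, so a non-string value (an array or a Link object) would make `.startsWith` throw a TypeError instead of the intended error. The condition of the check above is outside the hunk; if it tests only for null, adding `typeof image.url !== "string"` to it would close that gap. The new message misspells "scheme" and echoes the remote-supplied URL into the exception text; `throw new Error("invalid image: unexpected scheme of url");` fixes both. createImage begins and continues outside the hunk.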