Merge pull request #2547 from mei23/mei-0830-httpsignature

HTTP Signature 周辺の修正
This commit is contained in:
syuilo 2018-08-30 21:11:43 +09:00 committed by GitHub
commit 5e202c3def
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 67 additions and 3 deletions

View File

@ -6,6 +6,8 @@ import parseAcct from '../../../misc/acct/parse';
import User, { IRemoteUser } from '../../../models/user';
import perform from '../../../remote/activitypub/perform';
import { resolvePerson } from '../../../remote/activitypub/models/person';
import { toUnicode } from 'punycode';
import { URL } from 'url';
const log = debug('misskey:queue:inbox');
@ -32,6 +34,15 @@ export default async (job: bq.Job, done: any): Promise<void> => {
return;
}
// アクティビティ内のホストの検証
try {
ValidateActivity(activity, host);
} catch (e) {
console.warn(e);
done();
return;
}
user = await User.findOne({ usernameLower: username, host: host.toLowerCase() }) as IRemoteUser;
// アクティビティを送信してきたユーザーがまだMisskeyサーバーに登録されていなかったら登録する
@ -39,6 +50,16 @@ export default async (job: bq.Job, done: any): Promise<void> => {
user = await resolvePerson(activity.actor) as IRemoteUser;
}
} else {
// アクティビティ内のホストの検証
const host = toUnicode(new URL(signature.keyId).hostname.toLowerCase());
try {
ValidateActivity(activity, host);
} catch (e) {
console.warn(e);
done();
return;
}
user = await User.findOne({
host: { $ne: null },
'publicKey.id': signature.keyId
@ -69,3 +90,37 @@ export default async (job: bq.Job, done: any): Promise<void> => {
done(e);
}
};
/**
* Validate host in activity
* @param activity Activity
* @param host Expect host
*/
function ValidateActivity(activity: any, host: string) {
// id (if exists)
if (typeof activity.id === 'string') {
const uriHost = toUnicode(new URL(activity.id).hostname.toLowerCase());
if (host !== uriHost) throw new Error('activity.id has different host');
}
// actor (if exists)
if (typeof activity.actor === 'string') {
const uriHost = toUnicode(new URL(activity.actor).hostname.toLowerCase());
if (host !== uriHost) throw new Error('activity.actor has different host');
}
// For Create activity
if (activity.type === 'Create' && activity.object) {
// object.id (if exists)
if (typeof activity.object.id === 'string') {
const uriHost = toUnicode(new URL(activity.object.id).hostname.toLowerCase());
if (host !== uriHost) throw new Error('activity.object.id has different host');
}
// object.attributedTo (if exists)
if (typeof activity.object.attributedTo === 'string') {
const uriHost = toUnicode(new URL(activity.object.attributedTo).hostname.toLowerCase());
if (host !== uriHost) throw new Error('activity.object.attributedTo has different host');
}
}
}

View File

@ -2,6 +2,7 @@ import { request } from 'https';
const { sign } = require('http-signature');
import { URL } from 'url';
import * as debug from 'debug';
const crypto = require('crypto');
import config from '../../config';
import { ILocalUser } from '../../models/user';
@ -13,6 +14,12 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
const { protocol, hostname, port, pathname, search } = new URL(url);
const data = JSON.stringify(object);
const sha256 = crypto.createHash('sha256');
sha256.update(data);
const hash = sha256.digest('base64');
const req = request({
protocol,
hostname,
@ -20,7 +27,8 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
method: 'POST',
path: pathname + search,
headers: {
'Content-Type': 'application/activity+json'
'Content-Type': 'application/activity+json',
'Digest': `SHA-256=${hash}`
}
}, res => {
log(`${url} --> ${res.statusCode}`);
@ -35,7 +43,8 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
sign(req, {
authorizationHeaderName: 'Signature',
key: user.keypair,
keyId: `${config.url}/users/${user._id}/publickey`
keyId: `${config.url}/users/${user._id}/publickey`,
headers: ['date', 'host', 'digest']
});
// Signature: Signature ... => Signature: ...
@ -43,5 +52,5 @@ export default (user: ILocalUser, url: string, object: any) => new Promise((reso
sig = sig.replace(/^Signature /, '');
req.setHeader('Signature', sig);
req.end(JSON.stringify(object));
req.end(data);
});