fix(backend): fix type error(s) in security fixes (misskey-dev#15009)

kakkokari-gtyih · K4rakara · web-flow · commit 3a6c2aa83563 · 2024-11-21T12:10:02.000+09:00
* Fix type error in security fixes (cherry picked from commit fa3cf6c) * Fix error in test function calls (cherry picked from commit 1758f29) * Fix style error (cherry picked from commit 23c4aa2) * Fix another style error (cherry picked from commit 36af07a) * Fix `.punyHost` misuse (cherry picked from commit 6027b51) * attempt to fix test: make yaml valid --------- Co-authored-by: Julia Johannesen <julia@insertdomain.name>
diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts
@@ -54,19 +54,19 @@ class HttpRequestServiceAgent extends http.Agent {
 				}
 			});
 		return socket;
-	};
+	}
 
 	@bindThis
 	private isPrivateIp(ip: string): boolean {
 		const parsedIp = ipaddr.parse(ip);
-	
+
 		for (const net of this.config.allowedPrivateNetworks ?? []) {
 			const cidr = ipaddr.parseCIDR(net);
 			if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
 				return false;
 			}
 		}
-	
+
 		return parsedIp.range() !== 'unicast';
 	}
 }
@@ -93,19 +93,19 @@ class HttpsRequestServiceAgent extends https.Agent {
 				}
 			});
 		return socket;
-	};
+	}
 
 	@bindThis
 	private isPrivateIp(ip: string): boolean {
 		const parsedIp = ipaddr.parse(ip);
-	
+
 		for (const net of this.config.allowedPrivateNetworks ?? []) {
 			const cidr = ipaddr.parseCIDR(net);
 			if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
 				return false;
 			}
 		}
-	
+
 		return parsedIp.range() !== 'unicast';
 	}
 }
diff --git a/packages/backend/src/core/RemoteUserResolveService.ts b/packages/backend/src/core/RemoteUserResolveService.ts
@@ -54,7 +54,7 @@ export class RemoteUserResolveService {
 			}) as MiLocalUser;
 		}
 
-		host = this.utilityService.punyHost(host);
+		host = this.utilityService.toPuny(host);
 
 		if (host === this.utilityService.toPuny(this.config.host)) {
 			this.logger.info(`return local user: ${usernameLower}`);
diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts
@@ -163,13 +163,16 @@ export class ApPersonService implements OnModuleInit {
 		}
 
 		for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) {
-			const collectionUri = getApId((x as IActor)[collection]);
-			if (typeof collectionUri === 'string' && collectionUri.length > 0) {
-				if (this.utilityService.punyHost(collectionUri) !== expectHost) {
-					throw new Error(`invalid Actor: ${collection} has different host`);
+			const xCollection = (x as IActor)[collection];
+			if (xCollection != null) {
+				const collectionUri = getApId(xCollection);
+				if (typeof collectionUri === 'string' && collectionUri.length > 0) {
+					if (this.utilityService.punyHost(collectionUri) !== expectHost) {
+						throw new Error(`invalid Actor: ${collection} has different host`);
+					}
+				} else if (collectionUri != null) {
+					throw new Error(`invalid Actor: wrong ${collection}`);
 				}
-			} else if (collectionUri != null) {
-				throw new Error(`invalid Actor: wrong ${collection}`);
 			}
 		}
 
diff --git a/packages/backend/test-federation/.config/example.default.yml b/packages/backend/test-federation/.config/example.default.yml
@@ -19,7 +19,6 @@ proxyBypassHosts:
   - challenges.cloudflare.com
 proxyRemoteFiles: true
 signToActivityPubGet: true
-allowedPrivateNetworks: [
-  '127.0.0.1/32',
-  '172.20.0.0/16'
-]
+allowedPrivateNetworks:
+  - 127.0.0.1/32
+  - 172.20.0.0/16
diff --git a/packages/backend/test/unit/activitypub.ts b/packages/backend/test/unit/activitypub.ts
@@ -176,7 +176,7 @@ describe('ActivityPub', () => {
 			resolver.register(actor.id, actor);
 			resolver.register(post.id, post);
 
-			const note = await noteService.createNote(post.id, resolver, true);
+			const note = await noteService.createNote(post.id, undefined, resolver, true);
 
 			assert.deepStrictEqual(note?.uri, post.id);
 			assert.deepStrictEqual(note.visibility, 'public');
@@ -336,7 +336,7 @@ describe('ActivityPub', () => {
 			resolver.register(actor.featured, featured);
 			resolver.register(firstNote.id, firstNote);
 
-			const note = await noteService.createNote(firstNote.id as string, resolver);
+			const note = await noteService.createNote(firstNote.id as string, undefined, resolver);
 			assert.strictEqual(note?.uri, firstNote.id);
 		});
 	});

Original file line number	Diff line number	Diff line change
`@@ -54,19 +54,19 @@ class HttpRequestServiceAgent extends http.Agent {`
`54`	`54`	`}`
`55`	`55`	`});`
`56`	`56`	`return socket;`
`57`		`- };`
	`57`	`+ }`
`58`	`58`
`59`	`59`	`@bindThis`
`60`	`60`	`private isPrivateIp(ip: string): boolean {`
`61`	`61`	`const parsedIp = ipaddr.parse(ip);`
`62`		`-`
	`62`	`+`
`63`	`63`	`for (const net of this.config.allowedPrivateNetworks ?? []) {`
`64`	`64`	`const cidr = ipaddr.parseCIDR(net);`
`65`	`65`	`if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {`
`66`	`66`	`return false;`
`67`	`67`	`}`
`68`	`68`	`}`
`69`		`-`
	`69`	`+`
`70`	`70`	`return parsedIp.range() !== 'unicast';`
`71`	`71`	`}`
`72`	`72`	`}`
`@@ -93,19 +93,19 @@ class HttpsRequestServiceAgent extends https.Agent {`
`93`	`93`	`}`
`94`	`94`	`});`
`95`	`95`	`return socket;`
`96`		`- };`
	`96`	`+ }`
`97`	`97`
`98`	`98`	`@bindThis`
`99`	`99`	`private isPrivateIp(ip: string): boolean {`
`100`	`100`	`const parsedIp = ipaddr.parse(ip);`
`101`		`-`
	`101`	`+`
`102`	`102`	`for (const net of this.config.allowedPrivateNetworks ?? []) {`
`103`	`103`	`const cidr = ipaddr.parseCIDR(net);`
`104`	`104`	`if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {`
`105`	`105`	`return false;`
`106`	`106`	`}`
`107`	`107`	`}`
`108`		`-`
	`108`	`+`
`109`	`109`	`return parsedIp.range() !== 'unicast';`
`110`	`110`	`}`
`111`	`111`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ export class RemoteUserResolveService {`
`54`	`54`	`}) as MiLocalUser;`
`55`	`55`	`}`
`56`	`56`
`57`		`- host = this.utilityService.punyHost(host);`
	`57`	`+ host = this.utilityService.toPuny(host);`
`58`	`58`
`59`	`59`	`if (host === this.utilityService.toPuny(this.config.host)) {`
`60`	`60`	this.logger.info(`return local user: ${usernameLower}`);
Original file line number	Diff line number	Diff line change
`@@ -163,13 +163,16 @@ export class ApPersonService implements OnModuleInit {`
`163`	`163`	`}`
`164`	`164`
`165`	`165`	`for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) {`
`166`		`- const collectionUri = getApId((x as IActor)[collection]);`
`167`		`- if (typeof collectionUri === 'string' && collectionUri.length > 0) {`
`168`		`- if (this.utilityService.punyHost(collectionUri) !== expectHost) {`
`169`		- throw new Error(`invalid Actor: ${collection} has different host`);
	`166`	`+ const xCollection = (x as IActor)[collection];`
	`167`	`+ if (xCollection != null) {`
	`168`	`+ const collectionUri = getApId(xCollection);`
	`169`	`+ if (typeof collectionUri === 'string' && collectionUri.length > 0) {`
	`170`	`+ if (this.utilityService.punyHost(collectionUri) !== expectHost) {`
	`171`	+ throw new Error(`invalid Actor: ${collection} has different host`);
	`172`	`+ }`
	`173`	`+ } else if (collectionUri != null) {`
	`174`	+ throw new Error(`invalid Actor: wrong ${collection}`);
`170`	`175`	`}`
`171`		`- } else if (collectionUri != null) {`
`172`		- throw new Error(`invalid Actor: wrong ${collection}`);
`173`	`176`	`}`
`174`	`177`	`}`
`175`	`178`