Merge pull request from GHSA-f7g9-xhcq-5ww6

mei23 · web-flow · commit 0b7b4a3efcee · 2024-04-27T00:29:17.000+09:00
diff --git a/package.json b/package.json
@@ -90,7 +90,7 @@
 		"jsdom": "20.0.3",
 		"json5": "2.2.3",
 		"json5-loader": "4.0.1",
-		"jsonld": "5.2.0",
+		"jsonld": "8.3.2",
 		"katex": "0.16.10",
 		"koa": "2.15.2",
 		"koa-bodyparser": "4.4.1",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/queue/processors/inbox.ts b/src/queue/processors/inbox.ts
@@ -37,7 +37,7 @@ type ApContext = {
 
 export const tryProcessInbox = async (data: InboxJobData, ctx?: ApContext): Promise<string> => {
 	const signature = data.signature;
-	const activity = data.activity;
+	let activity = data.activity;
 
 	const resolver = ctx?.resolver || new Resolver();
 
@@ -121,6 +121,11 @@ export const tryProcessInbox = async (data: InboxJobData, ctx?: ApContext): Prom
 			if (await isBlockedHost(ldHost)) {
 				return `skip: Blocked instance: ${ldHost}`;
 			}
+
+			const activity2 = JSON.parse(JSON.stringify(activity));
+			delete activity2.signature;
+			const compacted = await ldSignature.compact(activity2);
+			activity = compacted as any;
 		} else {
 			return `skip: http-signature verification failed and ${config.ignoreApForwarded ? 'ignoreApForwarded' : 'no LD-Signature'}. keyId=${signature.keyId}`;
 		}
diff --git a/src/remote/activitypub/misc/ld-signature.ts b/src/remote/activitypub/misc/ld-signature.ts
@@ -103,6 +103,13 @@ export class LdSignature {
 		});
 	}
 
+	public async compact(data: any) {
+		const customLoader = this.getLoader();
+		return await jsonld.compact(data, data['@context'], {
+			documentLoader: customLoader
+		});
+	}
+
 	private getLoader() {
 		return async (url: string): Promise<any> => {
 			if (!url.match('^https?\:\/\/')) throw `Invalid URL ${url}`;
