some validation fixes
- Mar 22, 2024
dakkar authored
`url.host` includes the port, `url.hostname` doesn't.

`http://foo.example.com/something` and `http://foo.example.com:1234/something` are different resources served by different hosts, we should not confuse them

note that `(new URL('http://localhost:80')).host` is `localhost` and `(new URL('https://localhost:443')).host` is also `localhost`: the default port gets correctly ignored

this change should not really affect anything in "the real world", as we're all serving over https from port 443, but it may stop some impersonation attacks
028652e7
dakkar authored
if we are asked to fetch a URL that points to our own instance, but we can't resolve that from our database, the URL is bad and should be rejected

this should also stop some SSRF attacks
4e4a1457
dakkar authored
when fetching an AP resource, the remote server may return HTTP 302 or similar, but it should never bounce us to a different host
5bef73b8
dakkar authored
so we can use it elsewhere
2967721e
dakkar authored
this makes it harder for a malicious actor to pretend to be someone else
b0db1af6
dakkar authored
we already check that `id` matches the host, but collections must match too! otherwise a malicious actor could present us with someone else's collections
aff1dfd7
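
The host comparison these commits describe, as an added example that is not part of the commits or the project's code: it contrasts a `hostname` comparison with a `host` comparison and applies the latter to an actor's `id` and its collections. The function names, the sample actor and the choice of `outbox`, `followers` and `following` as the checked collection properties are assumptions.

```javascript
// Added illustration; all helper names here are hypothetical.

// Weak comparison: ignores the port, so two different hosts can look identical.
function sameHostname(a, b) {
  return new URL(a).hostname === new URL(b).hostname;
}

// Comparison on `host` (hostname plus any non-default port).
// Unparsable input counts as a mismatch instead of throwing.
function sameHost(a, b) {
  try {
    return new URL(a).host === new URL(b).host;
  } catch {
    return false;
  }
}

// Assumed set of collection properties to check on an actor.
const COLLECTION_FIELDS = ['outbox', 'followers', 'following'];

// Returns the names of the collections that live on a different host than actor.id.
function mismatchedCollections(actor) {
  const bad = [];
  for (const field of COLLECTION_FIELDS) {
    const value = actor[field];
    if (value == null) continue; // absent collections are not a mismatch
    // A collection may be a URL string or an embedded object carrying an id.
    const url = typeof value === 'string' ? value : value.id;
    if (typeof url !== 'string' || !sameHost(actor.id, url)) bad.push(field);
  }
  return bad;
}

// Constructed sample actor, not taken from any real instance.
const sampleActor = {
  id: 'https://foo.example.com/users/alice',
  outbox: 'https://foo.example.com:1234/users/alice/outbox', // same hostname, other port
  followers: { id: 'https://foo.example.com:443/users/alice/followers' }, // default port
  following: 'https://other.example.net/users/bob/following', // different host
};

console.log(mismatchedCollections(sampleActor));
```
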