image URLs now are checked before sending (fixes #4)
parent
d8a66b7d45
commit
a8dfbaf8ea
|
@ -5,6 +5,7 @@
|
|||
import { NodeInfo } from "../../types/nodeinfo.js";
|
||||
import { safe_fetch } from "../fetch.js";
|
||||
import { getNodeInfo } from "../nodeinfo.js";
|
||||
import { getSafeURL } from "../utils.js";
|
||||
|
||||
export interface IInstance {
|
||||
software: {
|
||||
|
@ -18,10 +19,12 @@ export interface IInstance {
|
|||
/**
|
||||
* Untrusted URL
|
||||
*/
|
||||
logo_uri?: string;
|
||||
raw_logo_uri?: string;
|
||||
/**
|
||||
* Untrusted URL
|
||||
*/
|
||||
raw_banner_uri?: string;
|
||||
logo_uri?: string;
|
||||
banner_uri?: string;
|
||||
name?: string;
|
||||
};
|
||||
|
@ -87,7 +90,7 @@ export const getInstanceMeta = async (
|
|||
if (!metaRes) throw new Error();
|
||||
|
||||
instance.name = typeof metaRes.title === "string" && metaRes.title;
|
||||
instance.banner_uri =
|
||||
instance.raw_banner_uri =
|
||||
typeof metaRes?.thumbnail?.url === "string" && metaRes.thumbnail.url;
|
||||
break;
|
||||
}
|
||||
|
@ -104,10 +107,10 @@ export const getInstanceMeta = async (
|
|||
instance.name =
|
||||
typeof metaRes.site_view?.site?.name === "string" &&
|
||||
metaRes.site_view.site.name;
|
||||
instance.logo_uri =
|
||||
instance.raw_logo_uri =
|
||||
typeof metaRes.site_view?.site?.icon === "string" &&
|
||||
metaRes.site_view.site.icon;
|
||||
instance.banner_uri =
|
||||
instance.raw_banner_uri =
|
||||
typeof metaRes.site_view?.site?.banner === "string" &&
|
||||
metaRes.site_view.site.banner;
|
||||
break;
|
||||
|
@ -117,6 +120,11 @@ export const getInstanceMeta = async (
|
|||
// ignore meta if failed
|
||||
}
|
||||
|
||||
if (instance.raw_banner_uri)
|
||||
instance.banner_uri = getSafeURL(instance.raw_banner_uri);
|
||||
if (instance.raw_logo_uri)
|
||||
instance.logo_uri = getSafeURL(instance.raw_logo_uri);
|
||||
|
||||
return {
|
||||
software,
|
||||
instance,
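Review bot: The `raw_logo_uri` and `raw_banner_uri` values stay on the `instance` object that getInstanceMeta returns, so any caller that serializes the whole object still hands the unvalidated URL to the client; whether that happens is not visible on this page. I would tighten the doc comment on both raw fields to something like `/** Untrusted URL as reported by the remote instance. Do not render or fetch; use logo_uri / banner_uri. */` and give `logo_uri` / `banner_uri` a comment saying they are only set when the raw value passes `getSafeURL`. Separately, the `typeof … === "string" && …` assignments store `false` in a `string`-typed field when the check fails; `typeof metaRes?.thumbnail?.url === "string" ? metaRes.thumbnail.url : undefined` keeps the type honest. getInstanceMeta starts and ends outside these hunks.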
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
import { safe_fetch } from "../fetch.js";
|
||||
import { getSafeURL } from "../utils.js";
|
||||
|
||||
/**
|
||||
* Matches as close as possible to standard OpenID claims
|
||||
|
@ -25,6 +26,11 @@ export interface IProfile {
|
|||
*/
|
||||
profile?: string;
|
||||
|
||||
/**
|
||||
* Raw URL to profile picture
|
||||
*/
|
||||
raw_picture?: string;
|
||||
|
||||
/**
|
||||
* URL to profile picture
|
||||
*/
|
||||
|
@ -92,7 +98,8 @@ export const getUserMeta = async (
|
|||
return {
|
||||
sub: user.join("@"),
|
||||
name: apData.name,
|
||||
picture: apData.icon?.url,
|
||||
raw_picture: apData.icon?.url,
|
||||
picture: getSafeURL(apData.icon?.url),
|
||||
preferred_username: apData.preferredUsername,
|
||||
profile: profilePage,
|
||||
};
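Review bot: `getSafeURL(apData.icon?.url)` in the getUserMeta return is called even when the actor has no icon, and `getSafeURL` as added in this commit calls `.indexOf` on its argument unconditionally, so an icon-less profile would throw a TypeError instead of yielding a profile without a picture. Because the call is accepted against a `string` parameter, `apData` is presumably untyped, which also means `icon.url` may not be a string at all. Guard at the call site: `picture: typeof apData.icon?.url === "string" ? getSafeURL(apData.icon.url) : undefined,`. The new `raw_picture` comment should also mark the value as untrusted, as the `IInstance` raw fields do, e.g. `/** Untrusted raw URL to profile picture; do not render */`. getUserMeta begins and ends outside the hunk.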
|
||||
|
|
|
@ -55,3 +55,19 @@ export const isInstanceDomainValid = async (
|
|||
|
||||
return nodeinfo.protocols.indexOf("activitypub") > -1;
|
||||
};
|
||||
|
||||
/**
|
||||
* Get a safe URL
|
||||
*
|
||||
* This restricts the protocol and that's basically it
|
||||
*
|
||||
* This could be improved to proxy all requests
|
||||
*
|
||||
* @param unsafe_url
|
||||
* @returns
|
||||
*/
|
||||
export const getSafeURL = (unsafe_url: string): string | undefined => {
|
||||
if (unsafe_url.indexOf("https://") !== 0) return undefined;
|
||||
|
||||
return unsafe_url;
|
||||
};
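Review bot: `getSafeURL` accepts any string that begins with the literal `https://` without parsing it, so malformed values, embedded credentials (`https://user@host/`) and strings containing whitespace or control characters are returned unchanged, while an upper-case scheme is rejected. Parsing with `new URL()` and comparing `protocol` yields either a normalized `href` or `undefined`, and widening the parameter to `unknown` lets the function absorb the `undefined` that getUserMeta's `apData.icon?.url` can pass. The `@param` and `@returns` tags are empty; they should state that the input is an untrusted remote value and that `undefined` means rejected. A scheme check does not constrain the host, so this should not be treated as sufficient if the server itself ever fetches these URLs.

```typescript
export const getSafeURL = (unsafe_url: unknown): string | undefined => {
  if (typeof unsafe_url !== "string") return undefined;

  let url: URL;
  try {
    url = new URL(unsafe_url);
  } catch {
    return undefined; // not a parseable absolute URL
  }

  if (url.protocol !== "https:") return undefined;
  if (url.username || url.password) return undefined; // no embedded credentials

  return url.href;
};
```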
|
||||
|
|