Update AP helpers

This commit is contained in:
Daniel Supernault 2024-08-02 01:40:06 -06:00
parent 9847fbd898
commit 8fea821504
No known key found for this signature in database
GPG key ID: 23740873EE6F76A1
2 changed files with 193 additions and 160 deletions

View file

@ -25,6 +25,8 @@ use Cache;
use Carbon\Carbon;
use Illuminate\Support\Str;
use Illuminate\Validation\Rule;
use League\Uri\Exceptions\UriException;
use League\Uri\Uri;
use Purify;
use Validator;
@ -153,61 +155,74 @@ class Helpers
return in_array($url, $audience['to']) || in_array($url, $audience['cc']);
}
public static function validateUrl($url)
public static function validateUrl($url = null, $disableDNSCheck = false)
{
if (is_array($url)) {
if (is_array($url) && ! empty($url)) {
$url = $url[0];
}
if (! $url || strlen($url) === 0) {
return false;
}
try {
$uri = Uri::new($url);
$hash = hash('sha256', $url);
$key = "helpers:url:valid:sha256-{$hash}";
if (! $uri) {
return false;
}
if ($uri->getScheme() !== 'https') {
return false;
}
$host = $uri->getHost();
if (! $host || $host === '') {
return false;
}
if (! filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
return false;
}
if (! str_contains($host, '.')) {
return false;
}
$valid = Cache::remember($key, 900, function () use ($url) {
$localhosts = [
'127.0.0.1', 'localhost', '::1',
'localhost',
'127.0.0.1',
'::1',
'broadcasthost',
'ip6-localhost',
'ip6-loopback',
];
if (strtolower(mb_substr($url, 0, 8)) !== 'https://') {
return false;
}
if (substr_count($url, '://') !== 1) {
return false;
}
if (mb_substr($url, 0, 8) !== 'https://') {
$url = 'https://'.substr($url, 8);
}
$valid = filter_var($url, FILTER_VALIDATE_URL);
if (! $valid) {
return false;
}
$host = parse_url($valid, PHP_URL_HOST);
if (in_array($host, $localhosts)) {
return false;
}
if (config('security.url.verify_dns')) {
if (DomainService::hasValidDns($host) === false) {
if ($disableDNSCheck !== true && app()->environment() === 'production' && (bool) config('security.url.verify_dns')) {
$hash = hash('sha256', $host);
$key = "helpers:url:valid-dns:sha256-{$hash}";
$domainValidDns = Cache::remember($key, 14440, function () use ($host) {
return DomainService::hasValidDns($host);
});
if (! $domainValidDns) {
return false;
}
}
if (app()->environment() === 'production') {
if ($disableDNSCheck !== true && app()->environment() === 'production') {
$bannedInstances = InstanceService::getBannedDomains();
if (in_array($host, $bannedInstances)) {
return false;
}
}
return $url;
});
return $valid;
return $uri->toString();
} catch (UriException $e) {
return false;
}
}
public static function validateLocalUrl($url)
@ -215,7 +230,12 @@ class Helpers
$url = self::validateUrl($url);
if ($url == true) {
$domain = config('pixelfed.domain.app');
$host = parse_url($url, PHP_URL_HOST);
$uri = Uri::new($url);
$host = $uri->getHost();
if (! $host || empty($host)) {
return false;
}
$url = strtolower($domain) === strtolower($host) ? $url : false;
return $url;

View file

@ -2,19 +2,20 @@
namespace App\Util\ActivityPub;
use Cache, Log;
use App\Models\InstanceActor;
use App\Profile;
use \DateTime;
class HttpSignature {
use Cache;
use DateTime;
class HttpSignature
{
/*
* source: https://github.com/aaronpk/Nautilus/blob/master/app/ActivityPub/HTTPSignature.php
* thanks aaronpk!
*/
public static function sign(Profile $profile, $url, $body = false, $addlHeaders = []) {
public static function sign(Profile $profile, $url, $body = false, $addlHeaders = [])
{
if ($body) {
$digest = self::_digest($body);
}
@ -56,7 +57,8 @@ class HttpSignature {
return $headers;
}
public static function parseSignatureHeader($signature) {
public static function parseSignatureHeader($signature)
{
$parts = explode(',', $signature);
$signatureData = [];
@ -68,26 +70,33 @@ class HttpSignature {
if (! isset($signatureData['keyId'])) {
return [
'error' => 'No keyId was found in the signature header. Found: '.implode(', ', array_keys($signatureData))
'error' => 'No keyId was found in the signature header. Found: '.implode(', ', array_keys($signatureData)),
];
}
if (! filter_var($signatureData['keyId'], FILTER_VALIDATE_URL)) {
return [
'error' => 'keyId is not a URL: '.$signatureData['keyId']
'error' => 'keyId is not a URL: '.$signatureData['keyId'],
];
}
if (! Helpers::validateUrl($signatureData['keyId'])) {
return [
'error' => 'keyId is not a URL: '.$signatureData['keyId'],
];
}
if (! isset($signatureData['headers']) || ! isset($signatureData['signature'])) {
return [
'error' => 'Signature is missing headers or signature parts'
'error' => 'Signature is missing headers or signature parts',
];
}
return $signatureData;
}
public static function verify($publicKey, $signatureData, $inputHeaders, $path, $body) {
public static function verify($publicKey, $signatureData, $inputHeaders, $path, $body)
{
$digest = 'SHA-256='.base64_encode(hash('sha256', $body, true));
$headersToSign = [];
foreach (explode(' ', $signatureData['headers']) as $h) {
@ -106,26 +115,31 @@ class HttpSignature {
return [$verified, $signingString];
}
private static function _headersToSigningString($headers) {
private static function _headersToSigningString($headers)
{
return implode("\n", array_map(function ($k, $v) {
return strtolower($k).': '.$v;
}, array_keys($headers), $headers));
}
private static function _headersToCurlArray($headers) {
private static function _headersToCurlArray($headers)
{
return array_map(function ($k, $v) {
return "$k: $v";
}, array_keys($headers), $headers);
}
private static function _digest($body) {
private static function _digest($body)
{
if (is_array($body)) {
$body = json_encode($body);
}
return base64_encode(hash('sha256', $body, true));
}
protected static function _headersToSign($url, $digest = false, $method = 'post') {
protected static function _headersToSign($url, $digest = false, $method = 'post')
{
$date = new DateTime('UTC');
if (! in_array($method, ['post', 'get'])) {
@ -143,5 +157,4 @@ class HttpSignature {
return $headers;
}
}