Fix insufficient Content-Type checking of fetched ActivityStreams objects

2025-12-14 08:19:05 +00:00 · 2024-02-08 13:32:28 +01:00
parent 4216779759
commit e6e43b642a
12 changed files with 50 additions and 42 deletions
--- a/app/helpers/jsonld_helper.rb
+++ b/app/helpers/jsonld_helper.rb
@@ -174,10 +174,18 @@ module JsonLdHelper
    build_request(uri, on_behalf_of).perform do |response|
      raise Mastodon::UnexpectedResponseError, response unless response_successful?(response) || response_error_unsalvageable?(response) || !raise_on_temporary_error

-      body_to_json(response.body_with_limit) if response.code == 200
+      body_to_json(response.body_with_limit) if response.code == 200 && valid_activitypub_content_type?(response)
    end
  end

+  def valid_activitypub_content_type?(response)
+    return true if response.mime_type == 'application/activity+json'
+
+    # When the mime type is `application/ld+json`, we need to check the profile,
+    # but `http.rb` does not parse it for us.
+    response.mime_type == 'application/ld+json' && response.headers[HTTP::Headers::CONTENT_TYPE]&.split(';')&.map(&:strip)&.include?('profile="https://www.w3.org/ns/activitystreams"')
+  end
+
  def body_to_json(body, compare_id: nil)
    json = body.is_a?(String) ? Oj.load(body, mode: :strict) : body