[bugfix] add stricter checks during all stages of dereferencing remote AS objects (#2639)

* add stricter checks during all stages of dereferencing remote AS objects * a comment
2025-11-24 03:23:31 -06:00 · 2024-02-14 11:13:38 +00:00 · 2024-02-14 11:13:38 +00:00 · b9013a8ab3
commit b9013a8ab3
parent a3aa6042d7
15 changed files with 351 additions and 167 deletions
--- a/internal/transport/finger.go
+++ b/internal/transport/finger.go
@ -97,9 +97,17 @@ func (t *transport) Finger(ctx context.Context, targetUsername string, targetDom
 			// again here to renew the TTL
 			t.controller.state.Caches.GTS.Webfinger().Set(targetDomain, url)
 		}
+
 		if rsp.StatusCode == http.StatusGone {
 			return nil, fmt.Errorf("account has been deleted/is gone")
 		}
+
+		// Ensure that the incoming request content-type is expected.
+		if ct := rsp.Header.Get("Content-Type"); !apiutil.JSONJRDContentType(ct) {
+			err := gtserror.Newf("non webfinger type response: %s", ct)
+			return nil, gtserror.SetMalformed(err)
+		}
+
 		return io.ReadAll(rsp.Body)
 	}

@ -192,6 +200,12 @@ func (t *transport) webfingerFromHostMeta(ctx context.Context, targetDomain stri
 		return "", fmt.Errorf("GET request for %s failed: %s", req.URL.String(), rsp.Status)
 	}

+	// Ensure that the incoming request content-type is expected.
+	if ct := rsp.Header.Get("Content-Type"); !apiutil.XMLXRDContentType(ct) {
+		err := gtserror.Newf("non host-meta type response: %s", ct)
+		return "", gtserror.SetMalformed(err)
+	}
+
 	e := xml.NewDecoder(rsp.Body)
 	var hm apimodel.HostMeta
 	if err := e.Decode(&hm); err != nil {