author | Alex Gleason <alex@alexgleason.me> | 2023-08-23 13:10:19 -0500 |
---|---|---|
committer | Lain Soykaf <lain@lain.com> | 2024-05-22 12:57:45 +0400 |
commit | b15f8b06425edbfc3a7cef2a55c609b12ee14377 (patch) | |
tree | 4bea5907cf9fbd0c2023f966d9d5729e580c445e /lib | |
parent | d1b053f3ba4170021c511b0d06a41405d3ab07d3 (diff) | |
Prevent webfinger spoofing
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pleroma/web/web_finger.ex | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/lib/pleroma/web/web_finger.ex b/lib/pleroma/web/web_finger.ex
index 26fb8af84..a84a4351b 100644
--- a/lib/pleroma/web/web_finger.ex
+++ b/lib/pleroma/web/web_finger.ex
@@ -216,10 +216,26 @@ defmodule Pleroma.Web.WebFinger do
             _ -> {:error, {:content_type, nil}}
           end
+          |> case do
+            {:ok, data} -> validate_webfinger(address, data)
+            error -> error
+          end
     else
       error ->
         Logger.debug("Couldn't finger #{account}: #{inspect(error)}")
         error
     end
   end
+
+  defp validate_webfinger(url, %{"subject" => "acct:" <> acct} = data) do
+    with %URI{host: request_host} <- URI.parse(url),
+         [_name, acct_host] <- String.split(acct, "@"),
+         {_, true} <- {:hosts_match, acct_host == request_host} do
+      {:ok, data}
+    else
+      _ -> {:error, {:webfinger_invalid, url, data}}
+    end
+  end
+
+  defp validate_webfinger(url, data), do: {:error, {:webfinger_invalid, url, data}}
 end
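Review bot: The host comparison in `validate_webfinger/2` is case-sensitive, so a response whose subject reads `acct:user@Example.org` for a request sent to `example.org` is rejected even though DNS names compare case-insensitively; normalising both sides keeps the spoofing check while accepting legitimate replies, e.g. `{_, true} <- {:hosts_match, String.downcase(acct_host) == String.downcase(request_host)}`. A second point concerns what the check is anchored to: it binds the subject to the host of `url`, i.e. whatever `address` the pipeline actually fetched, and if that address can come from a host-meta LRDD template or a followed redirect (the enclosing `finger/1` starts outside the hunk, so this is inferred rather than visible) the subject is validated against the delegated host rather than the domain of the account the caller asked for; passing the requested account's domain into `validate_webfinger/2` would tie the check to the caller's intent. Minor style: the `:hosts_match` tag is never inspected because the `else` clause is `_ ->`, so `true <- acct_host == request_host` expresses the same thing with less noise.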