author | 2024-02-14 11:13:38 +0000 | |
---|---|---|
committer | 2024-02-14 12:13:38 +0100 | |
commit | 2bafd7daf542d985ee76d9079a30a602cb7be827 (patch) | |
tree | 8817fe6f202155d660d75c17cd78ff5dae3d4530 /internal/transport/dereference.go | |
parent | [feature] Add metrics for instance user count, statuses count and federating ... (diff) | |
download | gotosocial-2bafd7daf542d985ee76d9079a30a602cb7be827.tar.xz |
[bugfix] add stricter checks during all stages of dereferencing remote AS objects (#2639)
* add stricter checks during all stages of dereferencing remote AS objects
* a comment
Diffstat (limited to 'internal/transport/dereference.go')
-rw-r--r-- | internal/transport/dereference.go | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/internal/transport/dereference.go b/internal/transport/dereference.go
index e1702f9f4..3a33a81ad 100644
--- a/internal/transport/dereference.go
+++ b/internal/transport/dereference.go
@@ -64,9 +64,16 @@ func (t *transport) Dereference(ctx context.Context, iri *url.URL) ([]byte, erro
 }
 defer rsp.Body.Close()
+ // Ensure a non-error status response.
 if rsp.StatusCode != http.StatusOK {
 return nil, gtserror.NewFromResponse(rsp)
 }
+ // Ensure that the incoming request content-type is expected.
+ if ct := rsp.Header.Get("Content-Type"); !apiutil.ASContentType(ct) {
+ err := gtserror.Newf("non activity streams response: %s", ct)
+ return nil, gtserror.SetMalformed(err)
+ }
+
 return io.ReadAll(rsp.Body)
 } |
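Review bot: The new content-type check formats the remote server's `Content-Type` value into the error with `%s`, so an empty or oddly encoded header reaches logs unquoted; `err := gtserror.Newf("non activity streams response: %q", ct)` makes an absent header visible and escapes non-printable bytes. The comment above it says "incoming request content-type" although the value is read from `rsp`, so `// Ensure that the response content-type is expected.` would be accurate. The body is still read with `io.ReadAll(rsp.Body)` right after the check; if the HTTP client behind this transport does not already cap response size, wrapping the body in an `io.LimitReader` here would bound what a remote host can make the server buffer. Dereference starts outside the hunk, so the request construction and any redirect handling cannot be checked from here.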