[bugfix] add stricter checks during all stages of dereferencing remote AS objects (#2639)

* add stricter checks during all stages of dereferencing remote AS objects

* a comment

1 files changed, 14 insertions, 0 deletions

diff --git a/internal/transport/finger.go b/internal/transport/finger.go
index 385af5e1c..9bcb0fa7e 100644
--- a/internal/transport/finger.go
+++ b/internal/transport/finger.go
@@ -98,9 +98,17 @@ func (t *transport) Finger(ctx context.Context, targetUsername string, targetDom
 			// again here to renew the TTL
 			t.controller.state.Caches.GTS.Webfinger.Set(targetDomain, url)
 		}
+
 		if rsp.StatusCode == http.StatusGone {
 			return nil, fmt.Errorf("account has been deleted/is gone")
 		}
+
+		// Ensure that the incoming request content-type is expected.
+		if ct := rsp.Header.Get("Content-Type"); !apiutil.JSONJRDContentType(ct) {
+			err := gtserror.Newf("non webfinger type response: %s", ct)
+			return nil, gtserror.SetMalformed(err)
+		}
+
 		return io.ReadAll(rsp.Body)
 	}
 
@@ -193,6 +201,12 @@ func (t *transport) webfingerFromHostMeta(ctx context.Context, targetDomain stri
 		return "", fmt.Errorf("GET request for %s failed: %s", req.URL.String(), rsp.Status)
 	}
 
+	// Ensure that the incoming request content-type is expected.
+	if ct := rsp.Header.Get("Content-Type"); !apiutil.XMLXRDContentType(ct) {
+		err := gtserror.Newf("non host-meta type response: %s", ct)
+		return "", gtserror.SetMalformed(err)
+	}
+
 	e := xml.NewDecoder(rsp.Body)
 	var hm apimodel.HostMeta
 	if err := e.Decode(&hm); err != nil {