Merge pull request from GHSA-3f39-6537-3cgc
This commit implements HTTP header and body validation to fix [SIF-2023-002](https://advisory.silicon.moe/advisory/sif-2023-002/) Signed-off-by: perillamint <perillamint@silicon.moe> Co-authored-by: perillamint <perillamint@silicon.moe> Co-authored-by: yunochi <yuno@yunochi.com>
		| @@ -9,6 +9,7 @@ import { fileURLToPath } from 'node:url'; | ||||
| import { Inject, Injectable, OnApplicationShutdown } from '@nestjs/common'; | ||||
| import Fastify, { FastifyInstance } from 'fastify'; | ||||
| import fastifyStatic from '@fastify/static'; | ||||
| import fastifyRawBody from 'fastify-raw-body'; | ||||
| import { IsNull } from 'typeorm'; | ||||
| import { GlobalEventService } from '@/core/GlobalEventService.js'; | ||||
| import type { Config } from '@/config.js'; | ||||
| @@ -86,6 +87,13 @@ export class ServerService implements OnApplicationShutdown { | ||||
| 			}); | ||||
| 		} | ||||
|  | ||||
| 		// Register raw-body parser for ActivityPub HTTP signature validation. | ||||
| 		fastify.register(fastifyRawBody, { | ||||
| 			global: false, | ||||
| 			encoding: 'utf-8', | ||||
| 			runFirst: true, | ||||
| 		}); | ||||
|  | ||||
| 		// Register non-serving static server so that the child services can use reply.sendFile. | ||||
| 		// `root` here is just a placeholder and each call must use its own `rootPath`. | ||||
| 		fastify.register(fastifyStatic, { | ||||
|   | ||||
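Review bot: With `global: false` in the `fastifyRawBody` registration, `request.rawBody` is populated only on routes that opt in through `config: { rawBody: true }`, and nothing in this hunk shows that opt-in or what the signature check does when the field is undefined. The comment above the registration should state that contract, for example `// Routes that verify HTTP signatures must set config.rawBody = true; the verifier must reject the request when request.rawBody is undefined.` Separately, `encoding: 'utf-8'` hands the verifier a decoded string rather than the received bytes, so a body containing invalid UTF-8 would presumably be hashed after replacement characters are substituted; `encoding: false` keeps `rawBody` as a Buffer, so any digest is computed over exactly the bytes the sender signed. The registration sits inside a method that starts and ends outside the hunk.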
					syuilo