hotfix(backend): GHSA-qqrm-9grj-6v32 (MisskeyIO#460)

* hotfix(backend): GHSA-qqrm-9grj-6v32

Cherry-picked from 9a70ce8f5e

Co-authored-by: tamaina <tamaina@hotmail.co.jp>

* security fix: regexp

Co-authored-by: Ry0taK <49341894+Ry0taK@users.noreply.github.com>

---------

Co-authored-by: tamaina <tamaina@hotmail.co.jp>
Co-authored-by: Ry0taK <49341894+Ry0taK@users.noreply.github.com>

packages/backend/test/utils.ts

@@ -15,6 +15,7 @@ import { JSDOM } from 'jsdom';
 import * as Redis from 'ioredis';
 import { DEFAULT_POLICIES } from '@/core/RoleService.js';
 import { Packed } from '@/misc/json-schema.js';
+import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js';
 import { entities } from '@/postgres.js';
 import { loadConfig } from '@/config.js';
 import type * as misskey from 'misskey-js';
@@ -328,7 +329,6 @@ export const uploadFile = async (user?: UserToken, { path, name, blob }: UploadO
 	});
 
 	const body = res.status !== 204 ? await res.json() as misskey.Endpoints['drive/files/create']['res'] : null;
-
 	return {
 		status: res.status,
 		headers: res.headers,
@@ -477,6 +477,14 @@ export const simpleGet = async (path: string, accept = '*/*', cookie: any = unde
 		'text/html; charset=utf-8',
 	];
 
+	if (res.ok && (
+		accept.startsWith('application/activity+json') ||
+		(accept.startsWith('application/ld+json') && accept.includes('https://www.w3.org/ns/activitystreams'))
+	)) {
+		// validateContentTypeSetAsActivityPubのテストを兼ねる
+		validateContentTypeSetAsActivityPub(res);
+	}
+
 	const body =
 		jsonTypes.includes(res.headers.get('content-type') ?? '') ? await res.json() :
 		htmlTypes.includes(res.headers.get('content-type') ?? '') ? new JSDOM(await res.text()) :