Prevent webfinger spoofing

2023-08-23 13:10:19 -05:00 · 2023-08-23 13:10:19 -05:00 · 364f6e1620
commit 364f6e1620
parent 29b968ce20
4 changed files with 71 additions and 15 deletions
--- a/lib/pleroma/web/web_finger.ex
+++ b/lib/pleroma/web/web_finger.ex
@ -216,10 +216,26 @@ defmodule Pleroma.Web.WebFinger do
        _ ->
          {:error, {:content_type, nil}}
      end
+      |> case do
+        {:ok, data} -> validate_webfinger(address, data)
+        error -> error
+      end
    else
      error ->
        Logger.debug("Couldn't finger #{account}: #{inspect(error)}")
        error
    end
  end
+
+  defp validate_webfinger(url, %{"subject" => "acct:" <> acct} = data) do
+    with %URI{host: request_host} <- URI.parse(url),
+         [_name, acct_host] <- String.split(acct, "@"),
+         {_, true} <- {:hosts_match, acct_host == request_host} do
+      {:ok, data}
+    else
+      _ -> {:error, {:webfinger_invalid, url, data}}
+    end
+  end
+
+  defp validate_webfinger(url, data), do: {:error, {:webfinger_invalid, url, data}}
 end