object検証でisRelatedUrisを使用

packages/backend/src/core/HttpRequestService.ts

@@ -13,10 +13,10 @@ import { HttpProxyAgent, HttpsProxyAgent } from 'hpagent';
 import { Inject, Injectable } from '@nestjs/common';
 import { DI } from '@/di-symbols.js';
 import type { Config } from '@/config.js';
+import { UtilityService } from '@/core/UtilityService.js';
 import { StatusError } from '@/misc/status-error.js';
 import { bindThis } from '@/decorators.js';
 import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js';
-import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
 import type { IObject } from '@/core/activitypub/type.js';
 import type { Response } from 'node-fetch';
 import type { URL } from 'node:url';
@@ -145,6 +145,8 @@ export class HttpRequestService {
 	constructor(
 		@Inject(DI.config)
 		private config: Config,
+
+		private utilityService: UtilityService,
 	) {
 		const cache = new CacheableLookup({
 			maxTtl: 3600,	// 1hours
@@ -232,7 +234,7 @@ export class HttpRequestService {
 		const finalUrl = res.url; // redirects may have been involved
 		const activity = await res.json() as IObject;
 
-		assertActivityMatchesUrls(activity, [finalUrl]);
+		this.utilityService.assertActivityMatchesUrl(activity, finalUrl);
 
 		return activity;
 	}

packages/backend/src/core/UtilityService.ts

@@ -12,6 +12,8 @@ import { Inject, Injectable } from '@nestjs/common';
 import { DI } from '@/di-symbols.js';
 import type { Config } from '@/config.js';
 import { bindThis } from '@/decorators.js';
+import { getApId } from '@/core/activitypub/type.js';
+import type { IObject } from '@/core/activitypub/type.js';
 
 @Injectable()
 export class UtilityService {
@@ -175,4 +177,21 @@ export class UtilityService {
 
 		return this.isRelatedHosts(hostA, hostB);
 	}
+
+	@bindThis
+	public assertActivityMatchesUrl(activity: IObject, url: string): void {
+		if (activity.id && this.isRelatedUris(activity.id, url)) return;
+
+		if (activity.url) {
+			if (!Array.isArray(activity.url)) {
+				if (typeof(activity.url) === 'string' && this.isRelatedUris(activity.url, url)) return;
+				if (typeof(activity.url) === 'object' && activity.url.href && this.isRelatedUris(activity.url.href, url)) return;
+			} else {
+				if (activity.url.some(x => typeof(x) === 'string' && this.isRelatedUris(x, url))) return;
+				if (activity.url.some(x => typeof(x) === 'object' && x.href && this.isRelatedUris(x.href, url))) return;
+			}
+		}
+
+		throw new Error(`Invalid object: neither id(${activity.id}) nor url(${activity.url}) related to ${url}`);
+	}
 }

packages/backend/src/core/activitypub/ApRequestService.ts

@@ -17,7 +17,6 @@ import { LoggerService } from '@/core/LoggerService.js';
 import { bindThis } from '@/decorators.js';
 import type Logger from '@/logger.js';
 import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js';
-import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
 import type { IObject } from './type.js';
 
 type Request = {
@@ -182,6 +181,7 @@ export class ApRequestService {
 	 * Get AP object with http-signature
 	 * @param user http-signature user
 	 * @param url URL to fetch
+	 * @param followAlternate If true, follow alternate link tag in HTML
 	 */
 	@bindThis
 	public async signedGet(url: string, user: { id: MiUser['id'] }, followAlternate?: boolean): Promise<unknown> {
@@ -234,7 +234,7 @@ export class ApRequestService {
 		const finalUrl = res.url; // redirects may have been involved
 		const activity = await res.json() as IObject;
 
-		assertActivityMatchesUrls(activity, [finalUrl]);
+		this.utilityService.assertActivityMatchesUrl(activity, finalUrl);
 
 		return activity;
 	}