From 797d05bdd99b63104522051d0f61f1e0f003e780 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Thu, 12 Nov 2020 10:42:25 +0100
Subject: Force signed headers in http signatures

Thanks Roger
---
 server/middlewares/activitypub.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'server/middlewares')

diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts
index 580606a68..d00594059 100644
--- a/server/middlewares/activitypub.ts
+++ b/server/middlewares/activitypub.ts
@@ -63,7 +63,16 @@ async function checkHttpSignature (req: Request, res: Response) {
   const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
   if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')
 
-  const parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
+  let parsed: any
+
+  try {
+    parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
+  } catch (err) {
+    logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err })
+
+    res.status(403).json({ error: err.message })
+    return false
+  }
 
   const keyId = parsed.keyId
   if (!keyId) {
-- 
cgit v1.2.3
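Review bot: The new `let parsed: any` throws away the parser's static type, so the `parsed.keyId` read a few lines below and any later field access are no longer checked; `let parsed: ReturnType<typeof parseHTTPSignature>` keeps the same two-step assignment without widening to `any`. In the new catch block, `err.message` is read from an unnarrowed catch variable, which only compiles while catch variables are `any`; a guard such as `const message = err instanceof Error ? err.message : 'Invalid signature'` would survive `useUnknownInCatchVariables`. The 403 response also echoes the parser's exception text verbatim to the remote caller while the same detail is already written to the log; a fixed client-facing message (`res.status(403).json({ error: 'Invalid signature' })`) would keep the library's internal wording out of the response, assuming nothing downstream depends on that text. The body of checkHttpSignature continues past the end of this hunk.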