security: validate image url (#9882)

It looks like url validations are added in f7564d87b0, but I found another validation commit not applied in Calckey, so I cherry-picked 0da0cc80b9 from [Misskey](https://github.com/misskey-dev/misskey).

Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>
Co-authored-by: naskya <m@naskya.net>
Reviewed-on: https://codeberg.org/calckey/calckey/pulls/9882
Co-authored-by: naskya <naskya@noreply.codeberg.org>
Co-committed-by: naskya <naskya@noreply.codeberg.org>
This commit is contained in:
naskya 2023-04-21 01:50:47 +00:00 committed by Kainoa Kanter
parent def5075bb5
commit 36b88c7286

View File

@ -29,6 +29,10 @@ export async function createImage(
throw new Error("invalid image: url not privided"); throw new Error("invalid image: url not privided");
} }
if (!image.url.startsWith("https://") && !image.url.startsWith("http://")) {
throw new Error("invalid image: unexpected shcema of url: " + image.url);
}
logger.info(`Creating the Image: ${image.url}`); logger.info(`Creating the Image: ${image.url}`);
const instance = await fetchMeta(); const instance = await fetchMeta();