Check Content-Type header when fetching entities

Cargo.toml

@@ -1,8 +1,3 @@
-[profile.dev.package.backtrace]
-opt-level = 3
-
-[profile.dev.package.num-bigint-dig]
-opt-level = 3
 
 [profile.release]
 codegen-units = 1

crates/kitsune-core/Cargo.toml

@@ -50,6 +50,7 @@ kitsune-storage = { path = "../kitsune-storage" }
 kitsune-type = { path = "../kitsune-type" }
 mime = "0.3.17"
 mime_guess = { version = "2.0.4", default-features = false }
+once_cell = "1.18.0"
 password-hash = { version = "0.5.0", features = ["std"] }
 pkcs8 = { version = "0.10.2", features = ["std"] }
 post-process = { path = "../../lib/post-process" }

crates/kitsune-core/src/activitypub/fetcher.rs

@@ -12,7 +12,7 @@ use async_recursion::async_recursion;
 use autometrics::autometrics;
 use diesel::{ExpressionMethods, OptionalExtension, QueryDsl, SelectableHelper};
 use diesel_async::RunQueryDsl;
-use http::HeaderValue;
+use http::{header::CONTENT_TYPE, HeaderValue};
 use kitsune_cache::{ArcCache, CacheBackend};
 use kitsune_db::{
     model::{
@@ -25,8 +25,12 @@ use kitsune_db::{
 use kitsune_embed::Client as EmbedClient;
 use kitsune_http_client::Client;
 use kitsune_search::{SearchBackend, SearchService};
-use kitsune_type::ap::{actor::Actor, Object};
+use kitsune_type::{
+    ap::{actor::Actor, Object},
+    jsonld::RdfNode,
+};
 use scoped_futures::ScopedFutureExt;
+use serde::de::DeserializeOwned;
 use typed_builder::TypedBuilder;
 use url::Url;
 
@@ -88,6 +92,27 @@ pub struct Fetcher {
 }
 
 impl Fetcher {
+    async fn fetch_ap_resource<T>(&self, url: &str) -> Result<T>
+    where
+        T: DeserializeOwned + RdfNode,
+    {
+        let response = self.client.get(url).await?;
+        let content_type = response
+            .headers()
+            .get(CONTENT_TYPE)
+            .map(HeaderValue::to_str)
+            .transpose()?;
+
+        if content_type
+            != Some("application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"")
+            || content_type != Some("application/activity+json")
+        {
+            return Err(ApiError::BadRequest.into());
+        }
+
+        Ok(response.jsonld().await?)
+    }
+
     /// Fetch an ActivityPub actor
     ///
     /// # Panics
@@ -127,7 +152,7 @@ impl Fetcher {
             return Err(ApiError::Unauthorised.into());
         }
 
-        let mut actor: Actor = self.client.get(url.as_str()).await?.jsonld().await?;
+        let mut actor: Actor = self.fetch_ap_resource(url.as_str()).await?;
 
         let mut domain = url.host_str().unwrap();
         let domain_buf;
@@ -292,7 +317,7 @@ impl Fetcher {
         }
 
         let url = Url::parse(url)?;
-        let object: Object = self.client.get(url.as_str()).await?.jsonld().await?;
+        let object: Object = self.fetch_ap_resource(url.as_str()).await?;
 
         let process_data = ProcessNewObject::builder()
             .call_depth(call_depth)

crates/kitsune-core/src/error.rs

@@ -98,6 +98,9 @@ pub enum Error {
     #[error(transparent)]
     HttpClient(#[from] kitsune_http_client::Error),
 
+    #[error(transparent)]
+    HttpHeaderToStr(#[from] http::header::ToStrError),
+
     #[error(transparent)]
     JobQueue(#[from] athena::Error),