From 1208deafc880e0bd8b905e630897e9757d124c03 Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Mon, 13 Jan 2025 10:08:16 +0100
Subject: [PATCH] Dont allow redirect for webfinger
---
 src/fetch/mod.rs | 2 +-
 src/fetch/webfinger.rs | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/fetch/mod.rs b/src/fetch/mod.rs
index c226fc1..cb23319 100644
--- a/src/fetch/mod.rs
+++ b/src/fetch/mod.rs
@@ -74,7 +74,7 @@ pub async fn fetch_object_http(
 // Ensure id field matches final url after redirect
 if res.object_id.as_ref() != Some(&res.url) {
 if let Some(res_object_id) = res.object_id {
- data.config.verify_url_valid(&res_object_id).await?;
+ data.config.verify_url_valid(&res_object_id).await?;
 // If id is different but still on the same domain, attempt to request object
 // again from url in id field.
 if res_object_id.domain() == res.url.domain() {
diff --git a/src/fetch/webfinger.rs b/src/fetch/webfinger.rs
index 2140392..edc884e 100644
--- a/src/fetch/webfinger.rs
+++ b/src/fetch/webfinger.rs
@@ -26,6 +26,9 @@ pub enum WebFingerError {
 /// The wefinger object did not contain any link to an activitypub item
 #[error("The webfinger object did not contain any link to an activitypub item")]
 NoValidLink,
+ /// Webfinger request was redirected which is not allowed
+ #[error("Webfinger request was redirected which is not allowed")]
+ RedirectNotAllowed,
 }
 impl WebFingerError {
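Review bot: `RedirectNotAllowed` has no payload, so an error built from it cannot show where the lookup was redirected to, which is the detail an operator needs when deciding whether a remote instance is misconfigured or is deliberately pointing lookups elsewhere. Either log both URLs where the variant is returned, e.g. `debug!("Webfinger {} was redirected to {}", fetch_url, res.url);`, or give the variant the final URL. The enum's derives and the body of `impl WebFingerError` lie outside the hunk, so whether a payload fits there needs checking.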
@@ -68,16 +71,21 @@ where
 format!("{protocol}://{domain}/.well-known/webfinger?resource=acct:{identifier}");
 debug!("Fetching webfinger url: {}", &fetch_url);
- let res: Webfinger = fetch_object_http_with_accept(
+ let res = fetch_object_http_with_accept(
 &Url::parse(&fetch_url).map_err(Error::UrlParse)?,
 data,
 &WEBFINGER_CONTENT_TYPE,
 )
- .await?
- .object;
+ .await?;
+ if res.url != fetch_url {
+ return Err(Error::WebfingerResolveFailed(
+ WebFingerError::RedirectNotAllowed,
+ ));
+ }
- debug_assert_eq!(res.subject, format!("acct:{identifier}"));
+ debug_assert_eq!(res.object.subject, format!("acct:{identifier}"));
 let links: Vec = res
+ .object
 .links
 .iter()
 .filter(|link| {
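Review bot: The new guard `if res.url != fetch_url` compares the response's final URL with the raw `fetch_url` string, while the request was sent to `Url::parse(&fetch_url)`, whose serialization can differ from the input (host case, percent-encoding of `identifier`), so a lookup that was never redirected could still be rejected. Parsing once and comparing parsed values avoids that: `let fetch_url = Url::parse(&fetch_url).map_err(Error::UrlParse)?;` before the call, `&fetch_url` as the first argument, and the existing comparison then works on two `Url`s (this assumes `res.url` is a `Url`, as its use in `fetch_object_http` suggests). The check also runs only after `fetch_object_http_with_accept` has returned; that function is outside the hunk, and if it follows redirects itself the redirect target has already been contacted, so refusing redirects in the HTTP client for this request would be the stricter control. In release builds `debug_assert_eq!` on `res.object.subject` is compiled out, so the returned subject is not compared with the requested account there. The enclosing function starts and ends outside the hunk.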