RubyGems - activitypub - Versions diffs - 0.5.0 → 0.5.2 - Mend

activitypub 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/activitypub/resolvers.rb +10 -2
data/lib/activitypub/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d306bc2763af88f633f0645a032d1e0ed47e5a790b140ad566e6a53fdf9aeea
-  data.tar.gz: 2f12fc9aa91aa64fedd909b68b6182ae2ed352e2bb06e80e60a65ee0f6ad4e6e
+  metadata.gz: e338ac7d0c5af88a4737eb2b6eaecbd528769917a08676d734f0878b5ed6b1ef
+  data.tar.gz: 691352bc4144612c077ad07cc846ab4914c93405588c615542d18ccf4acd9c02
 SHA512:
-  metadata.gz: b154f2bcf3cb03386947ea1f137f55b53461c0dcaa0a6fde15c5098b276c809620fe3f94f90d110b416dd29b31a9ff75a5f5376d1cdaefaa98e5e9f713fd4c4c
-  data.tar.gz: 44ca4b68aa880bed6a62a92e757c4e48ead8afb5f4b71fb300c8156729062d79f9ac15333ba38e2e776c52c89dc03701070ef84040e8b5033ead9d7cac03eb25
+  metadata.gz: 1e0b8f96fda04e91edbd1b3c16a5510547b57f1790072fe97d1aae88a03cbc66061196f64b3c16927e969e07d00e001a4a76d5f39be81b57ae09ed5053a34c3b
+  data.tar.gz: bceecaf4662e651e702c027b369b28de0178da5ee07a899c2fd746a940b69b8986a37b6dea8c70b5428c5038f98916336a9b2a11f0b58426db4c3e3210113fae

data/lib/activitypub/resolvers.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 require 'uri'
 require 'faraday'
+require 'socket'
 # Classes to resolve URI's into objects.
@@ -9,6 +10,12 @@ module ActivityPub
   class WebResolver
     def self.call(path)
+      uri = URI(path)
+      if uri.host == "localhost" || ((IPSocket.getaddress(uri.host) =~ /127.*/) == 0)
+        raise "Local access denied"
+      end
       response = Faraday.get(path, {}, {"Accept": "application/activity+json"})
       if response.status == 200
         ActivityPub.from_json(response.body)
@@ -31,11 +38,12 @@ module ActivityPub
   #
   class UnsafeResolver
     def initialize(base)
-      @base = base
+      @base = File.expand_path(base)
     end
     def call(path)
-      path = File.expand_path(File.join(@base, path))
+      path = File.expand_path(path,@base)
+      raise "Illegal path" if path[0...@base.length] != @base
       if File.exist?(path)
         data = File.read(path)
         return ActivityPub.from_json(data)

data/lib/activitypub/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module ActivityPub
-  VERSION = "0.5.0"
+  VERSION = "0.5.2"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activitypub
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.2
 platform: ruby
 authors:
 - Vidar Hokstad
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-07-19 00:00:00.000000000 Z
+date: 2024-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: webfinger