Handle scenario when webfinger response subject is missing host value (#28088)

2023-11-28 13:37:54 -05:00
parent b9492d84a0
commit 6b46bf9953
2 changed files with 16 additions and 1 deletions
--- a/app/services/resolve_account_service.rb
+++ b/app/services/resolve_account_service.rb
@@ -100,7 +100,9 @@ class ResolveAccountService < BaseService
  end

  def split_acct(acct)
-    acct.delete_prefix('acct:').split('@')
+    acct.delete_prefix('acct:').split('@').tap do |parts|
+      raise Webfinger::Error, 'Webfinger response is missing user or host value' unless parts.size == 2
+    end
  end

  def fetch_account!
--- a/spec/services/resolve_account_service_spec.rb
+++ b/spec/services/resolve_account_service_spec.rb
@@ -144,6 +144,19 @@ RSpec.describe ResolveAccountService, type: :service do
    end
  end

+  context 'with webfinger response subject missing a host value' do
+    let(:body) { Oj.dump({ subject: 'user@' }) }
+    let(:url) { 'https://host.example/.well-known/webfinger?resource=acct:user@host.example' }
+
+    before do
+      stub_request(:get, url).to_return(status: 200, body: body)
+    end
+
+    it 'returns nil with incomplete subject in response' do
+      expect(subject.call('user@host.example')).to be_nil
+    end
+  end
+
  context 'with an ActivityPub account' do
    it 'returns new remote account' do
      account = subject.call('foo@ap.example.com')