From a42947231104a9ec3436fc52cedb31740c9a7069 Mon Sep 17 00:00:00 2001
From: Yufan You
Date: Tue, 5 Mar 2024 17:27:51 +0800
Subject: [PATCH] Merge pull request from GHSA-3p3p-cgj7-vgw3

* fix: SSRF in /m4/:id?/:category*

* fix: allow /mastodon/acct/ to any domain when MASTODON_API_HOST is set

* fix: add missing import for isValidHost

---
 lib/routes/m4/index.ts | 4 ++++
 lib/routes/mastodon/acct.ts | 6 ------
 lib/routes/mastodon/utils.ts | 5 ++++-
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/lib/routes/m4/index.ts b/lib/routes/m4/index.ts
index 8e48ebcc40945c..1230dc7119282a 100644
--- a/lib/routes/m4/index.ts
+++ b/lib/routes/m4/index.ts
@@ -4,6 +4,7 @@ const __dirname = getCurrentPath(import.meta.url);
 import cache from '@/utils/cache';
 import got from '@/utils/got';
+import { isValidHost } from '@/utils/valid-host';
 import { load } from 'cheerio';
 import timezone from '@/utils/timezone';
 import { parseDate } from '@/utils/parse-date';
@@ -12,6 +13,9 @@ import * as path from 'node:path';
 export default async (ctx) => {
     const { id = 'news', category = 'china' } = ctx.req.param();
+    if (!isValidHost(id)) {
+        throw new Error('Invalid id');
+    }
     const limit = ctx.req.query('limit') ? Number.parseInt(ctx.req.query('limit'), 10) : 30;
     const rootUrl = `http://${id}.m4.cn`;
diff --git a/lib/routes/mastodon/acct.ts b/lib/routes/mastodon/acct.ts
index 1e0f36725d3a69..57ac3a6a711411 100644
--- a/lib/routes/mastodon/acct.ts
+++ b/lib/routes/mastodon/acct.ts
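Review bot: The new `isValidHost(id)` guard in the second hunk carries no comment, and nothing nearby tells the reader that `id` becomes the upstream hostname in `http://${id}.m4.cn` two lines later, so the next maintainer has no reason not to relax it. Suggest `// id becomes the upstream host below; reject anything that is not a plain hostname label (GHSA-3p3p-cgj7-vgw3)` directly above the check. The route's other wildcard parameter, `category`, comes from the same `ctx.req.param()` call and is not validated in this hunk; if it is interpolated into the request path further down (not visible here), it should get the same kind of check or at least be URL-encoded. The handler body continues past the end of the hunk.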
@@ -1,14 +1,8 @@
 const utils = require('./utils');
-import { config } from '@/config';
 export default async (ctx) => {
     const acct = ctx.req.param('acct');
     const only_media = ctx.req.param('only_media') ? 'true' : 'false';
-    const acctSite = acct.split('@').filter(Boolean)[1];
-
-    if (!config.feature.allow_user_supply_unsafe_domain && !utils.allowSiteList.includes(acctSite)) {
-        throw new Error(`This RSS is disabled unless 'ALLOW_USER_SUPPLY_UNSAFE_DOMAIN' is set to 'true'.`);
-    }
     const { site, account_id } = await utils.getAccountIdByAcct(acct);
diff --git a/lib/routes/mastodon/utils.ts b/lib/routes/mastodon/utils.ts
index 2d4d9193bd6d52..9910a28b72901c 100644
--- a/lib/routes/mastodon/utils.ts
+++ b/lib/routes/mastodon/utils.ts
@@ -4,7 +4,7 @@ import got from '@/utils/got';
 import { parseDate } from '@/utils/parse-date';
 import { config } from '@/config';
-const allowSiteList = ['mastodon.social', 'pawoo.net', config.mastodon.apiHost];
+const allowSiteList = ['mastodon.social', 'pawoo.net', config.mastodon.apiHost].filter(Boolean);
 const apiHeaders = (site) => {
     const { accessToken, apiHost } = config.mastodon;
@@ -96,6 +96,9 @@ async function getAccountIdByAcct(acct) {
     if (!(site && acctDomain)) {
         throw new Error('Mastodon RSS is disabled due to the lack of relevant config');
     }
+    if (!config.feature.allow_user_supply_unsafe_domain && !allowSiteList.includes(site)) {
+        throw new Error(`RSS for this domain is disabled unless 'ALLOW_USER_SUPPLY_UNSAFE_DOMAIN' is set to 'true' or 'MASTODON_API_HOST' is set.`);
+    }
     const search_url = `https://${site}/api/v2/search`;
     const cacheUid = `mastodon_acct_id/${site}/${acct}`;
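Review bot: The `.filter(Boolean)` added to `allowSiteList` is doing security work that nothing in the file explains: with `MASTODON_API_HOST` unset the old list held `undefined`, and `Array.prototype.includes` matches `undefined`, so an acct with no domain part presumably passed the removed check in acct.ts. A one-line comment keeps a future cleanup from dropping it: `// apiHost is optional; drop the empty entry so an unset value can never satisfy the allow-list check`. Because the comparison in getAccountIdByAcct is an exact string match, `config.mastodon.apiHost` has to be stored in the same shape as the `site` derived from the acct (bare lowercase hostname, no scheme or port); where that normalization happens is not visible here, so worth confirming.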
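Review bot: In the last hunk the new allow-list check is now the only gate between `site` and the URL `https://${site}/api/v2/search`, and it is skipped entirely when `allow_user_supply_unsafe_domain` is on, so in that mode `site` reaches the request with no syntactic validation at all. Even under the opt-in flag, a hostname-shape check on `site` (reject anything containing a scheme, a path, `@`, or whitespace) would bound what the flag opens up; `isValidHost` from `@/utils/valid-host`, which the m4 change imports, may be the right helper only if it accepts dotted names, so verify before reusing it. The exact-match `includes(site)` is fail-closed, which is the right default and deserves saying so: `// exact host match on purpose: anything not already normalized to a bare hostname is rejected`. getAccountIdByAcct starts before this hunk and continues after it, so where `site` is derived is not in view.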