mirror/ditto
mirror/ditto
1
0
Fork 0
mirror of https://gitlab.com/soapbox-pub/ditto.git synced 2025-12-06 03:19:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove precheck.ts, perform check in DittoConf constructor

Browse source
This commit is contained in:
Alex Gleason 2025-02-26 16:16:40 -06:00
parent 7256b5dcf8
commit f650541b23
No known key found for this signature in database
GPG key ID: 7211D1F99744FBB7
4 changed files with 39 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
packages/conf/DittoConf.test.ts
View file

@ -29,3 +29,26 @@ Deno.test('DittoConfig defaults', async (t) => {
assertEquals(config.port, 4036); assertEquals(config.port, 4036);
}); });
}); });
Deno.test('DittoConfig with insecure media host', () => {
const env = new Map<string, string>([
['LOCAL_DOMAIN', 'https://ditto.test'],
['MEDIA_DOMAIN', 'https://ditto.test'],
]);
assertThrows(
() => new DittoConf(env),
Error,
'For security reasons, MEDIA_DOMAIN cannot be on the same host as LOCAL_DOMAIN',
);
});
Deno.test('DittoConfig with insecure media host and precheck disabled', () => {
const env = new Map<string, string>([
['LOCAL_DOMAIN', 'https://ditto.test'],
['MEDIA_DOMAIN', 'https://ditto.test'],
['DITTO_PRECHECK', 'false'],
]);
new DittoConf(env);
});

17
packages/conf/DittoConf.ts
View file

@ -13,7 +13,17 @@ import { mergeURLPath } from './utils/url.ts';
/** Ditto application-wide configuration. */ /** Ditto application-wide configuration. */
export class DittoConf { export class DittoConf {
constructor(private env: { get(key: string): string | undefined }) {} constructor(private env: { get(key: string): string | undefined }) {
if (this.precheck) {
const mediaUrl = new URL(this.mediaDomain);
if (this.url.host === mediaUrl.host) {
throw new Error(
'For security reasons, MEDIA_DOMAIN cannot be on the same host as LOCAL_DOMAIN.\n\nTo disable this check, set DITTO_PRECHECK="false"',
);
}
}
}
/** Cached parsed admin signer. */ /** Cached parsed admin signer. */
private _signer: NSecSigner | undefined; private _signer: NSecSigner | undefined;
@ -465,4 +475,9 @@ export class DittoConf {
get streakWindow(): number { get streakWindow(): number {
return Number(this.env.get('STREAK_WINDOW') || 129600); return Number(this.env.get('STREAK_WINDOW') || 129600);
} }
/** Whether to perform security/configuration checks on startup. */
get precheck(): boolean {
return optionalBooleanSchema.parse(this.env.get('DITTO_PRECHECK')) ?? true;
}
} }

22
packages/ditto/precheck.ts
View file

@ -1,22 +0,0 @@
import { Conf } from '@/config.ts';
/** Ensure the media URL is not on the same host as the local domain. */
function checkMediaHost() {
const { url, mediaDomain } = Conf;
const mediaUrl = new URL(mediaDomain);
if (url.host === mediaUrl.host) {
throw new PrecheckError('For security reasons, MEDIA_DOMAIN cannot be on the same host as LOCAL_DOMAIN.');
}
}
/** Error class for precheck errors. */
class PrecheckError extends Error {
constructor(message: string) {
super(`${message}\nTo disable this check, set DITTO_PRECHECK="false"`);
}
}
if (Deno.env.get('DITTO_PRECHECK') !== 'false') {
checkMediaHost();
}

1
packages/ditto/server.ts
View file

@ -1,6 +1,5 @@
import { logi } from '@soapbox/logi'; import { logi } from '@soapbox/logi';
import '@/precheck.ts';
import '@/sentry.ts'; import '@/sentry.ts';
import '@/nostr-wasm.ts'; import '@/nostr-wasm.ts';
import app from '@/app.ts'; import app from '@/app.ts';