Add (optional) support for correctly building (request-target)

ClearlyClaire · Dec 22, 2023 · fdd2485 · fdd2485
1 parent ff3eb40
commit fdd2485
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/app/controllers/concerns/signature_verification.rb b/app/controllers/concerns/signature_verification.rb
@@ -91,21 +91,21 @@ def signed_request_actor
     raise SignatureVerificationError, "Public key not found for key #{signature_params['keyId']}" if actor.nil?
 
     signature             = Base64.decode64(signature_params['signature'])
-    compare_signed_string = build_signed_string(request_target_quirk: true)
+    compare_signed_string = build_signed_string(request_target_quirk: false)
 
     return actor unless verify_signature(actor, signature, compare_signed_string).nil?
 
-    compare_signed_string = build_signed_string(request_target_quirk: false)
+    compare_signed_string = build_signed_string(request_target_quirk: true)
     return actor unless verify_signature(actor, signature, compare_signed_string).nil?
 
     actor = stoplight_wrap_request { actor_refresh_key!(actor) }
 
     raise SignatureVerificationError, "Could not refresh public key #{signature_params['keyId']}" if actor.nil?
 
-    compare_signed_string = build_signed_string(request_target_quirk: true)
+    compare_signed_string = build_signed_string(request_target_quirk: false)
     return actor unless verify_signature(actor, signature, compare_signed_string).nil?
 
-    compare_signed_string = build_signed_string(request_target_quirk: false)
+    compare_signed_string = build_signed_string(request_target_quirk: true)
     return actor unless verify_signature(actor, signature, compare_signed_string).nil?
 
     fail_with! "Verification failed for #{actor.to_log_human_identifier} #{actor.uri} using rsa-sha256 (RSASSA-PKCS1-v1_5 with SHA-256)", signed_string: compare_signed_string, signature: signature_params['signature']

diff --git a/app/lib/request.rb b/app/lib/request.rb
@@ -77,6 +77,7 @@ def initialize(verb, url, **options)
     @url         = Addressable::URI.parse(url).normalize
     @http_client = options.delete(:http_client)
     @allow_local = options.delete(:allow_local)
+    @full_path   = options.delete(:with_query_string)
     @options     = options.merge(socket_class: use_proxy? || @allow_local ? ProxySocket : Socket)
     @options     = @options.merge(timeout_class: PerOperationWithDeadline, timeout_options: TIMEOUT)
     @options     = @options.merge(proxy_url) if use_proxy?
@@ -146,7 +147,7 @@ def http_client
   private
 
   def set_common_headers!
-    @headers[REQUEST_TARGET]    = "#{@verb} #{@url.path}"
+    @headers[REQUEST_TARGET]    = request_target
     @headers['User-Agent']      = Mastodon::Version.user_agent
     @headers['Host']            = @url.host
     @headers['Date']            = Time.now.utc.httpdate
@@ -157,6 +158,14 @@ def set_digest!
     @headers['Digest'] = "SHA-256=#{Digest::SHA256.base64digest(@options[:body])}"
   end
 
+  def request_target
+    if @url.query.nil? || !@full_path
+      "#{@verb} #{@url.path}"
+    else
+      "#{@verb} #{@url.path}?#{@url.query}"
+    end
+  end
+
   def signature
     algorithm = 'rsa-sha256'
     signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest.new('SHA256'), signed_string))