a Fabric Minecraft mod that connects the game to the AT Protocol.
atproto minecraft minecraft-fabric

ssrf validation #1

merged
opened by nekomimi.pet targeting main from nekomimi.pet/atproto-connect: main

current code completely trusts all redirects DID documents offer, which allow the server to send HTTP requests to arbitrary internal or external hosts

per https://atproto.com/specs/did: The PDS service network location for the account is found under the service array, with id ending #atproto_pds, and type matching AtprotoPersonalDataServer. The first matching entry in the array should be used, and any others ignored. The serviceEndpoint field must contain an HTTPS URL of server. It should contain only the URI scheme (http or https), hostname, and optional port number, not any "userinfo", path prefix, or other components.

by nekomimi.pet 1 comment
ssrf
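
One way to enforce the serviceEndpoint rules quoted from the DID spec before the server makes a request, as an added example (not the code from this pull request or from the mod). The class and method names are hypothetical, the sample endpoints are constructed, and the set of address ranges treated as internal is an assumption.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;

public final class PdsEndpointCheck {          // hypothetical name
    // Shape rules from the DID spec: HTTPS, hostname, optional port, nothing else.
    static URI checkShape(String endpoint) {
        URI u;
        try { u = new URI(endpoint); }
        catch (URISyntaxException e) { throw new IllegalArgumentException("not a URI"); }
        if (!"https".equalsIgnoreCase(u.getScheme())) throw new IllegalArgumentException("scheme is not https");
        if (u.getHost() == null) throw new IllegalArgumentException("no hostname");
        if (u.getRawUserInfo() != null) throw new IllegalArgumentException("userinfo present");
        String path = u.getRawPath();          // tolerating a bare "/" is a choice made here
        if (path != null && !path.isEmpty() && !path.equals("/")) throw new IllegalArgumentException("path present");
        if (u.getRawQuery() != null || u.getRawFragment() != null) throw new IllegalArgumentException("query or fragment present");
        return u;
    }

    // Assumed definition of "internal": wildcard, loopback, link-local, private, multicast.
    static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        return a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
            || a.isSiteLocalAddress() || a.isMulticastAddress()
            || (b.length == 16 && (b[0] & 0xfe) == 0xfc)                          // fc00::/7
            || (b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40);  // 100.64.0.0/10
    }

    // Resolves the host and rejects the endpoint if any returned address is internal.
    static InetAddress[] checkResolved(URI u) {
        InetAddress[] addrs;
        try { addrs = InetAddress.getAllByName(u.getHost()); }
        catch (UnknownHostException e) { throw new IllegalArgumentException("host does not resolve"); }
        for (InetAddress a : addrs)
            if (isInternal(a)) throw new IllegalArgumentException("internal address " + a.getHostAddress());
        return addrs;
    }

    public static void main(String[] args) {
        String[] samples = {                   // constructed sample endpoints
            "https://pds.example.com", "http://pds.example.com", "https://user@pds.example.com",
            "https://pds.example.com/xrpc", "https://127.0.0.1:8080", "https://169.254.169.254", "https://[::1]" };
        for (String s : samples) {
            try { checkResolved(checkShape(s)); System.out.println("accept  " + s); }
            catch (IllegalArgumentException e) { System.out.println("reject  " + s + "  (" + e.getMessage() + ")"); }
        }
    }
}
```

The check only holds if the HTTP client then connects to the addresses that were validated and does not follow redirects automatically; a second DNS lookup or a redirect after the check would skip it.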

Thanks, I just wanted to bang out an initial version so this is much appreciated!

pull request successfully merged
AT URI
at://did:plc:ttdrpj45ibqunmfhdsb4zdwq/sh.tangled.repo.pull/3magz3ojgec22