commit: 17987e39908d8771b844142d62fcbfa795562815
parent 736686b4e2b6e37408b2e46b5acfd4284ddd17c3
Author: Mark Felder <feld@feld.me>
Date: Thu, 3 Jul 2025 12:08:36 -0700
Enforce an exact domain match for WebFinger resolution
The regex was not being terminated with an $
Diffstat:
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/changelog.d/webfinger-resolution.fix b/changelog.d/webfinger-resolution.fix
@@ -0,0 +1 @@
+Enforce an exact domain match for WebFinger resolution
diff --git a/lib/pleroma/web/web_finger.ex b/lib/pleroma/web/web_finger.ex
@@ -35,9 +35,9 @@ defmodule Pleroma.Web.WebFinger do
regex =
if webfinger_domain = Pleroma.Config.get([__MODULE__, :domain]) do
- ~r/(acct:)?(?<username>[a-z0-9A-Z_\.-]+)@(#{host}|#{webfinger_domain})/
+ ~r/(acct:)?(?<username>[a-z0-9A-Z_\.-]+)@(#{host}|#{webfinger_domain})$/
else
- ~r/(acct:)?(?<username>[a-z0-9A-Z_\.-]+)@#{host}/
+ ~r/(acct:)?(?<username>[a-z0-9A-Z_\.-]+)@#{host}$/
end
with %{"username" => username} <- Regex.named_captures(regex, resource),
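Review bot: The new `$` anchor still leaves the interpolated `host` and `webfinger_domain` unescaped, so the `.` in each domain is a regex wildcard and a resource like `user@pleromaXdev` matches as readily as `user@pleroma.dev`; build the pattern with `Regex.escape/1`, e.g. `~r/(acct:)?(?<username>[a-z0-9A-Z_\.-]+)@(#{Regex.escape(host)}|#{Regex.escape(webfinger_domain)})\z/` and the same for the single-host branch. `$` in PCRE also matches before a trailing newline, so `\z` is the stricter end anchor, and since the pattern has no `^`/`\A` it still accepts arbitrary text before `acct:` — anchoring the start as well would make the match truly exact. The added test in web_finger_test.exs only covers appended characters, so a case for the substituted-dot form would pin the escaped pattern. The enclosing function begins before and continues after this hunk.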
diff --git a/test/pleroma/web/web_finger_test.exs b/test/pleroma/web/web_finger_test.exs
@@ -39,6 +39,23 @@ defmodule Pleroma.Web.WebFingerTest do
end
end
+ test "requires exact match for Endpoint host or WebFinger domain" do
+ clear_config([Pleroma.Web.WebFinger, :domain], "pleroma.dev")
+ user = insert(:user)
+
+ assert {:error, "Couldn't find user"} ==
+ WebFinger.webfinger("#{user.nickname}@#{Pleroma.Web.Endpoint.host()}xxxx", "JSON")
+
+ assert {:error, "Couldn't find user"} ==
+ WebFinger.webfinger("#{user.nickname}@pleroma.devxxxx", "JSON")
+
+ assert {:ok, _} =
+ WebFinger.webfinger("#{user.nickname}@#{Pleroma.Web.Endpoint.host()}", "JSON")
+
+ assert {:ok, _} =
+ WebFinger.webfinger("#{user.nickname}@pleroma.dev", "JSON")
+ end
+
describe "fingering" do
test "returns error for nonsensical input" do
assert {:error, _} = WebFinger.finger("bliblablu")