ActivityPub.signed_request: handle redirects to relative URLs

fixes https://console.cloud.google.com/errors/detail/COLi8YPesYOztwE;time=P30D?project=bridgy-federated

activitypub.py

@@ -3,7 +3,7 @@ from base64 import b64encode
 from hashlib import sha256
 import itertools
 import logging
-from urllib.parse import quote_plus
+from urllib.parse import quote_plus, urljoin
 
 from flask import abort, g, request
 from google.cloud import ndb
@@ -435,8 +435,9 @@ def signed_request(fn, url, data=None, log_data=True, headers=None, **kwargs):
 
     # handle GET redirects manually so that we generate a new HTTP signature
     if resp.is_redirect and fn == util.requests_get:
-        return signed_request(fn, resp.headers['Location'], data=data,
-                              headers=headers, log_data=log_data, **kwargs)
+        new_url = urljoin(url, resp.headers['Location'])
+        return signed_request(fn, new_url, data=data, headers=headers,
+                              log_data=log_data, **kwargs)
 
     type = common.content_type(resp)
     if (type and type != 'text/html' and

tests/test_activitypub.py

@@ -1682,7 +1682,25 @@ class ActivityPubUtilsTest(TestCase):
         first = mock_get.call_args_list[0][1]
         second = mock_get.call_args_list[1][1]
         self.assertNotEqual(first['headers'], second['headers'])
-        self.assertNotEqual(
+
+    @patch('requests.get')
+    def test_signed_get_redirects_to_relative_url(self, mock_get):
+        mock_get.side_effect = [
+            # redirected URL is relative, we have to resolve it
+            requests_response(status=302, redirected_url='/second',
+                              allow_redirects=False),
+            requests_response(status=200, allow_redirects=False),
+        ]
+        activitypub.signed_get('https://first')
+
+        self.assertEqual(('https://first/second',), mock_get.call_args_list[1][0])
+
+        first = mock_get.call_args_list[0][1]
+        second = mock_get.call_args_list[1][1]
+
+        # headers are equal because host is the same
+        self.assertEqual(first['headers'], second['headers'])
+        self.assertEqual(
             first['auth'].header_signer.sign(first['headers'], method='GET', path='/'),
             second['auth'].header_signer.sign(second['headers'], method='GET', path='/'))