From f627d2eb938d220eb767b0211b66b4281c921f75 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Sat, 1 May 2021 23:18:59 +0200
Subject: [PATCH] Fix trying to fetch key from empty URI when verifying HTTP
 signature (#16100)

---
 app/helpers/jsonld_helper.rb                         | 2 +-
 app/services/activitypub/fetch_remote_key_service.rb | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/helpers/jsonld_helper.rb b/app/helpers/jsonld_helper.rb
index 1c473efa3f..62eb50f786 100644
--- a/app/helpers/jsonld_helper.rb
+++ b/app/helpers/jsonld_helper.rb
@@ -67,7 +67,7 @@ module JsonLdHelper
     unless id
       json = fetch_resource_without_id_validation(uri, on_behalf_of)
 
-      return unless json
+      return if !json.is_a?(Hash) || unsupported_uri_scheme?(json['id'])
 
       uri = json['id']
     end
diff --git a/app/services/activitypub/fetch_remote_key_service.rb b/app/services/activitypub/fetch_remote_key_service.rb
index df17d90793..c48288b3ba 100644
--- a/app/services/activitypub/fetch_remote_key_service.rb
+++ b/app/services/activitypub/fetch_remote_key_service.rb
@@ -5,6 +5,8 @@ class ActivityPub::FetchRemoteKeyService < BaseService
 
   # Returns account that owns the key
   def call(uri, id: true, prefetched_body: nil)
+    return if uri.blank?
+
     if prefetched_body.nil?
       if id
         @json = fetch_resource_without_id_validation(uri)
-- 
GitLab