Validate object data for incoming Update activities

In Create validator we do not validate the object data, but that is because the object itself will go through the pipeline again, which is not the case for Update. Thus, we added validation for objects in Update activities.
2022-07-03 20:19:50 -04:00 · 2022-07-03 20:19:50 -04:00 · 3411bb819f
commit 3411bb819f
parent 090bda6877
2 changed files with 43 additions and 2 deletions
--- a/lib/pleroma/web/activity_pub/object_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validator.ex
@ -135,8 +135,8 @@ def validate(
      )
      when objtype in ~w[Question Answer Audio Video Event Article Note Page] do
    with {_, false} <- {:local, Access.get(meta, :local, false)},
-         {:ok, object_data} <- cast_and_apply(object),
-         meta = Keyword.put(meta, :object_data, object_data |> stringify_keys),
+         {_, {:ok, object_data, _}} <- {:object_validation, validate(object, meta)},
+         meta = Keyword.put(meta, :object_data, object_data),
         {:ok, update_activity} <-
           update_activity
           |> UpdateValidator.cast_and_validate()
@ -152,6 +152,9 @@ def validate(
          object = stringify_keys(object)
          {:ok, object, meta}
        end
+
+      {:object_validation, e} ->
+        e
    end
  end

--- a/test/pleroma/web/activity_pub/object_validators/update_handling_test.exs
+++ b/test/pleroma/web/activity_pub/object_validators/update_handling_test.exs
@ -127,4 +127,42 @@ test "returns object_data in meta for a remote Update" do
      assert meta[:object_data]
    end
  end
+
+  describe "update with history" do
+    setup do
+      user = insert(:user)
+      {:ok, activity} = Pleroma.Web.CommonAPI.post(user, %{status: "mew mew :dinosaur:"})
+      {:ok, edit} = Pleroma.Web.CommonAPI.update(user, activity, %{status: "edited :blank:"})
+      {:ok, external_rep} = Pleroma.Web.ActivityPub.Transmogrifier.prepare_outgoing(edit.data)
+      %{external_rep: external_rep}
+    end
+
+    test "edited note", %{external_rep: external_rep} do
+      {:ok, _validate_res, meta} = ObjectValidator.validate(external_rep, [])
+
+      assert %{"formerRepresentations" => %{"orderedItems" => [%{"emoji" => %{"dinosaur" => _}}]}} =
+               meta[:object_data]
+    end
+
+    test "edited note, badly-formed formerRepresentations", %{external_rep: external_rep} do
+      external_rep = put_in(external_rep, ["object", "formerRepresentations"], %{})
+
+      assert {:error, _} = ObjectValidator.validate(external_rep, [])
+    end
+
+    test "edited note, badly-formed history item", %{external_rep: external_rep} do
+      history_item =
+        Enum.at(external_rep["object"]["formerRepresentations"]["orderedItems"], 0)
+        |> Map.put("type", "Foo")
+
+      external_rep =
+        put_in(
+          external_rep,
+          ["object", "formerRepresentations", "orderedItems"],
+          [history_item]
+        )
+
+      assert {:error, _} = ObjectValidator.validate(external_rep, [])
+    end
+  end
 end