Remove containment tests from transmogrifier and fix thread visibility solver
This commit is contained in:
rinpatch
parent
d1eb578a57
commit
35ac672b8d
|
|
@ -9,9 +9,6 @@ defmodule Pleroma.Object.Containment do
|
||||||
Object containment is an important step in validating remote objects to prevent
|
Object containment is an important step in validating remote objects to prevent
|
||||||
spoofing, therefore removal of object containment functions is NOT recommended.
|
spoofing, therefore removal of object containment functions is NOT recommended.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
require Logger
|
|
||||||
|
|
||||||
def get_actor(%{"actor" => actor}) when is_binary(actor) do
|
def get_actor(%{"actor" => actor}) when is_binary(actor) do
|
||||||
actor
|
actor
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -41,16 +41,19 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
|
||||||
# guard
|
# guard
|
||||||
def entire_thread_visible_for_user?(nil, _user), do: false
|
def entire_thread_visible_for_user?(nil, _user), do: false
|
||||||
|
|
||||||
# child
|
# XXX: Probably even more inefficient than the previous implementation, intended to be a placeholder untill https://git.pleroma.social/pleroma/pleroma/merge_requests/971 is in develop
|
||||||
def entire_thread_visible_for_user?(
|
def entire_thread_visible_for_user?(
|
||||||
%Activity{data: %{"object" => %{"inReplyTo" => parent_id}}} = tail,
|
%Activity{} = tail,
|
||||||
|
# %Activity{data: %{"object" => %{"inReplyTo" => parent_id}}} = tail,
|
||||||
user
|
user
|
||||||
)
|
) do
|
||||||
when is_binary(parent_id) do
|
case Object.normalize(tail) do
|
||||||
parent = Activity.get_in_reply_to_activity(tail)
|
%{data: %{"inReplyTo" => parent_id}} when is_binary(parent_id) ->
|
||||||
visible_for_user?(tail, user) && entire_thread_visible_for_user?(parent, user)
|
parent = Activity.get_in_reply_to_activity(tail)
|
||||||
end
|
visible_for_user?(tail, user) && entire_thread_visible_for_user?(parent, user)
|
||||||
|
|
||||||
# root
|
_ ->
|
||||||
def entire_thread_visible_for_user?(tail, user), do: visible_for_user?(tail, user)
|
visible_for_user?(tail, user)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -832,7 +832,9 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
|
||||||
activities = ActivityPub.fetch_activities([user1.ap_id | user1.following])
|
activities = ActivityPub.fetch_activities([user1.ap_id | user1.following])
|
||||||
|
|
||||||
private_activity_1 = Activity.get_by_ap_id_with_object(private_activity_1.data["id"])
|
private_activity_1 = Activity.get_by_ap_id_with_object(private_activity_1.data["id"])
|
||||||
assert [public_activity, private_activity_1, private_activity_3] == activities
|
assert [public_activity, private_activity_1, private_activity_3] ==
|
||||||
|
activities
|
||||||
|
|
||||||
assert length(activities) == 3
|
assert length(activities) == 3
|
||||||
|
|
||||||
activities = ActivityPub.contain_timeline(activities, user1)
|
activities = ActivityPub.contain_timeline(activities, user1)
|
||||||
|
|
|
||||||
|
|
@ -1136,62 +1136,6 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "general origin containment" do
|
|
||||||
test "contain_origin_from_id() catches obvious spoofing attempts" do
|
|
||||||
data = %{
|
|
||||||
"id" => "http://example.com/~alyssa/activities/1234.json"
|
|
||||||
}
|
|
||||||
|
|
||||||
:error =
|
|
||||||
Transmogrifier.contain_origin_from_id(
|
|
||||||
"http://example.org/~alyssa/activities/1234.json",
|
|
||||||
data
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
test "contain_origin_from_id() allows alternate IDs within the same origin domain" do
|
|
||||||
data = %{
|
|
||||||
"id" => "http://example.com/~alyssa/activities/1234.json"
|
|
||||||
}
|
|
||||||
|
|
||||||
:ok =
|
|
||||||
Transmogrifier.contain_origin_from_id(
|
|
||||||
"http://example.com/~alyssa/activities/1234",
|
|
||||||
data
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
test "contain_origin_from_id() allows matching IDs" do
|
|
||||||
data = %{
|
|
||||||
"id" => "http://example.com/~alyssa/activities/1234.json"
|
|
||||||
}
|
|
||||||
|
|
||||||
:ok =
|
|
||||||
Transmogrifier.contain_origin_from_id(
|
|
||||||
"http://example.com/~alyssa/activities/1234.json",
|
|
||||||
data
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
test "users cannot be collided through fake direction spoofing attempts" do
|
|
||||||
insert(:user, %{
|
|
||||||
nickname: "rye@niu.moe",
|
|
||||||
local: false,
|
|
||||||
ap_id: "https://niu.moe/users/rye",
|
|
||||||
follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"})
|
|
||||||
})
|
|
||||||
|
|
||||||
{:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")
|
|
||||||
end
|
|
||||||
|
|
||||||
test "all objects with fake directions are rejected by the object fetcher" do
|
|
||||||
{:error, _} =
|
|
||||||
Fetcher.fetch_and_contain_remote_object_from_id(
|
|
||||||
"https://info.pleroma.site/activity4.json"
|
|
||||||
)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "reserialization" do
|
describe "reserialization" do
|
||||||
test "successfully reserializes a message with inReplyTo == nil" do
|
test "successfully reserializes a message with inReplyTo == nil" do
|
||||||
user = insert(:user)
|
user = insert(:user)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue