Merge branch 'security/ir-generic-containment' into 'develop'
security: IR-based generic object containment See merge request pleroma/pleroma!1417
This commit is contained in:
commit
509d8058d9
5 changed files with 46 additions and 0 deletions
|
@ -42,6 +42,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Admin API: changed json structure for saving config settings.
|
||||
- RichMedia: parsers and their order are configured in `rich_media` config.
|
||||
|
||||
## [1.0.1] - 2019-07-14
|
||||
### Security
|
||||
- OStatus: fix an object spoofing vulnerability.
|
||||
|
||||
## [1.0.0] - 2019-06-29
|
||||
### Security
|
||||
- Mastodon API: Fix display names not being sanitized
|
||||
|
|
|
@ -48,6 +48,9 @@ def contain_origin(id, %{"actor" => _actor} = params) do
|
|||
end
|
||||
end
|
||||
|
||||
def contain_origin(id, %{"attributedTo" => actor} = params),
|
||||
do: contain_origin(id, Map.put(params, "actor", actor))
|
||||
|
||||
def contain_origin_from_id(_id, %{"id" => nil}), do: :error
|
||||
|
||||
def contain_origin_from_id(id, %{"id" => other_id} = _params) do
|
||||
|
@ -60,4 +63,9 @@ def contain_origin_from_id(id, %{"id" => other_id} = _params) do
|
|||
:error
|
||||
end
|
||||
end
|
||||
|
||||
def contain_child(%{"object" => %{"id" => id, "attributedTo" => _} = object}),
|
||||
do: contain_origin(id, object)
|
||||
|
||||
def contain_child(_), do: :ok
|
||||
end
|
||||
|
|
|
@ -8,6 +8,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|
|||
alias Pleroma.Conversation
|
||||
alias Pleroma.Notification
|
||||
alias Pleroma.Object
|
||||
alias Pleroma.Object.Containment
|
||||
alias Pleroma.Object.Fetcher
|
||||
alias Pleroma.Pagination
|
||||
alias Pleroma.Repo
|
||||
|
@ -126,6 +127,7 @@ def insert(map, local \\ true, fake \\ false) when is_map(map) do
|
|||
{:ok, map} <- MRF.filter(map),
|
||||
{recipients, _, _} = get_recipients(map),
|
||||
{:fake, false, map, recipients} <- {:fake, fake, map, recipients},
|
||||
:ok <- Containment.contain_child(map),
|
||||
{:ok, map, object} <- insert_full_object(map) do
|
||||
{:ok, activity} =
|
||||
Repo.insert(%Activity{
|
||||
|
|
|
@ -68,4 +68,34 @@ test "users cannot be collided through fake direction spoofing attempts" do
|
|||
"[error] Could not decode user at fetch https://n1u.moe/users/rye, {:error, :error}"
|
||||
end
|
||||
end
|
||||
|
||||
describe "containment of children" do
|
||||
test "contain_child() catches spoofing attempts" do
|
||||
data = %{
|
||||
"id" => "http://example.com/whatever",
|
||||
"type" => "Create",
|
||||
"object" => %{
|
||||
"id" => "http://example.net/~alyssa/activities/1234",
|
||||
"attributedTo" => "http://example.org/~alyssa"
|
||||
},
|
||||
"actor" => "http://example.com/~bob"
|
||||
}
|
||||
|
||||
:error = Containment.contain_child(data)
|
||||
end
|
||||
|
||||
test "contain_child() allows correct origins" do
|
||||
data = %{
|
||||
"id" => "http://example.org/~alyssa/activities/5678",
|
||||
"type" => "Create",
|
||||
"object" => %{
|
||||
"id" => "http://example.org/~alyssa/activities/1234",
|
||||
"attributedTo" => "http://example.org/~alyssa"
|
||||
},
|
||||
"actor" => "http://example.org/~alyssa"
|
||||
}
|
||||
|
||||
:ok = Containment.contain_child(data)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -416,6 +416,7 @@ test "it ensures that as:Public activities make it to their followers collection
|
|||
|> Map.put("attributedTo", user.ap_id)
|
||||
|> Map.put("to", ["https://www.w3.org/ns/activitystreams#Public"])
|
||||
|> Map.put("cc", [])
|
||||
|> Map.put("id", user.ap_id <> "/activities/12345678")
|
||||
|
||||
data = Map.put(data, "object", object)
|
||||
|
||||
|
@ -439,6 +440,7 @@ test "it ensures that address fields become lists" do
|
|||
|> Map.put("attributedTo", user.ap_id)
|
||||
|> Map.put("to", nil)
|
||||
|> Map.put("cc", nil)
|
||||
|> Map.put("id", user.ap_id <> "/activities/12345678")
|
||||
|
||||
data = Map.put(data, "object", object)
|
||||
|
||||
|
|
Loading…
Reference in a new issue