From 3839a11ef51a7602bd4c0b5c5d1318bb9cedd213 Mon Sep 17 00:00:00 2001
From: lain
Date: Sat, 26 May 2018 14:07:46 +0200
Subject: [PATCH] Don't treat remote accepts/rejects as local. Also, use specialized functions to get safe data.
---
 lib/pleroma/web/activity_pub/activity_pub.ex | 11 +++++++
 .../web/activity_pub/transmogrifier.ex | 4 +--
 test/web/activity_pub/transmogrifier_test.exs | 33 ++++++++++++++++---
 3 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
index 30211072b..1a1bfbffd 100644
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -95,6 +95,17 @@ def accept(%{to: to, actor: actor, object: object} = params) do
 end
 end

+ def reject(%{to: to, actor: actor, object: object} = params) do
+ # only accept false as false value
+ local = !(params[:local] == false)
+
+ with data <- %{"to" => to, "type" => "Reject", "actor" => actor, "object" => object},
+ {:ok, activity} <- insert(data, local),
+ :ok <- maybe_federate(activity) do
+ {:ok, activity}
+ end
+ end
+
 def update(%{to: to, cc: cc, actor: actor, object: object} = params) do
 # only accept false as false value
 local = !(params[:local] == false)
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
index 690ca62ec..b2224514c 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
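Review bot: In `lib/pleroma/web/activity_pub/activity_pub.ex`, the new `reject/1` treats the activity as local unless the caller passes exactly `local: false`, so any inbound handler that omits the key stores a remote Reject as local, which is the mistake this commit corrects for `insert(data, true)`. The inline comment `# only accept false as false value` does not say that; I would document the default above the function, e.g. `# Defaults to local: true. Code handling activities received from other servers must pass local: false.` Two style points in the same body: `with data <- %{...}` always matches, so a plain `data = %{...}` before the `with` reads more clearly, and `local = params[:local] != false` says the same thing as `!(params[:local] == false)`.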
@@ -173,7 +173,7 @@ def handle_incoming(
 %User{local: true} = follower <- User.get_cached_by_ap_id(follow_activity["actor"]),
 follow_activity <- Utils.fetch_latest_follow(follower, followed),
 false <- is_nil(follow_activity),
- {:ok, activity} <- ActivityPub.insert(data, true) do
+ {:ok, activity} <- ActivityPub.accept(%{to: follow_activity.data["to"], type: "Accept", actor: followed.ap_id, object: follow_activity.data["id"], local: false}) do
 if not User.following?(follower, followed) do
 {:ok, follower} = User.follow(follower, followed)
 end
@@ -192,7 +192,7 @@ def handle_incoming(
 %User{local: true} = follower <- User.get_cached_by_ap_id(follow_activity["actor"]),
 follow_activity <- Utils.fetch_latest_follow(follower, followed),
 false <- is_nil(follow_activity),
- {:ok, activity} <- ActivityPub.insert(data, true) do
+ {:ok, activity} <- ActivityPub.accept(%{to: follow_activity.data["to"], type: "Accept", actor: followed.ap_id, object: follow_activity.data["id"], local: false}) do
 User.unfollow(follower, followed)

 {:ok, activity}
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index e4cff898d..761d9d992 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -404,7 +404,10 @@ test "it works for incoming accepts which were pre-accepted" do
 accept_data =
 Map.put(accept_data, "object", Map.put(accept_data["object"], "actor", follower.ap_id))

- {:ok, %Activity{data: _}} = Transmogrifier.handle_incoming(accept_data)
+ {:ok, activity} = Transmogrifier.handle_incoming(accept_data)
+ refute activity.local
+
+ assert activity.data["object"] == follow_activity.data["id"]

 follower = Repo.get(User, follower.id)

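Review bot: The Accept rebuilt in the `@@ -173` hunk of `transmogrifier.ex` takes nothing from the incoming `data`, including its `"id"`, so the stored record may no longer be traceable to the activity the remote server sent. Whether `insert/2` assigns a fresh id is not visible in this diff; if it does, a redelivered Accept would not be recognisable as a duplicate by id, which is worth confirming. The `type: "Accept"` key also looks unused, since the `accept/1` head shown in the first file matches only `to`, `actor` and `object`, and the sibling `reject/1` hard-codes `"type"`. I would drop the key and break the map over several lines: `ActivityPub.accept(%{to: follow_activity.data["to"], actor: followed.ap_id, object: follow_activity.data["id"], local: false})`. The enclosing `handle_incoming` clause starts and ends outside the hunk.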
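Review bot: The changed line in the `@@ -192` hunk of `transmogrifier.ex` calls `ActivityPub.accept(...)` with `type: "Accept"`, but the next context line is `User.unfollow(follower, followed)`, so this appears to be the Reject handler and an incoming Reject would be recorded as an Accept. `ActivityPub.reject/1` is added in this same commit and looks like the intended call: `{:ok, activity} <- ActivityPub.reject(%{to: follow_activity.data["to"], actor: followed.ap_id, object: follow_activity.data["id"], local: false}) do`. The reject test changed in the `@@ -487` hunk only checks `refute activity.local`, so it would not catch this; adding `assert activity.data["type"] == "Reject"` there would. The clause head is outside the hunk, so which handler this is remains inferred from the `User.unfollow` call.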
@@ -425,7 +428,8 @@ test "it works for incoming accepts which were orphaned" do
 accept_data =
 Map.put(accept_data, "object", Map.put(accept_data["object"], "actor", follower.ap_id))

- {:ok, %Activity{data: _}} = Transmogrifier.handle_incoming(accept_data)
+ {:ok, activity} = Transmogrifier.handle_incoming(accept_data)
+ assert activity.data["object"] == follow_activity.data["id"]

 follower = Repo.get(User, follower.id)

@@ -444,7 +448,8 @@ test "it works for incoming accepts which are referenced by IRI only" do
 |> Map.put("actor", followed.ap_id)
 |> Map.put("object", follow_activity.data["id"])

- {:ok, %Activity{data: _}} = Transmogrifier.handle_incoming(accept_data)
+ {:ok, activity} = Transmogrifier.handle_incoming(accept_data)
+ assert activity.data["object"] == follow_activity.data["id"]

 follower = Repo.get(User, follower.id)

@@ -470,6 +475,25 @@ test "it fails for incoming accepts which cannot be correlated" do
 refute User.following?(follower, followed) == true
 end

+ test "it fails for incoming rejects which cannot be correlated" do
+ follower = insert(:user)
+ followed = insert(:user, %{info: %{"locked" => true}})
+
+ accept_data =
+ File.read!("test/fixtures/mastodon-reject-activity.json")
+ |> Poison.decode!()
+ |> Map.put("actor", followed.ap_id)
+
+ accept_data =
+ Map.put(accept_data, "object", Map.put(accept_data["object"], "actor", follower.ap_id))
+
+ :error = Transmogrifier.handle_incoming(accept_data)
+
+ follower = Repo.get(User, follower.id)
+
+ refute User.following?(follower, followed) == true
+ end
+
 test "it works for incoming rejects which are orphaned" do
 follower = insert(:user)
 followed = insert(:user, %{info: %{"locked" => true}})
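Review bot: The test added in the `@@ -470` hunk binds the reject fixture to `accept_data`, apparently carried over from the accept test above it, which makes the reject case harder to follow; `reject_data` would match the neighbouring reject test. The bare match `:error = Transmogrifier.handle_incoming(accept_data)` fails with a `MatchError` rather than an assertion diff, so `assert :error == Transmogrifier.handle_incoming(reject_data)` would report the actual return value. `refute User.following?(follower, followed) == true` also passes for any non-`true` return; `refute User.following?(follower, followed)` is the tighter check.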
@@ -487,7 +511,8 @@ test "it works for incoming rejects which are orphaned" do
 reject_data =
 Map.put(reject_data, "object", Map.put(reject_data["object"], "actor", follower.ap_id))

- {:ok, %Activity{data: _}} = Transmogrifier.handle_incoming(reject_data)
+ {:ok, activity} = Transmogrifier.handle_incoming(reject_data)
+ refute activity.local

 follower = Repo.get(User, follower.id)