forked from AkkomaGang/akkoma
/notice signing checks on redirect (#150)
Reviewed-on: AkkomaGang/akkoma#150
This commit is contained in:
parent
3b973d0627
commit
ec162b496b
2 changed files with 47 additions and 11 deletions
|
@ -5,6 +5,8 @@
|
||||||
defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
|
defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
|
||||||
import Plug.Conn
|
import Plug.Conn
|
||||||
import Phoenix.Controller, only: [get_format: 1, text: 2]
|
import Phoenix.Controller, only: [get_format: 1, text: 2]
|
||||||
|
alias Pleroma.Activity
|
||||||
|
alias Pleroma.Web.Router
|
||||||
require Logger
|
require Logger
|
||||||
|
|
||||||
def init(options) do
|
def init(options) do
|
||||||
|
@ -25,11 +27,25 @@ def call(conn, _opts) do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp maybe_assign_valid_signature(conn) do
|
def route_aliases(%{path_info: ["objects", id]} = conn) do
|
||||||
if has_signature_header?(conn) do
|
ap_id = Router.Helpers.o_status_url(Pleroma.Web.Endpoint, :object, id)
|
||||||
# set (request-target) header to the appropriate value
|
|
||||||
# we also replace the digest header with the one we computed
|
with %Activity{} = activity <- Activity.get_by_object_ap_id_with_object(ap_id) do
|
||||||
request_target = String.downcase("#{conn.method}") <> " #{conn.request_path}"
|
["/notice/#{activity.id}"]
|
||||||
|
else
|
||||||
|
_ -> []
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def route_aliases(_), do: []
|
||||||
|
|
||||||
|
defp assign_valid_signature_on_route_aliases(conn, []), do: conn
|
||||||
|
|
||||||
|
defp assign_valid_signature_on_route_aliases(%{assigns: %{valid_signature: true}} = conn, _),
|
||||||
|
do: conn
|
||||||
|
|
||||||
|
defp assign_valid_signature_on_route_aliases(conn, [path | rest]) do
|
||||||
|
request_target = String.downcase("#{conn.method}") <> " #{path}"
|
||||||
|
|
||||||
conn =
|
conn =
|
||||||
conn
|
conn
|
||||||
|
@ -39,7 +55,17 @@ defp maybe_assign_valid_signature(conn) do
|
||||||
conn -> conn
|
conn -> conn
|
||||||
end
|
end
|
||||||
|
|
||||||
assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
|
conn
|
||||||
|
|> assign(:valid_signature, HTTPSignatures.validate_conn(conn))
|
||||||
|
|> assign_valid_signature_on_route_aliases(rest)
|
||||||
|
end
|
||||||
|
|
||||||
|
defp maybe_assign_valid_signature(conn) do
|
||||||
|
if has_signature_header?(conn) do
|
||||||
|
# set (request-target) header to the appropriate value
|
||||||
|
# we also replace the digest header with the one we computed
|
||||||
|
possible_paths = route_aliases(conn) ++ [conn.request_path]
|
||||||
|
assign_valid_signature_on_route_aliases(conn, possible_paths)
|
||||||
else
|
else
|
||||||
Logger.debug("No signature header!")
|
Logger.debug("No signature header!")
|
||||||
conn
|
conn
|
||||||
|
|
|
@ -4,6 +4,7 @@
|
||||||
|
|
||||||
defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
|
defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
|
||||||
use Pleroma.Web.ConnCase
|
use Pleroma.Web.ConnCase
|
||||||
|
import Pleroma.Factory
|
||||||
alias Pleroma.Web.Plugs.HTTPSignaturePlug
|
alias Pleroma.Web.Plugs.HTTPSignaturePlug
|
||||||
|
|
||||||
import Plug.Conn
|
import Plug.Conn
|
||||||
|
@ -81,5 +82,14 @@ test "halts the connection when `signature` header is not present", %{conn: conn
|
||||||
assert conn.state == :sent
|
assert conn.state == :sent
|
||||||
assert conn.resp_body == "Request not signed"
|
assert conn.resp_body == "Request not signed"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "aliases redirected /object endpoints", _ do
|
||||||
|
obj = insert(:note)
|
||||||
|
act = insert(:note_activity, note: obj)
|
||||||
|
params = %{"actor" => "http://mastodon.example.org/users/admin"}
|
||||||
|
path = URI.parse(obj.data["id"]).path
|
||||||
|
conn = build_conn(:get, path, params)
|
||||||
|
assert ["/notice/#{act.id}"] == HTTPSignaturePlug.route_aliases(conn)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue