Merge branch 'security/activitypub-reject-bogus-ids' into 'develop'

security: activitypub: reject activities with bogus ids

See merge request pleroma/pleroma!286
This commit is contained in:
kaniini 2018-08-23 01:39:08 +00:00
commit e416469a40
2 changed files with 18 additions and 0 deletions

View file

@ -177,6 +177,12 @@ def fix_content_map(%{"contentMap" => content_map} = object) do
def fix_content_map(object), do: object def fix_content_map(object), do: object
# disallow objects with bogus IDs
def handle_incoming(%{"id" => nil}), do: :error
def handle_incoming(%{"id" => ""}), do: :error
# length of https:// = 8, should validate better, but good enough for now.
def handle_incoming(%{"id" => id}) when not (is_binary(id) and length(id) > 8), do: :error
# TODO: validate those with a Ecto scheme # TODO: validate those with a Ecto scheme
# - tags # - tags
# - emoji # - emoji

View file

@ -615,6 +615,18 @@ test "it works for incoming rejects which are referenced by IRI only" do
assert User.following?(follower, followed) == false assert User.following?(follower, followed) == false
end end
test "it rejects activities without a valid ID" do
user = insert(:user)
data =
File.read!("test/fixtures/mastodon-follow-activity.json")
|> Poison.decode!()
|> Map.put("object", user.ap_id)
|> Map.put("id", "")
:error = Transmogrifier.handle_incoming(data)
end
end end
describe "prepare outgoing" do describe "prepare outgoing" do