Merge branch 'security/activitypub-reject-bogus-ids' into 'develop'

security: activitypub: reject activities with bogus ids See merge request pleroma/pleroma!286
2018-08-23 01:39:08 +00:00 · 2018-08-23 01:39:08 +00:00 · e416469a40
commit e416469a40
parent 643f373514 a909fe45a6
2 changed files with 18 additions and 0 deletions
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@ -177,6 +177,12 @@ def fix_content_map(%{"contentMap" => content_map} = object) do

  def fix_content_map(object), do: object

+  # disallow objects with bogus IDs
+  def handle_incoming(%{"id" => nil}), do: :error
+  def handle_incoming(%{"id" => ""}), do: :error
+  # length of https:// = 8, should validate better, but good enough for now.
+  def handle_incoming(%{"id" => id}) when not (is_binary(id) and length(id) > 8), do: :error
+
  # TODO: validate those with a Ecto scheme
  # - tags
  # - emoji
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@ -615,6 +615,18 @@ test "it works for incoming rejects which are referenced by IRI only" do

      assert User.following?(follower, followed) == false
    end
+
+    test "it rejects activities without a valid ID" do
+      user = insert(:user)
+
+      data =
+        File.read!("test/fixtures/mastodon-follow-activity.json")
+        |> Poison.decode!()
+        |> Map.put("object", user.ap_id)
+        |> Map.put("id", "")
+
+      :error = Transmogrifier.handle_incoming(data)
+    end
  end

  describe "prepare outgoing" do