Merge branch 'security/actor-containment' into 'develop'
security hotfix: actor containment. See merge request pleroma/pleroma!460
commit
a960983815
7 changed files with 107 additions and 7 deletions
@ -747,7 +747,7 @@ def fetch_object_from_id(id) do
|
||||||
"type" => "Create",
|
"type" => "Create",
|
||||||
"to" => data["to"],
|
"to" => data["to"],
|
||||||
"cc" => data["cc"],
|
"cc" => data["cc"],
|
||||||
"actor" => data["attributedTo"],
|
"actor" => data["actor"] || data["attributedTo"],
|
||||||
"object" => data
|
"object" => data
|
||||||
},
|
},
|
||||||
:ok <- Transmogrifier.contain_origin(id, params),
|
:ok <- Transmogrifier.contain_origin(id, params),
|
||||||
|
|
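Review bot: With `"actor" => data["actor"] || data["attributedTo"]`, `Transmogrifier.contain_origin(id, params)` compares only one attribution field against `id`; an object that carries both fields with different origins passes this check whenever its `actor` alone is contained, and its `attributedTo` is never compared here (whether the Create path in `handle_incoming/1` later checks the two against each other is not visible in this hunk). Since `attributedTo` is presumably the attribution a fetched Note is displayed with, I would contain it as well when present, e.g. a second clause `:ok <- Transmogrifier.contain_origin(id, %{"actor" => data["attributedTo"] || data["actor"]})`, or fold both values into a single check inside `contain_origin/2`. `data["actor"]` can also be an embedded object rather than an IRI string in ActivityPub payloads, so it is worth confirming that `contain_origin/2` rejects non-binary values instead of passing them through. `fetch_object_from_id/1` starts before this hunk and continues after it.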
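--- a/test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json
+++ b/test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json
@@ -0,0 +1,17 @@
+{
+"@context": "https://www.w3.org/ns/activitystreams",
+"id": "https://info.pleroma.site/actor.json",
+"type": "Person",
+"following": "https://info.pleroma.site/following.json",
+"followers": "https://info.pleroma.site/followers.json",
+"inbox": "https://info.pleroma.site/inbox.json",
+"outbox": "https://info.pleroma.site/outbox.json",
+"preferredUsername": "admin",
+"name": null,
+"summary": "<p></p>",
+"publicKey": {
+"id": "https://info.pleroma.site/actor.json#main-key",
+"owner": "https://info.pleroma.site/actor.json",
+"publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtc4Tir+3ADhSNF6VKrtW\nOU32T01w7V0yshmQei38YyiVwVvFu8XOP6ACchkdxbJ+C9mZud8qWaRJKVbFTMUG\nNX4+6Q+FobyuKrwN7CEwhDALZtaN2IPbaPd6uG1B7QhWorrY+yFa8f2TBM3BxnUy\nI4T+bMIZIEYG7KtljCBoQXuTQmGtuffO0UwJksidg2ffCF5Q+K//JfQagJ3UzrR+\nZXbKMJdAw4bCVJYs4Z5EhHYBwQWiXCyMGTd7BGlmMkY6Av7ZqHKC/owp3/0EWDNz\nNqF09Wcpr3y3e8nA10X40MJqp/wR+1xtxp+YGbq/Cj5hZGBG7etFOmIpVBrDOhry\nBwIDAQAB\n-----END PUBLIC KEY-----\n"
+}
+}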
@ -1,8 +1,8 @@
|
||||||
{
|
{
|
||||||
"@context": "https://www.w3.org/ns/activitystreams",
|
"@context": "https://www.w3.org/ns/activitystreams",
|
||||||
"actor": "https://mastodon.example.org/users/admin",
|
"actor": "http://mastodon.example.org/users/admin",
|
||||||
"attachment": [],
|
"attachment": [],
|
||||||
"attributedTo": "https://mastodon.example.org/users/admin",
|
"attributedTo": "http://mastodon.example.org/users/admin",
|
||||||
"content": "<p>this post was not actually written by Haelwenn</p>",
|
"content": "<p>this post was not actually written by Haelwenn</p>",
|
||||||
"id": "https://info.pleroma.site/activity.json",
|
"id": "https://info.pleroma.site/activity.json",
|
||||||
"published": "2018-09-01T22:15:00Z",
|
"published": "2018-09-01T22:15:00Z",
|
||||||
|
|
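--- a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json
+++ b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json
@@ -0,0 +1,14 @@
+{
+"@context": "https://www.w3.org/ns/activitystreams",
+"attributedTo": "https://info.pleroma.site/actor.json",
+"attachment": [],
+"actor": "http://mastodon.example.org/users/admin",
+"content": "<p>this post was not actually written by Haelwenn</p>",
+"id": "https://info.pleroma.site/activity2.json",
+"published": "2018-09-01T22:15:00Z",
+"tag": [],
+"to": [
+"https://www.w3.org/ns/activitystreams#Public"
+],
+"type": "Note"
+}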
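--- a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json
+++ b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json
@@ -0,0 +1,13 @@
+{
+"@context": "https://www.w3.org/ns/activitystreams",
+"attributedTo": "http://mastodon.example.org/users/admin",
+"attachment": [],
+"content": "<p>this post was not actually written by Haelwenn</p>",
+"id": "https://info.pleroma.site/activity2.json",
+"published": "2018-09-01T22:15:00Z",
+"tag": [],
+"to": [
+"https://www.w3.org/ns/activitystreams#Public"
+],
+"type": "Note"
+}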
@ -40,6 +40,30 @@ def get("https://info.pleroma.site/activity.json", _, _) do
|
||||||
}}
|
}}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def get("https://info.pleroma.site/activity2.json", _, _) do
|
||||||
|
{:ok,
|
||||||
|
%Response{
|
||||||
|
status_code: 200,
|
||||||
|
body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json")
|
||||||
|
}}
|
||||||
|
end
|
||||||
|
|
||||||
|
def get("https://info.pleroma.site/activity3.json", _, _) do
|
||||||
|
{:ok,
|
||||||
|
%Response{
|
||||||
|
status_code: 200,
|
||||||
|
body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json")
|
||||||
|
}}
|
||||||
|
end
|
||||||
|
|
||||||
|
def get("https://info.pleroma.site/actor.json", _, _) do
|
||||||
|
{:ok,
|
||||||
|
%Response{
|
||||||
|
status_code: 200,
|
||||||
|
body: File.read!("test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json")
|
||||||
|
}}
|
||||||
|
end
|
||||||
|
|
||||||
def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
|
def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
|
||||||
{:ok,
|
{:ok,
|
||||||
%Response{
|
%Response{
|
||||||
|
|
|
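Review bot: The three new fixture paths are named inconsistently: the actor clause reads `https___info.pleroma.site_actor.json` (triple underscore) while the two activity clauses read `https__info.pleroma.site_activity2.json` and `https__info.pleroma.site_activity3.json` (double), which is easy to mistype when the next sibling is added. I would rename the actor fixture to `https__info.pleroma.site_actor.json` and change the corresponding `body:` line to `body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_actor.json")`. The new clauses also match `_, _` for headers and options, unlike the neighbouring `puckipedia.com` clause that pins `[Accept: "application/activity+json"]`; if the looser match is intentional for these mocks, a one-line comment saying so would save the next reader from wondering.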
@ -872,12 +872,10 @@ test "it rejects objects with a bogus origin" do
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it rejects activities which reference objects with bogus origins" do
|
test "it rejects activities which reference objects with bogus origins" do
|
||||||
user = insert(:user, %{local: false})
|
|
||||||
|
|
||||||
data = %{
|
data = %{
|
||||||
"@context" => "https://www.w3.org/ns/activitystreams",
|
"@context" => "https://www.w3.org/ns/activitystreams",
|
||||||
"id" => user.ap_id <> "/activities/1234",
|
"id" => "http://mastodon.example.org/users/admin/activities/1234",
|
||||||
"actor" => user.ap_id,
|
"actor" => "http://mastodon.example.org/users/admin",
|
||||||
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
|
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
|
||||||
"object" => "https://info.pleroma.site/activity.json",
|
"object" => "https://info.pleroma.site/activity.json",
|
||||||
"type" => "Announce"
|
"type" => "Announce"
|
||||||
|
@ -885,5 +883,39 @@ test "it rejects activities which reference objects with bogus origins" do
|
||||||
|
|
||||||
:error = Transmogrifier.handle_incoming(data)
|
:error = Transmogrifier.handle_incoming(data)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "it rejects objects when attributedTo is wrong (variant 1)" do
|
||||||
|
{:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity2.json")
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it rejects activities which reference objects that have an incorrect attribution (variant 1)" do
|
||||||
|
data = %{
|
||||||
|
"@context" => "https://www.w3.org/ns/activitystreams",
|
||||||
|
"id" => "http://mastodon.example.org/users/admin/activities/1234",
|
||||||
|
"actor" => "http://mastodon.example.org/users/admin",
|
||||||
|
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
|
||||||
|
"object" => "https://info.pleroma.site/activity2.json",
|
||||||
|
"type" => "Announce"
|
||||||
|
}
|
||||||
|
|
||||||
|
:error = Transmogrifier.handle_incoming(data)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it rejects objects when attributedTo is wrong (variant 2)" do
|
||||||
|
{:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity3.json")
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it rejects activities which reference objects that have an incorrect attribution (variant 2)" do
|
||||||
|
data = %{
|
||||||
|
"@context" => "https://www.w3.org/ns/activitystreams",
|
||||||
|
"id" => "http://mastodon.example.org/users/admin/activities/1234",
|
||||||
|
"actor" => "http://mastodon.example.org/users/admin",
|
||||||
|
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
|
||||||
|
"object" => "https://info.pleroma.site/activity3.json",
|
||||||
|
"type" => "Announce"
|
||||||
|
}
|
||||||
|
|
||||||
|
:error = Transmogrifier.handle_incoming(data)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
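Review bot: The four new tests only establish that some error occurred: `{:error, _} = ActivityPub.fetch_object_from_id(...)` and `:error = Transmogrifier.handle_incoming(data)` pass equally when the mock clause is missing, the fixture fails to parse, or containment actually rejects the object, so they cannot distinguish a working check from a broken fixture. If `fetch_object_from_id/1` returns a distinguishable reason for containment failures, pin it in the match; otherwise add a positive control that fetches a correctly attributed object from the same host and asserts `{:ok, _}`, so the negative cases are known to fail for the intended reason. Note also that the `activity3.json` fixture added in this commit declares `"id": "https://info.pleroma.site/activity2.json"` while it is served at `.../activity3.json`, so the variant-2 tests may be rejected for an id/URL mismatch (if such a check exists upstream) rather than for the wrong `attributedTo`; giving that fixture its own id removes the ambiguity. The same looseness applies to the `:error` match in the first hunk of this file, and the `describe` block these tests sit in starts before the hunk.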