Merge branch 'security/activitypub-spoofing' into 'develop'

security: activitypub spoofing

See merge request pleroma/pleroma!321
This commit is contained in:
kaniini 2018-09-01 23:48:55 +00:00
commit 3c7280934e
5 changed files with 58 additions and 0 deletions

View file

@ -747,6 +747,7 @@ def fetch_object_from_id(id) do
"actor" => data["attributedTo"], "actor" => data["attributedTo"],
"object" => data "object" => data
}, },
:ok <- Transmogrifier.contain_origin(id, params),
{:ok, activity} <- Transmogrifier.handle_incoming(params) do {:ok, activity} <- Transmogrifier.handle_incoming(params) do
{:ok, Object.normalize(activity.data["object"])} {:ok, Object.normalize(activity.data["object"])}
else else

View file

@ -30,6 +30,20 @@ def get_actor(%{"actor" => actor}) when is_map(actor) do
actor["id"] actor["id"]
end end
@doc """
Checks that an imported AP object's actor matches the domain it came from.
"""
def contain_origin(id, %{"actor" => actor} = params) do
id_uri = URI.parse(id)
actor_uri = URI.parse(get_actor(params))
if id_uri.host == actor_uri.host do
:ok
else
:error
end
end
@doc """ @doc """
Modifies an incoming AP object (mastodon format) to our internal format. Modifies an incoming AP object (mastodon format) to our internal format.
""" """

View file

@ -0,0 +1,14 @@
{
"@context": "https://www.w3.org/ns/activitystreams",
"actor": "https://mastodon.example.org/users/admin",
"attachment": [],
"attributedTo": "https://mastodon.example.org/users/admin",
"content": "<p>this post was not actually written by Haelwenn</p>",
"id": "https://info.pleroma.site/activity.json",
"published": "2018-09-01T22:15:00Z",
"tag": [],
"to": [
"https://www.w3.org/ns/activitystreams#Public"
],
"type": "Note"
}

View file

@ -3,6 +3,14 @@ defmodule HTTPoisonMock do
def get(url, body \\ [], headers \\ []) def get(url, body \\ [], headers \\ [])
def get("https://info.pleroma.site/activity.json", _, _) do
{:ok,
%Response{
status_code: 200,
body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json")
}}
end
def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
{:ok, {:ok,
%Response{ %Response{

View file

@ -798,4 +798,25 @@ test "it fixes the actor URL property to be a proper URI" do
assert rewritten["url"] == "http://example.com" assert rewritten["url"] == "http://example.com"
end end
end end
describe "actor origin containment" do
test "it rejects objects with a bogus origin" do
{:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity.json")
end
test "it rejects activities which reference objects with bogus origins" do
user = insert(:user, %{local: false})
data = %{
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => user.ap_id <> "/activities/1234",
"actor" => user.ap_id,
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"object" => "https://info.pleroma.site/activity.json",
"type" => "Announce"
}
:error = Transmogrifier.handle_incoming(data)
end
end
end end