From 50403351f48d44f575724c0f6893c21dc8f8f4f4 Mon Sep 17 00:00:00 2001
From: lain
Date: Wed, 22 May 2024 19:17:34 +0100
Subject: [PATCH] add impostor test for webfinger

---
 .../webfinger/imposter-webfinger.json | 41 +++++++++++++++++++
 test/pleroma/web/web_finger_test.exs | 16 ++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 test/fixtures/webfinger/imposter-webfinger.json

diff --git a/test/fixtures/webfinger/imposter-webfinger.json b/test/fixtures/webfinger/imposter-webfinger.json
new file mode 100644
index 000000000..e3d21a083
--- /dev/null
+++ b/test/fixtures/webfinger/imposter-webfinger.json
@@ -0,0 +1,41 @@
+{
+ "subject": "acct:oopsie@notwhereitshouldbe.com",
+ "aliases": [
+ "https://bad.com/webfingertest"
+ ],
+ "links": [
+ {
+ "rel": "http://webfinger.net/rel/profile-page",
+ "type": "text/html",
+ "href": "https://bad.com/webfingertest"
+ },
+ {
+ "rel": "self",
+ "type": "application/activity+json",
+ "href": "https://bad.com/webfingertest"
+ },
+ {
+ "rel": "http://ostatus.org/schema/1.0/subscribe",
+ "template": "https://bad.com/contact/follow?url={uri}"
+ },
+ {
+ "rel": "http://schemas.google.com/g/2010#updates-from",
+ "type": "application/atom+xml",
+ "href": ""
+ },
+ {
+ "rel": "salmon",
+ "href": "https://bad.com/salmon/friendica"
+ },
+ {
+ "rel": "http://microformats.org/profile/hcard",
+ "type": "text/html",
+ "href": "https://bad.com/hcard/friendica"
+ },
+ {
+ "rel": "http://joindiaspora.com/seed_location",
+ "type": "text/html",
+ "href": "https://bad.com"
+ }
+ ]
+}
diff --git a/test/pleroma/web/web_finger_test.exs b/test/pleroma/web/web_finger_test.exs
index 141bb9d6a..5c46d6988 100644
--- a/test/pleroma/web/web_finger_test.exs
+++ b/test/pleroma/web/web_finger_test.exs
@@ -190,4 +190,20 @@ test "prevents spoofing" do
 end
 end
+
+ @tag capture_log: true
+ test "prevents forgeries" do
+ Tesla.Mock.mock(fn
+ %{url: "https://bad.com/.well-known/webfinger?resource=acct:meanie@bad.com"} ->
+ fake_webfinger =
+ File.read!("test/fixtures/webfinger/imposter-webfinger.json") |> Jason.decode!()
+
+ Tesla.Mock.json(fake_webfinger)
+
+ %{url: "https://bad.com/.well-known/host-meta"} ->
+ {:ok, %Tesla.Env{status: 404}}
+ end)
+
+ assert {:error, {:webfinger_invalid, _, _}} = WebFinger.finger("meanie@bad.com")
+ end
 
 end
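Review bot: The assertion `{:error, {:webfinger_invalid, _, _}}` pins only the outer tag, so the test would still pass if `finger/1` rejected the response for an unrelated reason (a decode failure, a missing `self` link) rather than the subject/host mismatch the fixture is built to trigger; if the validator's error tuple carries the requested URL and a reason, match them explicitly, e.g. `assert {:error, {:webfinger_invalid, "https://bad.com/.well-known/webfinger?resource=acct:meanie@bad.com", _reason}} = WebFinger.finger("meanie@bad.com")`, and pin the reason as well once its shape is confirmed. The mock serves only the JSON endpoint and 404s `host-meta`, so if `WebFinger` also accepts XRD/XML responses (not visible in this hunk), the same forged subject delivered over that path is untested and deserves a sibling case. The fixture keeps every `href` on `bad.com` while only `subject` names another domain, which is the right minimal forgery; a one-line comment on the test, e.g. `# bad.com answers for meanie@bad.com but claims a subject on another domain; finger/1 must not accept it`, would make that intent clear to the next reader. Minor: the fixture is spelled `imposter-webfinger.json` while the commit subject says "impostor" — pick one spelling.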