Update spoofed activity test

Turns out we already had a test for activities spoofed via upload due
to an exploit several years. Back then *oma did not verify content-type
at all and doing so was the only adopted countermeasure.
Even the added test sample though suffered from a mismatching id, yet
nobody seems to have thought it a good idea to tighten id checks, huh

Since we will add stricter id checks later, make id and URL match
and also add a testcase for no content type at all. The new section
will be expanded in subsequent commits.
This commit is contained in:
Oneric 2024-03-13 20:04:31 -01:00
parent 2bcf633dc2
commit baaeffdebc

View file

@ -14,6 +14,17 @@ defmodule Pleroma.Object.FetcherTest do
import Mock import Mock
import Tesla.Mock import Tesla.Mock
defp spoofed_object_with_ids(
id \\ "https://patch.cx/objects/spoof",
actor_id \\ "https://patch.cx/users/rin"
) do
File.read!("test/fixtures/spoofed-object.json")
|> Jason.decode!()
|> Map.put("id", id)
|> Map.put("actor", actor_id)
|> Jason.encode!()
end
setup do setup do
mock(fn mock(fn
%{method: :get, url: "https://mastodon.example.org/users/userisgone"} -> %{method: :get, url: "https://mastodon.example.org/users/userisgone"} ->
@ -22,15 +33,28 @@ defmodule Pleroma.Object.FetcherTest do
%{method: :get, url: "https://mastodon.example.org/users/userisgone404"} -> %{method: :get, url: "https://mastodon.example.org/users/userisgone404"} ->
%Tesla.Env{status: 404} %Tesla.Env{status: 404}
# Spoof: wrong Content-Type
%{ %{
method: :get, method: :get,
url: url: "https://patch.cx/objects/spoof_content_type.json"
"https://patch.cx/media/03ca3c8b4ac3ddd08bf0f84be7885f2f88de0f709112131a22d83650819e36c2.json"
} -> } ->
%Tesla.Env{ %Tesla.Env{
status: 200, status: 200,
url: "https://patch.cx/objects/spoof_content_type.json",
headers: [{"content-type", "application/json"}], headers: [{"content-type", "application/json"}],
body: File.read!("test/fixtures/spoofed-object.json") body: spoofed_object_with_ids("https://patch.cx/objects/spoof_content_type.json")
}
# Spoof: no Content-Type
%{
method: :get,
url: "https://patch.cx/objects/spoof_content_type"
} ->
%Tesla.Env{
status: 200,
url: "https://patch.cx/objects/spoof_content_type",
headers: [],
body: spoofed_object_with_ids("https://patch.cx/objects/spoof_content_type")
} }
env -> env ->
@ -129,6 +153,22 @@ test "it rejects objects when attributedTo is wrong (variant 2)" do
end end
end end
describe "fetcher security and auth checks" do
test "it does not fetch a spoofed object without content type" do
assert {:error, {:content_type, nil}} =
Fetcher.fetch_and_contain_remote_object_from_id(
"https://patch.cx/objects/spoof_content_type"
)
end
test "it does not fetch a spoofed object with wrong content type" do
assert {:error, {:content_type, _}} =
Fetcher.fetch_and_contain_remote_object_from_id(
"https://patch.cx/objects/spoof_content_type.json"
)
end
end
describe "fetching an object" do describe "fetching an object" do
test "it fetches an object" do test "it fetches an object" do
{:ok, object} = {:ok, object} =
@ -155,13 +195,6 @@ test "Return MRF reason when fetched status is rejected by one" do
) )
end end
test "it does not fetch a spoofed object uploaded on an instance as an attachment" do
assert {:error, _} =
Fetcher.fetch_object_from_id(
"https://patch.cx/media/03ca3c8b4ac3ddd08bf0f84be7885f2f88de0f709112131a22d83650819e36c2.json"
)
end
test "does not fetch anything from a rejected instance" do test "does not fetch anything from a rejected instance" do
clear_config([:mrf_simple, :reject], [{"evil.example.org", "i said so"}]) clear_config([:mrf_simple, :reject], [{"evil.example.org", "i said so"}])