forked from AkkomaGang/akkoma
Update spoofed activity test
Turns out we already had a test for activities spoofed via upload due to an exploit several years. Back then *oma did not verify content-type at all and doing so was the only adopted countermeasure. Even the added test sample though suffered from a mismatching id, yet nobody seems to have thought it a good idea to tighten id checks, huh Since we will add stricter id checks later, make id and URL match and also add a testcase for no content type at all. The new section will be expanded in subsequent commits.
This commit is contained in:
parent
2bcf633dc2
commit
baaeffdebc
1 changed files with 43 additions and 10 deletions
|
@ -14,6 +14,17 @@ defmodule Pleroma.Object.FetcherTest do
|
||||||
import Mock
|
import Mock
|
||||||
import Tesla.Mock
|
import Tesla.Mock
|
||||||
|
|
||||||
|
defp spoofed_object_with_ids(
|
||||||
|
id \\ "https://patch.cx/objects/spoof",
|
||||||
|
actor_id \\ "https://patch.cx/users/rin"
|
||||||
|
) do
|
||||||
|
File.read!("test/fixtures/spoofed-object.json")
|
||||||
|
|> Jason.decode!()
|
||||||
|
|> Map.put("id", id)
|
||||||
|
|> Map.put("actor", actor_id)
|
||||||
|
|> Jason.encode!()
|
||||||
|
end
|
||||||
|
|
||||||
setup do
|
setup do
|
||||||
mock(fn
|
mock(fn
|
||||||
%{method: :get, url: "https://mastodon.example.org/users/userisgone"} ->
|
%{method: :get, url: "https://mastodon.example.org/users/userisgone"} ->
|
||||||
|
@ -22,15 +33,28 @@ defmodule Pleroma.Object.FetcherTest do
|
||||||
%{method: :get, url: "https://mastodon.example.org/users/userisgone404"} ->
|
%{method: :get, url: "https://mastodon.example.org/users/userisgone404"} ->
|
||||||
%Tesla.Env{status: 404}
|
%Tesla.Env{status: 404}
|
||||||
|
|
||||||
|
# Spoof: wrong Content-Type
|
||||||
%{
|
%{
|
||||||
method: :get,
|
method: :get,
|
||||||
url:
|
url: "https://patch.cx/objects/spoof_content_type.json"
|
||||||
"https://patch.cx/media/03ca3c8b4ac3ddd08bf0f84be7885f2f88de0f709112131a22d83650819e36c2.json"
|
|
||||||
} ->
|
} ->
|
||||||
%Tesla.Env{
|
%Tesla.Env{
|
||||||
status: 200,
|
status: 200,
|
||||||
|
url: "https://patch.cx/objects/spoof_content_type.json",
|
||||||
headers: [{"content-type", "application/json"}],
|
headers: [{"content-type", "application/json"}],
|
||||||
body: File.read!("test/fixtures/spoofed-object.json")
|
body: spoofed_object_with_ids("https://patch.cx/objects/spoof_content_type.json")
|
||||||
|
}
|
||||||
|
|
||||||
|
# Spoof: no Content-Type
|
||||||
|
%{
|
||||||
|
method: :get,
|
||||||
|
url: "https://patch.cx/objects/spoof_content_type"
|
||||||
|
} ->
|
||||||
|
%Tesla.Env{
|
||||||
|
status: 200,
|
||||||
|
url: "https://patch.cx/objects/spoof_content_type",
|
||||||
|
headers: [],
|
||||||
|
body: spoofed_object_with_ids("https://patch.cx/objects/spoof_content_type")
|
||||||
}
|
}
|
||||||
|
|
||||||
env ->
|
env ->
|
||||||
|
@ -129,6 +153,22 @@ test "it rejects objects when attributedTo is wrong (variant 2)" do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "fetcher security and auth checks" do
|
||||||
|
test "it does not fetch a spoofed object without content type" do
|
||||||
|
assert {:error, {:content_type, nil}} =
|
||||||
|
Fetcher.fetch_and_contain_remote_object_from_id(
|
||||||
|
"https://patch.cx/objects/spoof_content_type"
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it does not fetch a spoofed object with wrong content type" do
|
||||||
|
assert {:error, {:content_type, _}} =
|
||||||
|
Fetcher.fetch_and_contain_remote_object_from_id(
|
||||||
|
"https://patch.cx/objects/spoof_content_type.json"
|
||||||
|
)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe "fetching an object" do
|
describe "fetching an object" do
|
||||||
test "it fetches an object" do
|
test "it fetches an object" do
|
||||||
{:ok, object} =
|
{:ok, object} =
|
||||||
|
@ -155,13 +195,6 @@ test "Return MRF reason when fetched status is rejected by one" do
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it does not fetch a spoofed object uploaded on an instance as an attachment" do
|
|
||||||
assert {:error, _} =
|
|
||||||
Fetcher.fetch_object_from_id(
|
|
||||||
"https://patch.cx/media/03ca3c8b4ac3ddd08bf0f84be7885f2f88de0f709112131a22d83650819e36c2.json"
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
test "does not fetch anything from a rejected instance" do
|
test "does not fetch anything from a rejected instance" do
|
||||||
clear_config([:mrf_simple, :reject], [{"evil.example.org", "i said so"}])
|
clear_config([:mrf_simple, :reject], [{"evil.example.org", "i said so"}])
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue