Merge branch 'simplepolicy-announce-leak' into 'develop'
SimplePolicy: filter nested objects, fixes #2582 Closes #2582 See merge request pleroma/pleroma!3376
This commit is contained in:
commit
359ded086c
3 changed files with 48 additions and 1 deletions
|
@ -33,6 +33,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- Applying ConcurrentLimiter settings via AdminAPI
|
- Applying ConcurrentLimiter settings via AdminAPI
|
||||||
- User login failures if their `notification_settings` were in a NULL state.
|
- User login failures if their `notification_settings` were in a NULL state.
|
||||||
- Mix task `pleroma.user delete_activities` query transaction timeout is now :infinity
|
- Mix task `pleroma.user delete_activities` query transaction timeout is now :infinity
|
||||||
|
- MRF (`SimplePolicy`): Embedded objects are now checked. If any embedded object would be rejected, its parent is rejected. This fixes Announces leaking posts from blocked domains.
|
||||||
- Fixed some Markdown issues, including trailing slash in links.
|
- Fixed some Markdown issues, including trailing slash in links.
|
||||||
|
|
||||||
## [2.3.0] - 2020-03-01
|
## [2.3.0] - 2020-03-01
|
||||||
|
|
|
@ -177,6 +177,14 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
|
||||||
|
|
||||||
defp check_banner_removal(_actor_info, object), do: {:ok, object}
|
defp check_banner_removal(_actor_info, object), do: {:ok, object}
|
||||||
|
|
||||||
|
defp check_object(%{"object" => object} = activity) do
|
||||||
|
with {:ok, _object} <- filter(object) do
|
||||||
|
{:ok, activity}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
defp check_object(object), do: {:ok, object}
|
||||||
|
|
||||||
@impl true
|
@impl true
|
||||||
def filter(%{"type" => "Delete", "actor" => actor} = object) do
|
def filter(%{"type" => "Delete", "actor" => actor} = object) do
|
||||||
%{host: actor_host} = URI.parse(actor)
|
%{host: actor_host} = URI.parse(actor)
|
||||||
|
@ -202,7 +210,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
|
||||||
{:ok, object} <- check_media_nsfw(actor_info, object),
|
{:ok, object} <- check_media_nsfw(actor_info, object),
|
||||||
{:ok, object} <- check_ftl_removal(actor_info, object),
|
{:ok, object} <- check_ftl_removal(actor_info, object),
|
||||||
{:ok, object} <- check_followers_only(actor_info, object),
|
{:ok, object} <- check_followers_only(actor_info, object),
|
||||||
{:ok, object} <- check_report_removal(actor_info, object) do
|
{:ok, object} <- check_report_removal(actor_info, object),
|
||||||
|
{:ok, object} <- check_object(object) do
|
||||||
{:ok, object}
|
{:ok, object}
|
||||||
else
|
else
|
||||||
{:reject, nil} -> {:reject, "[SimplePolicy]"}
|
{:reject, nil} -> {:reject, "[SimplePolicy]"}
|
||||||
|
@ -227,6 +236,19 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def filter(object) when is_binary(object) do
|
||||||
|
uri = URI.parse(object)
|
||||||
|
|
||||||
|
with {:ok, object} <- check_accept(uri, object),
|
||||||
|
{:ok, object} <- check_reject(uri, object) do
|
||||||
|
{:ok, object}
|
||||||
|
else
|
||||||
|
{:reject, nil} -> {:reject, "[SimplePolicy]"}
|
||||||
|
{:reject, _} = e -> e
|
||||||
|
_ -> {:reject, "[SimplePolicy]"}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def filter(object), do: {:ok, object}
|
def filter(object), do: {:ok, object}
|
||||||
|
|
||||||
@impl true
|
@impl true
|
||||||
|
|
|
@ -254,6 +254,30 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicyTest do
|
||||||
|
|
||||||
assert {:reject, _} = SimplePolicy.filter(remote_user)
|
assert {:reject, _} = SimplePolicy.filter(remote_user)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "reject Announce when object would be rejected" do
|
||||||
|
clear_config([:mrf_simple, :reject], ["blocked.tld"])
|
||||||
|
|
||||||
|
announce = %{
|
||||||
|
"type" => "Announce",
|
||||||
|
"actor" => "https://okay.tld/users/alice",
|
||||||
|
"object" => %{"type" => "Note", "actor" => "https://blocked.tld/users/bob"}
|
||||||
|
}
|
||||||
|
|
||||||
|
assert {:reject, _} = SimplePolicy.filter(announce)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "reject by URI object" do
|
||||||
|
clear_config([:mrf_simple, :reject], ["blocked.tld"])
|
||||||
|
|
||||||
|
announce = %{
|
||||||
|
"type" => "Announce",
|
||||||
|
"actor" => "https://okay.tld/users/alice",
|
||||||
|
"object" => "https://blocked.tld/activities/1"
|
||||||
|
}
|
||||||
|
|
||||||
|
assert {:reject, _} = SimplePolicy.filter(announce)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "when :followers_only" do
|
describe "when :followers_only" do
|
||||||
|
|
Loading…
Reference in a new issue