Merge branch 'security/actor-containment' into 'develop'
security hotfix: actor containment. See merge request pleroma/pleroma!460
a960983815
7 changed files with 107 additions and 7 deletions
|
@ -747,7 +747,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|
|||
"type" => "Create",
|
||||
"to" => data["to"],
|
||||
"cc" => data["cc"],
|
||||
"actor" => data["attributedTo"],
|
||||
"actor" => data["actor"] || data["attributedTo"],
|
||||
"object" => data
|
||||
},
|
||||
:ok <- Transmogrifier.contain_origin(id, params),
|
||||
|
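Review bot: The changed line `"actor" => data["actor"] || data["attributedTo"]` means that when an object carries both fields and they disagree, only `actor` reaches the `Transmogrifier.contain_origin(id, params)` clause two lines below and `attributedTo` is never compared against anything; the new fixtures only cover the case where `actor` is the foreign one, so an object whose `actor` matches the id's host but whose `attributedTo` names a different actor would presumably pass, depending on what contain_origin actually compares. A cheap guard in the same `with` is to require agreement before the containment clause, e.g. `true <- is_nil(data["attributedTo"]) or data["attributedTo"] == data["actor"],`, or alternatively to run contain_origin against `attributedTo` as well. A short comment on the changed line, `# explicit actor wins; attributedTo is only a fallback, not a second identity`, would make the precedence intentional for the next reader. The enclosing function starts and ends outside the hunk.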
|
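--- a/test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json
+++ b/test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json
@@ -0,0 +1,17 @@
+{
+"@context": "https://www.w3.org/ns/activitystreams",
+"id": "https://info.pleroma.site/actor.json",
+"type": "Person",
+"following": "https://info.pleroma.site/following.json",
+"followers": "https://info.pleroma.site/followers.json",
+"inbox": "https://info.pleroma.site/inbox.json",
+"outbox": "https://info.pleroma.site/outbox.json",
+"preferredUsername": "admin",
+"name": null,
+"summary": "<p></p>",
+"publicKey": {
+"id": "https://info.pleroma.site/actor.json#main-key",
+"owner": "https://info.pleroma.site/actor.json",
+"publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtc4Tir+3ADhSNF6VKrtW\nOU32T01w7V0yshmQei38YyiVwVvFu8XOP6ACchkdxbJ+C9mZud8qWaRJKVbFTMUG\nNX4+6Q+FobyuKrwN7CEwhDALZtaN2IPbaPd6uG1B7QhWorrY+yFa8f2TBM3BxnUy\nI4T+bMIZIEYG7KtljCBoQXuTQmGtuffO0UwJksidg2ffCF5Q+K//JfQagJ3UzrR+\nZXbKMJdAw4bCVJYs4Z5EhHYBwQWiXCyMGTd7BGlmMkY6Av7ZqHKC/owp3/0EWDNz\nNqF09Wcpr3y3e8nA10X40MJqp/wR+1xtxp+YGbq/Cj5hZGBG7etFOmIpVBrDOhry\nBwIDAQAB\n-----END PUBLIC KEY-----\n"
+}
+}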
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"@context": "https://www.w3.org/ns/activitystreams",
|
||||
"actor": "https://mastodon.example.org/users/admin",
|
||||
"actor": "http://mastodon.example.org/users/admin",
|
||||
"attachment": [],
|
||||
"attributedTo": "https://mastodon.example.org/users/admin",
|
||||
"attributedTo": "http://mastodon.example.org/users/admin",
|
||||
"content": "<p>this post was not actually written by Haelwenn</p>",
|
||||
"id": "https://info.pleroma.site/activity.json",
|
||||
"published": "2018-09-01T22:15:00Z",
|
||||
|
|
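--- a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json
+++ b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json
@@ -0,0 +1,14 @@
+{
+"@context": "https://www.w3.org/ns/activitystreams",
+"attributedTo": "https://info.pleroma.site/actor.json",
+"attachment": [],
+"actor": "http://mastodon.example.org/users/admin",
+"content": "<p>this post was not actually written by Haelwenn</p>",
+"id": "https://info.pleroma.site/activity2.json",
+"published": "2018-09-01T22:15:00Z",
+"tag": [],
+"to": [
+"https://www.w3.org/ns/activitystreams#Public"
+],
+"type": "Note"
+}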
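--- a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json
+++ b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json
@@ -0,0 +1,13 @@
+{
+"@context": "https://www.w3.org/ns/activitystreams",
+"attributedTo": "http://mastodon.example.org/users/admin",
+"attachment": [],
+"content": "<p>this post was not actually written by Haelwenn</p>",
+"id": "https://info.pleroma.site/activity2.json",
+"published": "2018-09-01T22:15:00Z",
+"tag": [],
+"to": [
+"https://www.w3.org/ns/activitystreams#Public"
+],
+"type": "Note"
+}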
|
@ -40,6 +40,30 @@ defmodule HTTPoisonMock do
|
|||
}}
|
||||
end
|
||||
|
||||
def get("https://info.pleroma.site/activity2.json", _, _) do
|
||||
{:ok,
|
||||
%Response{
|
||||
status_code: 200,
|
||||
body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json")
|
||||
}}
|
||||
end
|
||||
|
||||
def get("https://info.pleroma.site/activity3.json", _, _) do
|
||||
{:ok,
|
||||
%Response{
|
||||
status_code: 200,
|
||||
body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json")
|
||||
}}
|
||||
end
|
||||
|
||||
def get("https://info.pleroma.site/actor.json", _, _) do
|
||||
{:ok,
|
||||
%Response{
|
||||
status_code: 200,
|
||||
body: File.read!("test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json")
|
||||
}}
|
||||
end
|
||||
|
||||
def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
|
||||
{:ok,
|
||||
%Response{
|
||||
|
|
|
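Review bot: The fixture path in the new `actor.json` clause, `test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json`, uses three underscores after `https` while the two `activity` clauses above it use two (`https__info.pleroma.site_activity2.json`); it works because each `File.read!` spells its own file, but the inconsistency will trip the next person adding a fixture for this host. Naming all three the same way, and the files on disk with them, would remove that trap. The three new clauses are also identical apart from URL and path, so a private `fixture_response(path)` returning the `{:ok, %Response{status_code: 200, body: File.read!(path)}}` tuple would shrink each clause to one line and keep the status code in one place. The surrounding `get/3` clauses continue outside the hunk.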
@ -872,12 +872,10 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
|
|||
end
|
||||
|
||||
test "it rejects activities which reference objects with bogus origins" do
|
||||
user = insert(:user, %{local: false})
|
||||
|
||||
data = %{
|
||||
"@context" => "https://www.w3.org/ns/activitystreams",
|
||||
"id" => user.ap_id <> "/activities/1234",
|
||||
"actor" => user.ap_id,
|
||||
"id" => "http://mastodon.example.org/users/admin/activities/1234",
|
||||
"actor" => "http://mastodon.example.org/users/admin",
|
||||
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
|
||||
"object" => "https://info.pleroma.site/activity.json",
|
||||
"type" => "Announce"
|
||||
|
@ -885,5 +883,39 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
|
|||
|
||||
:error = Transmogrifier.handle_incoming(data)
|
||||
end
|
||||
|
||||
test "it rejects objects when attributedTo is wrong (variant 1)" do
|
||||
{:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity2.json")
|
||||
end
|
||||
|
||||
test "it rejects activities which reference objects that have an incorrect attribution (variant 1)" do
|
||||
data = %{
|
||||
"@context" => "https://www.w3.org/ns/activitystreams",
|
||||
"id" => "http://mastodon.example.org/users/admin/activities/1234",
|
||||
"actor" => "http://mastodon.example.org/users/admin",
|
||||
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
|
||||
"object" => "https://info.pleroma.site/activity2.json",
|
||||
"type" => "Announce"
|
||||
}
|
||||
|
||||
:error = Transmogrifier.handle_incoming(data)
|
||||
end
|
||||
|
||||
test "it rejects objects when attributedTo is wrong (variant 2)" do
|
||||
{:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity3.json")
|
||||
end
|
||||
|
||||
test "it rejects activities which reference objects that have an incorrect attribution (variant 2)" do
|
||||
data = %{
|
||||
"@context" => "https://www.w3.org/ns/activitystreams",
|
||||
"id" => "http://mastodon.example.org/users/admin/activities/1234",
|
||||
"actor" => "http://mastodon.example.org/users/admin",
|
||||
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
|
||||
"object" => "https://info.pleroma.site/activity3.json",
|
||||
"type" => "Announce"
|
||||
}
|
||||
|
||||
:error = Transmogrifier.handle_incoming(data)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
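Review bot: The two variant-2 tests, starting at `test "it rejects objects when attributedTo is wrong (variant 2)"`, fetch `https://info.pleroma.site/activity3.json`, but the fixture the mock serves for that URL carries `"id": "https://info.pleroma.site/activity2.json"`, so the rejection may be caused by the id not matching the fetched URL rather than by the attribution check the test name describes; if that is unintended the fixture id should read `activity3.json`, and if it is intended the test name should say so. All four new tests also accept any failure, matching only `{:error, _}` or a bare `:error`, so a rejection for an unrelated reason satisfies them; asserting on the specific reason would pin the behaviour this fix introduces, if the containment path returns a distinguishable one. The `describe` or module enclosing these tests starts outside the hunk.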
|