Update spoofed activity test
Turns out we already had a test for activities spoofed via upload due to an exploit several years. Back then *oma did not verify content-type at all and doing so was the only adopted countermeasure. Even the added test sample though suffered from a mismatching id, yet nobody seems to have thought it a good idea to tighten id checks, huh Since we will add stricter id checks later, make id and URL match and also add a testcase for no content type at all. The new section will be expanded in subsequent commits.
This commit is contained in:
parent
2bcf633dc2
commit
baaeffdebc
1 changed files with 43 additions and 10 deletions
|
@ -14,6 +14,17 @@ defmodule Pleroma.Object.FetcherTest do
|
|||
import Mock
|
||||
import Tesla.Mock
|
||||
|
||||
defp spoofed_object_with_ids(
|
||||
id \\ "https://patch.cx/objects/spoof",
|
||||
actor_id \\ "https://patch.cx/users/rin"
|
||||
) do
|
||||
File.read!("test/fixtures/spoofed-object.json")
|
||||
|> Jason.decode!()
|
||||
|> Map.put("id", id)
|
||||
|> Map.put("actor", actor_id)
|
||||
|> Jason.encode!()
|
||||
end
|
||||
|
||||
setup do
|
||||
mock(fn
|
||||
%{method: :get, url: "https://mastodon.example.org/users/userisgone"} ->
|
||||
|
@ -22,15 +33,28 @@ defmodule Pleroma.Object.FetcherTest do
|
|||
%{method: :get, url: "https://mastodon.example.org/users/userisgone404"} ->
|
||||
%Tesla.Env{status: 404}
|
||||
|
||||
# Spoof: wrong Content-Type
|
||||
%{
|
||||
method: :get,
|
||||
url:
|
||||
"https://patch.cx/media/03ca3c8b4ac3ddd08bf0f84be7885f2f88de0f709112131a22d83650819e36c2.json"
|
||||
url: "https://patch.cx/objects/spoof_content_type.json"
|
||||
} ->
|
||||
%Tesla.Env{
|
||||
status: 200,
|
||||
url: "https://patch.cx/objects/spoof_content_type.json",
|
||||
headers: [{"content-type", "application/json"}],
|
||||
body: File.read!("test/fixtures/spoofed-object.json")
|
||||
body: spoofed_object_with_ids("https://patch.cx/objects/spoof_content_type.json")
|
||||
}
|
||||
|
||||
# Spoof: no Content-Type
|
||||
%{
|
||||
method: :get,
|
||||
url: "https://patch.cx/objects/spoof_content_type"
|
||||
} ->
|
||||
%Tesla.Env{
|
||||
status: 200,
|
||||
url: "https://patch.cx/objects/spoof_content_type",
|
||||
headers: [],
|
||||
body: spoofed_object_with_ids("https://patch.cx/objects/spoof_content_type")
|
||||
}
|
||||
|
||||
env ->
|
||||
|
@ -129,6 +153,22 @@ defmodule Pleroma.Object.FetcherTest do
|
|||
end
|
||||
end
|
||||
|
||||
describe "fetcher security and auth checks" do
|
||||
test "it does not fetch a spoofed object without content type" do
|
||||
assert {:error, {:content_type, nil}} =
|
||||
Fetcher.fetch_and_contain_remote_object_from_id(
|
||||
"https://patch.cx/objects/spoof_content_type"
|
||||
)
|
||||
end
|
||||
|
||||
test "it does not fetch a spoofed object with wrong content type" do
|
||||
assert {:error, {:content_type, _}} =
|
||||
Fetcher.fetch_and_contain_remote_object_from_id(
|
||||
"https://patch.cx/objects/spoof_content_type.json"
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
describe "fetching an object" do
|
||||
test "it fetches an object" do
|
||||
{:ok, object} =
|
||||
|
@ -155,13 +195,6 @@ defmodule Pleroma.Object.FetcherTest do
|
|||
)
|
||||
end
|
||||
|
||||
test "it does not fetch a spoofed object uploaded on an instance as an attachment" do
|
||||
assert {:error, _} =
|
||||
Fetcher.fetch_object_from_id(
|
||||
"https://patch.cx/media/03ca3c8b4ac3ddd08bf0f84be7885f2f88de0f709112131a22d83650819e36c2.json"
|
||||
)
|
||||
end
|
||||
|
||||
test "does not fetch anything from a rejected instance" do
|
||||
clear_config([:mrf_simple, :reject], [{"evil.example.org", "i said so"}])
|
||||
|
||||
|
|
Loading…
Reference in a new issue