logo

mastofe

My custom branche(s) on git.pleroma.social/pleroma/mastofe
commit: f7937d903c681769801e4f3edcdac7e3c71ad9cf
parent: 6b2be5dbfb73e2daf78cf050e5f24c2a8b31ece5
Author: unarist <m.unarist@gmail.com>
Date:   Fri,  1 Sep 2017 00:18:49 +0900

Don't process ActivityPub payload if signature is invalid (#4752)

* Don't process ActivityPub payload if signature is invalid

* Fix style issue

Diffstat:

Mapp/services/activitypub/process_collection_service.rb5++---
Mspec/services/activitypub/process_collection_service_spec.rb47++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/app/services/activitypub/process_collection_service.rb b/app/services/activitypub/process_collection_service.rb @@ -9,7 +9,7 @@ class ActivityPub::ProcessCollectionService < BaseService return if @account.suspended? || !supported_context? - verify_account! if different_actor? + return if different_actor? && verify_account!.nil? case @json['type'] when 'Collection', 'CollectionPage' @@ -43,7 +43,6 @@ class ActivityPub::ProcessCollectionService < BaseService end def verify_account! - account = ActivityPub::LinkedDataSignature.new(@json).verify_account! - @account = account unless account.nil? + @account = ActivityPub::LinkedDataSignature.new(@json).verify_account! end end diff --git a/spec/services/activitypub/process_collection_service_spec.rb b/spec/services/activitypub/process_collection_service_spec.rb @@ -1,10 +1,55 @@ require 'rails_helper' RSpec.describe ActivityPub::ProcessCollectionService do + let(:actor) { Fabricate(:account) } + + let(:payload) do + { + '@context': 'https://www.w3.org/ns/activitystreams', + id: 'foo', + type: 'Create', + actor: ActivityPub::TagManager.instance.uri_for(actor), + object: { + id: 'bar', + type: 'Note', + content: 'Lorem ipsum', + }, + } + end + + let(:json) { Oj.dump(payload) } + subject { described_class.new } describe '#call' do context 'when actor is the sender' - context 'when actor differs from sender' + context 'when actor differs from sender' do + let(:forwarder) { Fabricate(:account) } + + it 'processes payload with sender if no signature exists' do + expect_any_instance_of(ActivityPub::LinkedDataSignature).not_to receive(:verify_account!) + expect(ActivityPub::Activity).to receive(:factory).with(instance_of(Hash), forwarder) + + subject.call(json, forwarder) + end + + it 'processes payload with actor if valid signature exists' do + payload['signature'] = {'type' => 'RsaSignature2017'} + + expect_any_instance_of(ActivityPub::LinkedDataSignature).to receive(:verify_account!).and_return(actor) + expect(ActivityPub::Activity).to receive(:factory).with(instance_of(Hash), actor) + + subject.call(json, forwarder) + end + + it 'does not process payload if invalid signature exists' do + payload['signature'] = {'type' => 'RsaSignature2017'} + + expect_any_instance_of(ActivityPub::LinkedDataSignature).to receive(:verify_account!).and_return(nil) + expect(ActivityPub::Activity).not_to receive(:factory) + + subject.call(json, forwarder) + end + end end end