commit: 509d8058d99d7455155b6e7fad83fed28f2ae02d
parent: 93701c3399add8af2d4a5d43b6f171d84655a533
Author: kaniini <ariadne@dereferenced.org>
Date: Sun, 14 Jul 2019 19:24:39 +0000
Merge branch 'security/ir-generic-containment' into 'develop'
security: IR-based generic object containment
See merge request pleroma/pleroma!1417
Diffstat:
5 files changed, 46 insertions(+), 0 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -42,6 +42,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Admin API: changed json structure for saving config settings.
- RichMedia: parsers and their order are configured in `rich_media` config.
+## [1.0.1] - 2019-07-14
+### Security
+- OStatus: fix an object spoofing vulnerability.
+
## [1.0.0] - 2019-06-29
### Security
- Mastodon API: Fix display names not being sanitized
diff --git a/lib/pleroma/object/containment.ex b/lib/pleroma/object/containment.ex
@@ -48,6 +48,9 @@ defmodule Pleroma.Object.Containment do
end
end
+ def contain_origin(id, %{"attributedTo" => actor} = params),
+ do: contain_origin(id, Map.put(params, "actor", actor))
+
def contain_origin_from_id(_id, %{"id" => nil}), do: :error
def contain_origin_from_id(id, %{"id" => other_id} = _params) do
@@ -60,4 +63,9 @@ defmodule Pleroma.Object.Containment do
:error
end
end
+
+ def contain_child(%{"object" => %{"id" => id, "attributedTo" => _} = object}),
+ do: contain_origin(id, object)
+
+ def contain_child(_), do: :ok
end
diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -8,6 +8,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
alias Pleroma.Conversation
alias Pleroma.Notification
alias Pleroma.Object
+ alias Pleroma.Object.Containment
alias Pleroma.Object.Fetcher
alias Pleroma.Pagination
alias Pleroma.Repo
@@ -126,6 +127,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
{:ok, map} <- MRF.filter(map),
{recipients, _, _} = get_recipients(map),
{:fake, false, map, recipients} <- {:fake, fake, map, recipients},
+ :ok <- Containment.contain_child(map),
{:ok, map, object} <- insert_full_object(map) do
{:ok, activity} =
Repo.insert(%Activity{
diff --git a/test/object/containment_test.exs b/test/object/containment_test.exs
@@ -68,4 +68,34 @@ defmodule Pleroma.Object.ContainmentTest do
"[error] Could not decode user at fetch https://n1u.moe/users/rye, {:error, :error}"
end
end
+
+ describe "containment of children" do
+ test "contain_child() catches spoofing attempts" do
+ data = %{
+ "id" => "http://example.com/whatever",
+ "type" => "Create",
+ "object" => %{
+ "id" => "http://example.net/~alyssa/activities/1234",
+ "attributedTo" => "http://example.org/~alyssa"
+ },
+ "actor" => "http://example.com/~bob"
+ }
+
+ :error = Containment.contain_child(data)
+ end
+
+ test "contain_child() allows correct origins" do
+ data = %{
+ "id" => "http://example.org/~alyssa/activities/5678",
+ "type" => "Create",
+ "object" => %{
+ "id" => "http://example.org/~alyssa/activities/1234",
+ "attributedTo" => "http://example.org/~alyssa"
+ },
+ "actor" => "http://example.org/~alyssa"
+ }
+
+ :ok = Containment.contain_child(data)
+ end
+ end
end
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
@@ -416,6 +416,7 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
|> Map.put("attributedTo", user.ap_id)
|> Map.put("to", ["https://www.w3.org/ns/activitystreams#Public"])
|> Map.put("cc", [])
+ |> Map.put("id", user.ap_id <> "/activities/12345678")
data = Map.put(data, "object", object)
@@ -439,6 +440,7 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
|> Map.put("attributedTo", user.ap_id)
|> Map.put("to", nil)
|> Map.put("cc", nil)
+ |> Map.put("id", user.ap_id <> "/activities/12345678")
data = Map.put(data, "object", object)
