
My custom branche(s) on git.pleroma.social/pleroma/pleroma
commit: 51435014269567d4d05e9961cd0fa884cfbbb072
parent: b471344b6361945aff94685db8d3065da0e5228a
Author: lambda <pleromagit@rogerbraun.net>
Date:   Sat, 17 Nov 2018 22:43:45 +0000

Merge branch 'security/as2-object-render-hardening' into 'develop'

activitypub: object view: avoid leaking private details

See merge request pleroma/pleroma!463

Diffstat:

Mlib/pleroma/web/activity_pub/views/object_view.ex13++++++++++++-
Mtest/web/activity_pub/views/object_view_test.exs40++++++++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/web/activity_pub/views/object_view.ex b/lib/pleroma/web/activity_pub/views/object_view.ex
@@ -10,7 +10,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectView do
     Map.merge(base, additional)
   end
 
-  def render("object.json", %{object: %Activity{} = activity}) do
+  def render("object.json", %{object: %Activity{data: %{"type" => "Create"}} = activity}) do
     base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
     object = Object.normalize(activity.data["object"])
 
@@ -20,4 +20,15 @@ defmodule Pleroma.Web.ActivityPub.ObjectView do
 
     Map.merge(base, additional)
   end
+
+  def render("object.json", %{object: %Activity{} = activity}) do
+    base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
+    object = Object.normalize(activity.data["object"])
+
+    additional =
+      Transmogrifier.prepare_object(activity.data)
+      |> Map.put("object", object.data["id"])
+
+    Map.merge(base, additional)
+  end
 end
diff --git a/test/web/activity_pub/views/object_view_test.exs b/test/web/activity_pub/views/object_view_test.exs
@@ -2,6 +2,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
   use Pleroma.DataCase
   import Pleroma.Factory
+  alias Pleroma.Web.CommonAPI
   alias Pleroma.Web.ActivityPub.ObjectView
 
   test "renders a note object" do
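Review bot: The new fallback `render("object.json", ...)` clause in the second hunk dereferences `object.data["id"]` straight after `Object.normalize(activity.data["object"])`, with no handling for a nil result; if the referenced object cannot be resolved (that depends on `Object.normalize/1`, which is outside the hunk), rendering a Like or Announce crashes instead of returning an error. The hardening also depends on clause order: the `"type" => "Create"` clause from the first hunk must stay above the generic one, and nothing in the file records why. I would add a comment above the generic clause: `# Only Create activities embed the full object; any other activity (Like, Announce, ...) exposes the object by id only, so a private post's content is not leaked through the activity that references it.` Both clauses belong to ObjectView, whose module header and remaining clauses lie outside these hunks.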
@@ -15,4 +16,43 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
     assert result["type"] == "Note"
     assert result["@context"]
   end
+
+  test "renders a note activity" do
+    note = insert(:note_activity)
+
+    result = ObjectView.render("object.json", %{object: note})
+
+    assert result["id"] == note.data["id"]
+    assert result["to"] == note.data["to"]
+    assert result["object"]["type"] == "Note"
+    assert result["object"]["content"] == note.data["object"]["content"]
+    assert result["type"] == "Create"
+    assert result["@context"]
+  end
+
+  test "renders a like activity" do
+    note = insert(:note_activity)
+    user = insert(:user)
+
+    {:ok, like_activity, _} = CommonAPI.favorite(note.id, user)
+
+    result = ObjectView.render("object.json", %{object: like_activity})
+
+    assert result["id"] == like_activity.data["id"]
+    assert result["object"] == note.data["object"]["id"]
+    assert result["type"] == "Like"
+  end
+
+  test "renders an announce activity" do
+    note = insert(:note_activity)
+    user = insert(:user)
+
+    {:ok, announce_activity, _} = CommonAPI.repeat(note.id, user)
+
+    result = ObjectView.render("object.json", %{object: announce_activity})
+
+    assert result["id"] == announce_activity.data["id"]
+    assert result["object"] == note.data["object"]["id"]
+    assert result["type"] == "Announce"
+  end
 end
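Review bot: The new like and announce tests pin `result["object"]` to the bare object id, but both build on a plain `insert(:note_activity)`, so they never exercise the case the merge request is about — an activity that references a post with restricted addressing. A variant that favorites a non-public note (using whatever restricted-visibility factory the project provides) and adds `refute is_map(result["object"])` next to the id check would make a regression that re-embeds the object visible for the right reason. The "renders a note activity" test also reads `note.data["object"]["content"]`, which presumably relies on the factory storing the full object inline in the activity data; if that representation ever changes to an id reference the assertion fails for an unrelated reason.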