commit: a960983815b8798632fc489b762f760738cf798b
parent: 05967472f296fc782c15f0d8ebbeaeadb03b0f8c
Author: lambda <pleromagit@rogerbraun.net>
Date:   Sat, 17 Nov 2018 18:33:09 +0000

Merge branch 'security/actor-containment' into 'develop'

security hotfix: actor containment

See merge request pleroma/pleroma!460

Diffstat:

Mlib/pleroma/web/activity_pub/activity_pub.ex2+-
Atest/fixtures/httpoison_mock/https___info.pleroma.site_actor.json17+++++++++++++++++
Mtest/fixtures/httpoison_mock/https__info.pleroma.site_activity.json4++--
Atest/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json14++++++++++++++
Atest/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json13+++++++++++++
Mtest/support/httpoison_mock.ex24++++++++++++++++++++++++
Mtest/web/activity_pub/transmogrifier_test.exs40++++++++++++++++++++++++++++++++++++----
7 files changed, 107 insertions(+), 7 deletions(-)

diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -747,7 +747,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
 "type" => "Create",
 "to" => data["to"],
 "cc" => data["cc"],
- "actor" => data["attributedTo"],
+ "actor" => data["actor"] || data["attributedTo"],
 "object" => data
 },
 :ok <- Transmogrifier.contain_origin(id, params),
diff --git a/test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json b/test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json
@@ -0,0 +1,17 @@
+{
+ "@context": "https://www.w3.org/ns/activitystreams",
+ "id": "https://info.pleroma.site/actor.json",
+ "type": "Person",
+ "following": "https://info.pleroma.site/following.json",
+ "followers": "https://info.pleroma.site/followers.json",
+ "inbox": "https://info.pleroma.site/inbox.json",
+ "outbox": "https://info.pleroma.site/outbox.json",
+ "preferredUsername": "admin",
+ "name": null,
+ "summary": "<p></p>",
+ "publicKey": {
+ "id": "https://info.pleroma.site/actor.json#main-key",
+ "owner": "https://info.pleroma.site/actor.json",
+ "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtc4Tir+3ADhSNF6VKrtW\nOU32T01w7V0yshmQei38YyiVwVvFu8XOP6ACchkdxbJ+C9mZud8qWaRJKVbFTMUG\nNX4+6Q+FobyuKrwN7CEwhDALZtaN2IPbaPd6uG1B7QhWorrY+yFa8f2TBM3BxnUy\nI4T+bMIZIEYG7KtljCBoQXuTQmGtuffO0UwJksidg2ffCF5Q+K//JfQagJ3UzrR+\nZXbKMJdAw4bCVJYs4Z5EhHYBwQWiXCyMGTd7BGlmMkY6Av7ZqHKC/owp3/0EWDNz\nNqF09Wcpr3y3e8nA10X40MJqp/wR+1xtxp+YGbq/Cj5hZGBG7etFOmIpVBrDOhry\nBwIDAQAB\n-----END PUBLIC KEY-----\n"
+ }
+}
diff --git a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json
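Review bot: Only one of the two attribution fields reaches the containment check: with `"actor" => data["actor"] || data["attributedTo"]`, an object that carries both fields has its `attributedTo` ignored by `contain_origin(id, params)`, while the untouched `data` — `attributedTo` included — is still handed on via `"object" => data`. The new fixtures cover an off-origin `actor` with an on-origin `attributedTo`; the reverse case (on-origin `actor`, `attributedTo` pointing elsewhere) is not rejected by anything in this hunk, assuming `contain_origin/2` reads only `params["actor"]`. If both fields are meant to be trusted downstream, check both when present, e.g. a further clause `:ok <- Transmogrifier.contain_origin(id, %{"actor" => data["attributedTo"] || params["actor"]})` (if `contain_origin/2` accepts any map with an `"actor"` key), or at least a comment on the `||` line saying that `actor` is authoritative and `attributedTo` is only the fallback for objects without one. The enclosing `with` and its function start and end outside the hunk.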
@@ -1,8 +1,8 @@
 {
 "@context": "https://www.w3.org/ns/activitystreams",
- "actor": "https://mastodon.example.org/users/admin",
+ "actor": "http://mastodon.example.org/users/admin",
 "attachment": [],
- "attributedTo": "https://mastodon.example.org/users/admin",
+ "attributedTo": "http://mastodon.example.org/users/admin",
 "content": "<p>this post was not actually written by Haelwenn</p>",
 "id": "https://info.pleroma.site/activity.json",
 "published": "2018-09-01T22:15:00Z",
diff --git a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json
@@ -0,0 +1,14 @@
+{
+ "@context": "https://www.w3.org/ns/activitystreams",
+ "attributedTo": "https://info.pleroma.site/actor.json",
+ "attachment": [],
+ "actor": "http://mastodon.example.org/users/admin",
+ "content": "<p>this post was not actually written by Haelwenn</p>",
+ "id": "https://info.pleroma.site/activity2.json",
+ "published": "2018-09-01T22:15:00Z",
+ "tag": [],
+ "to": [
+ "https://www.w3.org/ns/activitystreams#Public"
+ ],
+ "type": "Note"
+}
diff --git a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json
@@ -0,0 +1,13 @@
+{
+ "@context": "https://www.w3.org/ns/activitystreams",
+ "attributedTo": "http://mastodon.example.org/users/admin",
+ "attachment": [],
+ "content": "<p>this post was not actually written by Haelwenn</p>",
+ "id": "https://info.pleroma.site/activity2.json",
+ "published": "2018-09-01T22:15:00Z",
+ "tag": [],
+ "to": [
+ "https://www.w3.org/ns/activitystreams#Public"
+ ],
+ "type": "Note"
+}
diff --git a/test/support/httpoison_mock.ex b/test/support/httpoison_mock.ex
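Review bot: The `id` in the new `activity3.json` fixture is `https://info.pleroma.site/activity2.json`, but `httpoison_mock.ex` in this commit serves the file for `https://info.pleroma.site/activity3.json`, so the object's `id` does not match the URL it is fetched from. If `fetch_object_from_id` compares the returned `id` with the requested URL, the "variant 2" tests in `transmogrifier_test.exs` would pass because of that mismatch rather than because of the off-origin `attributedTo` the test names describe. Changing the line to `"id": "https://info.pleroma.site/activity3.json",` keeps those tests exercising only the attribution check.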
@@ -40,6 +40,30 @@ defmodule HTTPoisonMock do
 }}
 end
+ def get("https://info.pleroma.site/activity2.json", _, _) do
+ {:ok,
+ %Response{
+ status_code: 200,
+ body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json")
+ }}
+ end
+
+ def get("https://info.pleroma.site/activity3.json", _, _) do
+ {:ok,
+ %Response{
+ status_code: 200,
+ body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json")
+ }}
+ end
+
+ def get("https://info.pleroma.site/actor.json", _, _) do
+ {:ok,
+ %Response{
+ status_code: 200,
+ body: File.read!("test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json")
+ }}
+ end
+
 def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
 {:ok,
 %Response{
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
@@ -872,12 +872,10 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 end
 test "it rejects activities which reference objects with bogus origins" do
- user = insert(:user, %{local: false})
-
 data = %{
 "@context" => "https://www.w3.org/ns/activitystreams",
- "id" => user.ap_id <> "/activities/1234",
- "actor" => user.ap_id,
+ "id" => "http://mastodon.example.org/users/admin/activities/1234",
+ "actor" => "http://mastodon.example.org/users/admin",
 "to" => ["https://www.w3.org/ns/activitystreams#Public"],
 "object" => "https://info.pleroma.site/activity.json",
 "type" => "Announce"
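Review bot: The fixture path on the `actor.json` clause is spelled `https___info.pleroma.site_actor.json` (three underscores) while the two activity fixtures added in the same commit use `https__info.pleroma.site_...` (two); unless the repository already uses the three-underscore form for actor fixtures, one of the two spellings is a typo waiting to break a `File.read!`. The three new `get/3` clauses are otherwise identical apart from URL and path, so a small private helper such as `defp fixture(name), do: File.read!("test/fixtures/httpoison_mock/" <> name)` would remove the repeated `%Response{status_code: 200, body: ...}` literal and make a naming mismatch easier to spot. The neighbouring `get/3` clauses begin and end outside the hunk.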
@@ -885,5 +883,39 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 :error = Transmogrifier.handle_incoming(data)
 end
+
+ test "it rejects objects when attributedTo is wrong (variant 1)" do
+ {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity2.json")
+ end
+
+ test "it rejects activities which reference objects that have an incorrect attribution (variant 1)" do
+ data = %{
+ "@context" => "https://www.w3.org/ns/activitystreams",
+ "id" => "http://mastodon.example.org/users/admin/activities/1234",
+ "actor" => "http://mastodon.example.org/users/admin",
+ "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+ "object" => "https://info.pleroma.site/activity2.json",
+ "type" => "Announce"
+ }
+
+ :error = Transmogrifier.handle_incoming(data)
+ end
+
+ test "it rejects objects when attributedTo is wrong (variant 2)" do
+ {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity3.json")
+ end
+
+ test "it rejects activities which reference objects that have an incorrect attribution (variant 2)" do
+ data = %{
+ "@context" => "https://www.w3.org/ns/activitystreams",
+ "id" => "http://mastodon.example.org/users/admin/activities/1234",
+ "actor" => "http://mastodon.example.org/users/admin",
+ "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+ "object" => "https://info.pleroma.site/activity3.json",
+ "type" => "Announce"
+ }
+
+ :error = Transmogrifier.handle_incoming(data)
+ end
 end
 end
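Review bot: The two `fetch_object_from_id` tests match `{:error, _}` and discard the reason, so any failure — a mock miss, a JSON decode error, an unrelated validation — satisfies them, not only the origin rejection their names describe. Pin the reason that the containment check produces on mismatch (whatever `Transmogrifier.contain_origin/2` returns; it is not visible in this hunk) with `assert {:error, reason} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity2.json")` followed by a match on that reason, and likewise for the variant-2 test. The two `handle_incoming` tests differ only in the `"object"` URL, so a `for url <- [...]` loop or a shared `data` builder would keep them from drifting apart as further variants are added. The enclosing `describe`/module header lies outside the hunk.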