commit: e416469a409e6ff4bea84da40a5af43fe532a2ce
parent: 643f373514081864814930807432dc0740694c69
Author: kaniini <nenolod@gmail.com>
Date: Thu, 23 Aug 2018 01:39:08 +0000
Merge branch 'security/activitypub-reject-bogus-ids' into 'develop'
security: activitypub: reject activities with bogus ids
See merge request pleroma/pleroma!286
Diffstat:
2 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
@@ -177,6 +177,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
def fix_content_map(object), do: object
+ # disallow objects with bogus IDs
+ def handle_incoming(%{"id" => nil}), do: :error
+ def handle_incoming(%{"id" => ""}), do: :error
+ # length of https:// = 8, should validate better, but good enough for now.
+ def handle_incoming(%{"id" => id}) when not (is_binary(id) and length(id) > 8), do: :error
+
# TODO: validate those with a Ecto scheme
# - tags
# - emoji
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
@@ -615,6 +615,18 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
assert User.following?(follower, followed) == false
end
+
+ test "it rejects activities without a valid ID" do
+ user = insert(:user)
+
+ data =
+ File.read!("test/fixtures/mastodon-follow-activity.json")
+ |> Poison.decode!()
+ |> Map.put("object", user.ap_id)
+ |> Map.put("id", "")
+
+ :error = Transmogrifier.handle_incoming(data)
+ end
end
describe "prepare outgoing" do