commit: f70d1a436b343f010b3b8d638151d746b889c01b
parent 45af48520bf605dc1fa2e28a53a327a535f8acd1
Author: Lain Soykaf <lain@lain.com>
Date: Sun, 21 Dec 2025 17:46:20 +0400
WebFingerTest: Add test for more webfinger spoofing.
Diffstat:
1 file changed, 40 insertions(+), 0 deletions(-)
diff --git a/test/pleroma/web/web_finger_test.exs b/test/pleroma/web/web_finger_test.exs
@@ -254,6 +254,46 @@ defmodule Pleroma.Web.WebFingerTest do
assert {:error, _} = WebFinger.finger("graf@fba.ryona.agency")
end
+ test "prevents forgeries even when the spoofed subject exists on the target domain" do
+ Tesla.Mock.mock(fn
+ %{url: url}
+ when url in [
+ "https://attacker.example/.well-known/host-meta",
+ "https://victim.example/.well-known/host-meta"
+ ] ->
+ {:ok, %Tesla.Env{status: 404}}
+
+ %{
+ url:
+ "https://attacker.example/.well-known/webfinger?resource=acct:alice@attacker.example"
+ } ->
+ Tesla.Mock.json(%{
+ "subject" => "acct:alice@victim.example",
+ "links" => [
+ %{
+ "rel" => "self",
+ "type" => "application/activity+json",
+ "href" => "https://attacker.example/users/alice"
+ }
+ ]
+ })
+
+ %{url: "https://victim.example/.well-known/webfinger?resource=acct:alice@victim.example"} ->
+ Tesla.Mock.json(%{
+ "subject" => "acct:alice@victim.example",
+ "links" => [
+ %{
+ "rel" => "self",
+ "type" => "application/activity+json",
+ "href" => "https://victim.example/users/alice"
+ }
+ ]
+ })
+ end)
+
+ assert {:error, _} = WebFinger.finger("alice@attacker.example")
+ end
+
test "works for correctly set up split-domain instances implementing host-meta redirect" do
{:ok, _data} = WebFinger.finger("a@pleroma.example")
{:ok, _data} = WebFinger.finger("a@sub.pleroma.example")
