logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma

containment_test.exs (3752B)


  1. # Pleroma: A lightweight social networking server
  2. # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
  3. # SPDX-License-Identifier: AGPL-3.0-only
  4. defmodule Pleroma.Object.ContainmentTest do
  5. use Pleroma.DataCase
  6. alias Pleroma.Object.Containment
  7. alias Pleroma.User
  8. import Pleroma.Factory
  9. import ExUnit.CaptureLog
  10. setup_all do
  11. Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end)
  12. :ok
  13. end
  14. describe "general origin containment" do
  15. test "works for completely actorless posts" do
  16. assert :error ==
  17. Containment.contain_origin("https://glaceon.social/users/monorail", %{
  18. "deleted" => "2019-10-30T05:48:50.249606Z",
  19. "formerType" => "Note",
  20. "id" => "https://glaceon.social/users/monorail/statuses/103049757364029187",
  21. "type" => "Tombstone"
  22. })
  23. end
  24. test "contain_origin_from_id() catches obvious spoofing attempts" do
  25. data = %{
  26. "id" => "http://example.com/~alyssa/activities/1234.json"
  27. }
  28. :error =
  29. Containment.contain_origin_from_id(
  30. "http://example.org/~alyssa/activities/1234.json",
  31. data
  32. )
  33. end
  34. test "contain_origin_from_id() allows alternate IDs within the same origin domain" do
  35. data = %{
  36. "id" => "http://example.com/~alyssa/activities/1234.json"
  37. }
  38. :ok =
  39. Containment.contain_origin_from_id(
  40. "http://example.com/~alyssa/activities/1234",
  41. data
  42. )
  43. end
  44. test "contain_origin_from_id() allows matching IDs" do
  45. data = %{
  46. "id" => "http://example.com/~alyssa/activities/1234.json"
  47. }
  48. :ok =
  49. Containment.contain_origin_from_id(
  50. "http://example.com/~alyssa/activities/1234.json",
  51. data
  52. )
  53. end
  54. test "users cannot be collided through fake direction spoofing attempts" do
  55. _user =
  56. insert(:user, %{
  57. nickname: "rye@niu.moe",
  58. local: false,
  59. ap_id: "https://niu.moe/users/rye",
  60. follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"})
  61. })
  62. assert capture_log(fn ->
  63. {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")
  64. end) =~
  65. "[error] Could not decode user at fetch https://n1u.moe/users/rye"
  66. end
  67. test "contain_origin_from_id() gracefully handles cases where no ID is present" do
  68. data = %{
  69. "type" => "Create",
  70. "object" => %{
  71. "id" => "http://example.net/~alyssa/activities/1234",
  72. "attributedTo" => "http://example.org/~alyssa"
  73. },
  74. "actor" => "http://example.com/~bob"
  75. }
  76. :error =
  77. Containment.contain_origin_from_id("http://example.net/~alyssa/activities/1234", data)
  78. end
  79. end
  80. describe "containment of children" do
  81. test "contain_child() catches spoofing attempts" do
  82. data = %{
  83. "id" => "http://example.com/whatever",
  84. "type" => "Create",
  85. "object" => %{
  86. "id" => "http://example.net/~alyssa/activities/1234",
  87. "attributedTo" => "http://example.org/~alyssa"
  88. },
  89. "actor" => "http://example.com/~bob"
  90. }
  91. :error = Containment.contain_child(data)
  92. end
  93. test "contain_child() allows correct origins" do
  94. data = %{
  95. "id" => "http://example.org/~alyssa/activities/5678",
  96. "type" => "Create",
  97. "object" => %{
  98. "id" => "http://example.org/~alyssa/activities/1234",
  99. "attributedTo" => "http://example.org/~alyssa"
  100. },
  101. "actor" => "http://example.org/~alyssa"
  102. }
  103. :ok = Containment.contain_child(data)
  104. end
  105. end
  106. end