Commit e416469a authored by kaniini's avatar kaniini

Merge branch 'security/activitypub-reject-bogus-ids' into 'develop'

security: activitypub: reject activities with bogus ids

See merge request pleroma/pleroma!286
parents 643f3735 a909fe45
......@@ -177,6 +177,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
def fix_content_map(object), do: object
# disallow objects with bogus IDs
def handle_incoming(%{"id" => nil}), do: :error
def handle_incoming(%{"id" => ""}), do: :error
# length of https:// = 8, should validate better, but good enough for now.
def handle_incoming(%{"id" => id}) when not (is_binary(id) and length(id) > 8), do: :error
# TODO: validate those with a Ecto scheme
# - tags
# - emoji
......@@ -615,6 +615,18 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
assert User.following?(follower, followed) == false
test "it rejects activities without a valid ID" do
user = insert(:user)
data =!("test/fixtures/mastodon-follow-activity.json")
|> Poison.decode!()
|> Map.put("object", user.ap_id)
|> Map.put("id", "")
:error = Transmogrifier.handle_incoming(data)
describe "prepare outgoing" do
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment