Commit a9609838 authored by lain

Merge branch 'security/actor-containment' into 'develop'

security hotfix: actor containment

See merge request pleroma/pleroma!460
parents 05967472 b483ae0a
...@@ -747,7 +747,7 @@ def fetch_object_from_id(id) do ...@@ -747,7 +747,7 @@ def fetch_object_from_id(id) do
"type" => "Create", "type" => "Create",
"to" => data["to"], "to" => data["to"],
"cc" => data["cc"], "cc" => data["cc"],
"actor" => data["attributedTo"], "actor" => data["actor"] || data["attributedTo"],
"object" => data "object" => data
}, },
:ok <- Transmogrifier.contain_origin(id, params), :ok <- Transmogrifier.contain_origin(id, params),
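Review bot: The containment on the last line of this hunk only sees the single actor value chosen on the line above — `data["actor"]` when present, otherwise `data["attributedTo"]` — so an object whose `actor` sits on the same origin as `id` while its `attributedTo` points elsewhere still passes `contain_origin`. If the author of the wrapped object is later read from `attributedTo` (not visible in this hunk), the check should cover that field as well whenever it is set, for example by additionally running contain_origin against `%{"actor" => data["attributedTo"]}` when `data["attributedTo"]` is present. The new tests in transmogrifier_test.exs exercise only the inverse combinations: activity2.json has a foreign `actor` with a same-origin `attributedTo`, and activity3.json has a foreign `attributedTo` with no `actor`, so a fixture with a same-origin `actor` and a foreign `attributedTo` would close the gap. A short comment on the `||` line, such as `# fall back to attributedTo for objects that carry no actor field`, would record why the fallback exists. fetch_object_from_id begins and ends outside this hunk.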
......
{
"@context": "https://www.w3.org/ns/activitystreams",
"id": "https://info.pleroma.site/actor.json",
"type": "Person",
"following": "https://info.pleroma.site/following.json",
"followers": "https://info.pleroma.site/followers.json",
"inbox": "https://info.pleroma.site/inbox.json",
"outbox": "https://info.pleroma.site/outbox.json",
"preferredUsername": "admin",
"name": null,
"summary": "<p></p>",
"publicKey": {
"id": "https://info.pleroma.site/actor.json#main-key",
"owner": "https://info.pleroma.site/actor.json",
"publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtc4Tir+3ADhSNF6VKrtW\nOU32T01w7V0yshmQei38YyiVwVvFu8XOP6ACchkdxbJ+C9mZud8qWaRJKVbFTMUG\nNX4+6Q+FobyuKrwN7CEwhDALZtaN2IPbaPd6uG1B7QhWorrY+yFa8f2TBM3BxnUy\nI4T+bMIZIEYG7KtljCBoQXuTQmGtuffO0UwJksidg2ffCF5Q+K//JfQagJ3UzrR+\nZXbKMJdAw4bCVJYs4Z5EhHYBwQWiXCyMGTd7BGlmMkY6Av7ZqHKC/owp3/0EWDNz\nNqF09Wcpr3y3e8nA10X40MJqp/wR+1xtxp+YGbq/Cj5hZGBG7etFOmIpVBrDOhry\nBwIDAQAB\n-----END PUBLIC KEY-----\n"
}
}
{ {
"@context": "https://www.w3.org/ns/activitystreams", "@context": "https://www.w3.org/ns/activitystreams",
"actor": "https://mastodon.example.org/users/admin", "actor": "http://mastodon.example.org/users/admin",
"attachment": [], "attachment": [],
"attributedTo": "https://mastodon.example.org/users/admin", "attributedTo": "http://mastodon.example.org/users/admin",
"content": "<p>this post was not actually written by Haelwenn</p>", "content": "<p>this post was not actually written by Haelwenn</p>",
"id": "https://info.pleroma.site/activity.json", "id": "https://info.pleroma.site/activity.json",
"published": "2018-09-01T22:15:00Z", "published": "2018-09-01T22:15:00Z",
......
{
"@context": "https://www.w3.org/ns/activitystreams",
"attributedTo": "https://info.pleroma.site/actor.json",
"attachment": [],
"actor": "http://mastodon.example.org/users/admin",
"content": "<p>this post was not actually written by Haelwenn</p>",
"id": "https://info.pleroma.site/activity2.json",
"published": "2018-09-01T22:15:00Z",
"tag": [],
"to": [
"https://www.w3.org/ns/activitystreams#Public"
],
"type": "Note"
}
{
"@context": "https://www.w3.org/ns/activitystreams",
"attributedTo": "http://mastodon.example.org/users/admin",
"attachment": [],
"content": "<p>this post was not actually written by Haelwenn</p>",
"id": "https://info.pleroma.site/activity2.json",
"published": "2018-09-01T22:15:00Z",
"tag": [],
"to": [
"https://www.w3.org/ns/activitystreams#Public"
],
"type": "Note"
}
...@@ -40,6 +40,30 @@ def get("https://info.pleroma.site/activity.json", _, _) do ...@@ -40,6 +40,30 @@ def get("https://info.pleroma.site/activity.json", _, _) do
}} }}
end end
def get("https://info.pleroma.site/activity2.json", _, _) do
{:ok,
%Response{
status_code: 200,
body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity2.json")
}}
end
def get("https://info.pleroma.site/activity3.json", _, _) do
{:ok,
%Response{
status_code: 200,
body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity3.json")
}}
end
def get("https://info.pleroma.site/actor.json", _, _) do
{:ok,
%Response{
status_code: 200,
body: File.read!("test/fixtures/httpoison_mock/https___info.pleroma.site_actor.json")
}}
end
def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
{:ok, {:ok,
%Response{ %Response{
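Review bot: The three new fixture paths do not follow one naming pattern: the two activity fixtures use `https__info.pleroma.site_…` while the actor fixture uses `https___info.pleroma.site_actor.json` with a third underscore. If these match the real file names it works, but the inconsistency invites a typo the next time a fixture is added; settling on one scheme, e.g. `https___info.pleroma.site_activity2.json` and `https___info.pleroma.site_activity3.json`, and renaming the files to match would keep the mock readable. The new clauses also ignore the headers argument with `_, _`, unlike the following `puckipedia.com` clause which matches `[Accept: "application/activity+json"]`; that is acceptable for these tests but deserves a one-line comment if the asymmetry is intentional.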
......
...@@ -872,12 +872,10 @@ test "it rejects objects with a bogus origin" do ...@@ -872,12 +872,10 @@ test "it rejects objects with a bogus origin" do
end end
test "it rejects activities which reference objects with bogus origins" do test "it rejects activities which reference objects with bogus origins" do
user = insert(:user, %{local: false})
data = %{ data = %{
"@context" => "https://www.w3.org/ns/activitystreams", "@context" => "https://www.w3.org/ns/activitystreams",
"id" => user.ap_id <> "/activities/1234", "id" => "http://mastodon.example.org/users/admin/activities/1234",
"actor" => user.ap_id, "actor" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"], "to" => ["https://www.w3.org/ns/activitystreams#Public"],
"object" => "https://info.pleroma.site/activity.json", "object" => "https://info.pleroma.site/activity.json",
"type" => "Announce" "type" => "Announce"
...@@ -885,5 +883,39 @@ test "it rejects activities which reference objects with bogus origins" do ...@@ -885,5 +883,39 @@ test "it rejects activities which reference objects with bogus origins" do
:error = Transmogrifier.handle_incoming(data) :error = Transmogrifier.handle_incoming(data)
end end
test "it rejects objects when attributedTo is wrong (variant 1)" do
{:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity2.json")
end
test "it rejects activities which reference objects that have an incorrect attribution (variant 1)" do
data = %{
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "http://mastodon.example.org/users/admin/activities/1234",
"actor" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"object" => "https://info.pleroma.site/activity2.json",
"type" => "Announce"
}
:error = Transmogrifier.handle_incoming(data)
end
test "it rejects objects when attributedTo is wrong (variant 2)" do
{:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity3.json")
end
test "it rejects activities which reference objects that have an incorrect attribution (variant 2)" do
data = %{
"@context" => "https://www.w3.org/ns/activitystreams",
"id" => "http://mastodon.example.org/users/admin/activities/1234",
"actor" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"object" => "https://info.pleroma.site/activity3.json",
"type" => "Announce"
}
:error = Transmogrifier.handle_incoming(data)
end
end end
end end
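Review bot: The test name at `test "it rejects objects when attributedTo is wrong (variant 1)"` does not describe what the fixture appears to exercise: activity2.json in this commit has `attributedTo` on the same origin as its `id` and a foreign `actor`, so it is the `actor` field that is wrong there, assuming that fixture is the one the mock serves for activity2.json. Renaming it to `test "it rejects objects when actor is wrong and attributedTo is correct" do` (and its Announce counterpart accordingly) keeps the test names reliable as documentation of which containment rule each one covers. The four new tests also repeat the same Announce map with only `"object"` differing; a private helper such as `announce_of(object_id)` that builds the map would reduce each test to a single assertion. The enclosing test module starts outside this section.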