Commit dfcfb184, authored Nov 17, 2018 by kaniini
activitypub: transmogrifier: make deletes secure
parent b1a6e8d8
Pipeline #4548 failed with stages in 3 minutes and 5 seconds
lib/pleroma/web/activity_pub/transmogrifier.ex
...
...
@@ -467,15 +467,20 @@ def handle_incoming(
end
end
# TODO: Make secure.
# TODO: We presently assume that any actor on the same origin domain as the object being
# deleted has the rights to delete that object. A better way to validate whether or not
# the object should be deleted is to refetch the object URI, which should return either
# an error or a tombstone. This would allow us to verify that a deletion actually took
# place.
def
handle_incoming
(
%{
"type"
=>
"Delete"
,
"object"
=>
object_id
,
"actor"
=>
actor
,
"id"
=>
_id
}
=
data
%{
"type"
=>
"Delete"
,
"object"
=>
object_id
,
"actor"
=>
_
actor
,
"id"
=>
_id
}
=
data
)
do
object_id
=
Utils
.
get_ap_id
(
object_id
)
with
actor
<-
get_actor
(
data
),
%
User
{}
=
_
actor
<-
User
.
get_or_fetch_by_ap_id
(
actor
),
%
User
{}
=
actor
<-
User
.
get_or_fetch_by_ap_id
(
actor
),
{
:ok
,
object
}
<-
get_obj_helper
(
object_id
)
||
fetch_obj_helper
(
object_id
),
:ok
<-
contain_origin
(
actor
.
ap_id
,
object
.
data
),
{
:ok
,
activity
}
<-
ActivityPub
.
delete
(
object
,
false
)
do
{
:ok
,
activity
}
else
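Review bot: the new `:ok <- contain_origin(actor.ap_id, object.data)` clause only ties the deleting actor to the origin domain of the object, and the rewritten comment already concedes that any actor on that domain is then allowed to delete the object; the stronger check the comment describes (refetch the object URI and accept the Delete only on an error or a tombstone) is not implemented in this hunk, so the TODO should stay open or be tracked rather than read as resolved by the commit title "make deletes secure". Two smaller points in the `with` chain: `actor <- get_actor(data)` binds a bare variable, so it can never fall through to `else`, and a missing or malformed actor is only caught one clause later in `User.get_or_fetch_by_ap_id(actor)`; and `{:ok, object} <- get_obj_helper(object_id) || fetch_obj_helper(object_id)` runs before the origin check, so a Delete that will be rejected can still trigger a remote fetch of an object this instance has never seen. Consider comparing the origin of `object_id` with the actor before the fetch so that spoofed Deletes cost nothing beyond the pattern match.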
...
...
test/web/activity_pub/transmogrifier_test.exs
...
...
@@ -361,6 +361,26 @@ test "it works for incoming deletes" do
refute
Repo
.
get
(
Activity
,
activity
.
id
)
end
test
"it fails for incoming deletes with spoofed origin"
do
activity
=
insert
(
:note_activity
)
data
=
File
.
read!
(
"test/fixtures/mastodon-delete.json"
)
|>
Poison
.
decode!
()
object
=
data
[
"object"
]
|>
Map
.
put
(
"id"
,
activity
.
data
[
"object"
][
"id"
])
data
=
data
|>
Map
.
put
(
"object"
,
object
)
:error
=
Transmogrifier
.
handle_incoming
(
data
)
assert
Repo
.
get
(
Activity
,
activity
.
id
)
end
test
"it works for incoming unannounces with an existing notice"
do
user
=
insert
(
:user
)
{
:ok
,
activity
}
=
CommonAPI
.
post
(
user
,
%{
"status"
=>
"hey"
})
...
...