Merge branch 'security/activitypub-spoofing' into 'develop'
security: activitypub spoofing See merge request pleroma/pleroma!321
This commit is contained in:
commit
3c7280934e
5 changed files with 58 additions and 0 deletions
|
@ -747,6 +747,7 @@ def fetch_object_from_id(id) do
|
|||
"actor" => data["attributedTo"],
|
||||
"object" => data
|
||||
},
|
||||
:ok <- Transmogrifier.contain_origin(id, params),
|
||||
{:ok, activity} <- Transmogrifier.handle_incoming(params) do
|
||||
{:ok, Object.normalize(activity.data["object"])}
|
||||
else
|
||||
|
|
|
@ -30,6 +30,20 @@ def get_actor(%{"actor" => actor}) when is_map(actor) do
|
|||
actor["id"]
|
||||
end
|
||||
|
||||
@doc """
|
||||
Checks that an imported AP object's actor matches the domain it came from.
|
||||
"""
|
||||
def contain_origin(id, %{"actor" => actor} = params) do
|
||||
id_uri = URI.parse(id)
|
||||
actor_uri = URI.parse(get_actor(params))
|
||||
|
||||
if id_uri.host == actor_uri.host do
|
||||
:ok
|
||||
else
|
||||
:error
|
||||
end
|
||||
end
|
||||
|
||||
@doc """
|
||||
Modifies an incoming AP object (mastodon format) to our internal format.
|
||||
"""
|
||||
|
|
14
test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json
vendored
Normal file
14
test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json
vendored
Normal file
|
@ -0,0 +1,14 @@
|
|||
{
|
||||
"@context": "https://www.w3.org/ns/activitystreams",
|
||||
"actor": "https://mastodon.example.org/users/admin",
|
||||
"attachment": [],
|
||||
"attributedTo": "https://mastodon.example.org/users/admin",
|
||||
"content": "<p>this post was not actually written by Haelwenn</p>",
|
||||
"id": "https://info.pleroma.site/activity.json",
|
||||
"published": "2018-09-01T22:15:00Z",
|
||||
"tag": [],
|
||||
"to": [
|
||||
"https://www.w3.org/ns/activitystreams#Public"
|
||||
],
|
||||
"type": "Note"
|
||||
}
|
|
@ -3,6 +3,14 @@ defmodule HTTPoisonMock do
|
|||
|
||||
def get(url, body \\ [], headers \\ [])
|
||||
|
||||
def get("https://info.pleroma.site/activity.json", _, _) do
|
||||
{:ok,
|
||||
%Response{
|
||||
status_code: 200,
|
||||
body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json")
|
||||
}}
|
||||
end
|
||||
|
||||
def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
|
||||
{:ok,
|
||||
%Response{
|
||||
|
|
|
@ -798,4 +798,25 @@ test "it fixes the actor URL property to be a proper URI" do
|
|||
assert rewritten["url"] == "http://example.com"
|
||||
end
|
||||
end
|
||||
|
||||
describe "actor origin containment" do
|
||||
test "it rejects objects with a bogus origin" do
|
||||
{:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity.json")
|
||||
end
|
||||
|
||||
test "it rejects activities which reference objects with bogus origins" do
|
||||
user = insert(:user, %{local: false})
|
||||
|
||||
data = %{
|
||||
"@context" => "https://www.w3.org/ns/activitystreams",
|
||||
"id" => user.ap_id <> "/activities/1234",
|
||||
"actor" => user.ap_id,
|
||||
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
|
||||
"object" => "https://info.pleroma.site/activity.json",
|
||||
"type" => "Announce"
|
||||
}
|
||||
|
||||
:error = Transmogrifier.handle_incoming(data)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue