2019-07-10 07:13:23 +02:00
|
|
|
# Pleroma: A lightweight social networking server
|
|
|
|
# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
|
|
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
2018-12-01 23:29:41 +01:00
|
|
|
defmodule Pleroma.Object.ContainmentTest do
|
|
|
|
use Pleroma.DataCase
|
|
|
|
|
|
|
|
alias Pleroma.Object.Containment
|
2019-04-17 13:52:01 +02:00
|
|
|
alias Pleroma.User
|
2018-12-01 23:29:41 +01:00
|
|
|
|
|
|
|
import Pleroma.Factory
|
2019-06-16 12:49:24 +02:00
|
|
|
import ExUnit.CaptureLog
|
2018-12-01 23:29:41 +01:00
|
|
|
|
2019-06-04 07:46:19 +02:00
|
|
|
setup_all do
|
|
|
|
Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end)
|
|
|
|
:ok
|
|
|
|
end
|
|
|
|
|
2018-12-01 23:29:41 +01:00
|
|
|
describe "general origin containment" do
|
|
|
|
test "contain_origin_from_id() catches obvious spoofing attempts" do
|
|
|
|
data = %{
|
|
|
|
"id" => "http://example.com/~alyssa/activities/1234.json"
|
|
|
|
}
|
|
|
|
|
|
|
|
:error =
|
|
|
|
Containment.contain_origin_from_id(
|
|
|
|
"http://example.org/~alyssa/activities/1234.json",
|
|
|
|
data
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
test "contain_origin_from_id() allows alternate IDs within the same origin domain" do
|
|
|
|
data = %{
|
|
|
|
"id" => "http://example.com/~alyssa/activities/1234.json"
|
|
|
|
}
|
|
|
|
|
|
|
|
:ok =
|
|
|
|
Containment.contain_origin_from_id(
|
|
|
|
"http://example.com/~alyssa/activities/1234",
|
|
|
|
data
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
test "contain_origin_from_id() allows matching IDs" do
|
|
|
|
data = %{
|
|
|
|
"id" => "http://example.com/~alyssa/activities/1234.json"
|
|
|
|
}
|
|
|
|
|
|
|
|
:ok =
|
|
|
|
Containment.contain_origin_from_id(
|
|
|
|
"http://example.com/~alyssa/activities/1234.json",
|
|
|
|
data
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
test "users cannot be collided through fake direction spoofing attempts" do
|
2019-04-17 11:27:29 +02:00
|
|
|
_user =
|
2018-12-01 23:29:41 +01:00
|
|
|
insert(:user, %{
|
|
|
|
nickname: "rye@niu.moe",
|
|
|
|
local: false,
|
|
|
|
ap_id: "https://niu.moe/users/rye",
|
|
|
|
follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"})
|
|
|
|
})
|
|
|
|
|
2019-06-16 12:49:24 +02:00
|
|
|
assert capture_log(fn ->
|
|
|
|
{:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")
|
|
|
|
end) =~
|
|
|
|
"[error] Could not decode user at fetch https://n1u.moe/users/rye, {:error, :error}"
|
2018-12-01 23:29:41 +01:00
|
|
|
end
|
2019-11-08 21:51:28 +01:00
|
|
|
|
|
|
|
test "contain_origin_from_id() gracefully handles cases where no ID is present" do
|
|
|
|
data = %{
|
|
|
|
"type" => "Create",
|
|
|
|
"object" => %{
|
|
|
|
"id" => "http://example.net/~alyssa/activities/1234",
|
|
|
|
"attributedTo" => "http://example.org/~alyssa"
|
|
|
|
},
|
|
|
|
"actor" => "http://example.com/~bob"
|
|
|
|
}
|
|
|
|
|
|
|
|
:error =
|
|
|
|
Containment.contain_origin_from_id("http://example.net/~alyssa/activities/1234", data)
|
|
|
|
end
|
2018-12-01 23:29:41 +01:00
|
|
|
end
|
2019-07-14 19:47:08 +02:00
|
|
|
|
|
|
|
describe "containment of children" do
|
|
|
|
test "contain_child() catches spoofing attempts" do
|
|
|
|
data = %{
|
|
|
|
"id" => "http://example.com/whatever",
|
|
|
|
"type" => "Create",
|
|
|
|
"object" => %{
|
|
|
|
"id" => "http://example.net/~alyssa/activities/1234",
|
|
|
|
"attributedTo" => "http://example.org/~alyssa"
|
|
|
|
},
|
|
|
|
"actor" => "http://example.com/~bob"
|
|
|
|
}
|
|
|
|
|
|
|
|
:error = Containment.contain_child(data)
|
|
|
|
end
|
|
|
|
|
|
|
|
test "contain_child() allows correct origins" do
|
|
|
|
data = %{
|
|
|
|
"id" => "http://example.org/~alyssa/activities/5678",
|
|
|
|
"type" => "Create",
|
|
|
|
"object" => %{
|
|
|
|
"id" => "http://example.org/~alyssa/activities/1234",
|
|
|
|
"attributedTo" => "http://example.org/~alyssa"
|
|
|
|
},
|
|
|
|
"actor" => "http://example.org/~alyssa"
|
|
|
|
}
|
|
|
|
|
|
|
|
:ok = Containment.contain_child(data)
|
|
|
|
end
|
|
|
|
end
|
2018-12-01 23:29:41 +01:00
|
|
|
end
|