Merge branch 'security/activitypub-spoofing' into 'develop'
security: activitypub spoofing See merge request pleroma/pleroma!321
commit
3c7280934e
@ -747,6 +747,7 @@ def fetch_object_from_id(id) do
|
|||||||
"actor" => data["attributedTo"],
|
"actor" => data["attributedTo"],
|
||||||
"object" => data
|
"object" => data
|
||||||
},
|
},
|
||||||
|
:ok <- Transmogrifier.contain_origin(id, params),
|
||||||
{:ok, activity} <- Transmogrifier.handle_incoming(params) do
|
{:ok, activity} <- Transmogrifier.handle_incoming(params) do
|
||||||
{:ok, Object.normalize(activity.data["object"])}
|
{:ok, Object.normalize(activity.data["object"])}
|
||||||
else
|
else
|
||||||
|
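Review bot: The new `:ok <- Transmogrifier.contain_origin(id, params),` clause compares the host of the requested URL with the host of `data["attributedTo"]`, but nothing in the visible lines ties the fetched document's own `"id"` field to that URL, so the object that gets stored may carry an id that was never checked. If the part of the `with` above the hunk does not already do this, a clause such as `true <- data["id"] == id,` placed before the containment check would close that gap; whether strict equality is right depends on how redirects are handled upstream, which is not visible here. The clause also depends on the `else` branch, cut off right after the hunk, to turn the bare `:error` into the `{:error, _}` that the new test expects, and a comment like `# reject objects whose actor host differs from the host we fetched from` would record the intent. The `with` starts above the hunk and its `else` continues below it.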
@ -30,6 +30,20 @@ def get_actor(%{"actor" => actor}) when is_map(actor) do
|
|||||||
actor["id"]
|
actor["id"]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@doc """
|
||||||
|
Checks that an imported AP object's actor matches the domain it came from.
|
||||||
|
"""
|
||||||
|
def contain_origin(id, %{"actor" => actor} = params) do
|
||||||
|
id_uri = URI.parse(id)
|
||||||
|
actor_uri = URI.parse(get_actor(params))
|
||||||
|
|
||||||
|
if id_uri.host == actor_uri.host do
|
||||||
|
:ok
|
||||||
|
else
|
||||||
|
:error
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
@doc """
|
@doc """
|
||||||
Modifies an incoming AP object (mastodon format) to our internal format.
|
Modifies an incoming AP object (mastodon format) to our internal format.
|
||||||
"""
|
"""
|
||||||
|
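Review bot: `contain_origin/2` returns `:ok` when both hosts are `nil`, because `URI.parse/1` yields `host: nil` for a string with no authority part and the comparison is a plain `==`; the check should fail closed, e.g. `if is_binary(id_uri.host) and id_uri.host == actor_uri.host do`. The function head binds `actor` without using it (the body calls `get_actor(params)`), so `%{"actor" => _actor} = params` avoids the unused-variable warning, and with a single clause any params without an `"actor"` key raise `FunctionClauseError` instead of returning `:error`. The `@doc` could also state the contract, for example `Returns :ok when the hosts match and :error otherwise; only the host is compared, not the scheme or port.`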
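--- a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json
+++ b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json
@@ -0,0 +1,14 @@
+{
+"@context": "https://www.w3.org/ns/activitystreams",
+"actor": "https://mastodon.example.org/users/admin",
+"attachment": [],
+"attributedTo": "https://mastodon.example.org/users/admin",
+"content": "<p>this post was not actually written by Haelwenn</p>",
+"id": "https://info.pleroma.site/activity.json",
+"published": "2018-09-01T22:15:00Z",
+"tag": [],
+"to": [
+"https://www.w3.org/ns/activitystreams#Public"
+],
+"type": "Note"
+}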
@ -3,6 +3,14 @@ defmodule HTTPoisonMock do
|
|||||||
|
|
||||||
def get(url, body \\ [], headers \\ [])
|
def get(url, body \\ [], headers \\ [])
|
||||||
|
|
||||||
|
def get("https://info.pleroma.site/activity.json", _, _) do
|
||||||
|
{:ok,
|
||||||
|
%Response{
|
||||||
|
status_code: 200,
|
||||||
|
body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json")
|
||||||
|
}}
|
||||||
|
end
|
||||||
|
|
||||||
def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
|
def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
|
||||||
{:ok,
|
{:ok,
|
||||||
%Response{
|
%Response{
|
||||||
|
@ -798,4 +798,25 @@ test "it fixes the actor URL property to be a proper URI" do
|
|||||||
assert rewritten["url"] == "http://example.com"
|
assert rewritten["url"] == "http://example.com"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "actor origin containment" do
|
||||||
|
test "it rejects objects with a bogus origin" do
|
||||||
|
{:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity.json")
|
||||||
|
end
|
||||||
|
|
||||||
|
test "it rejects activities which reference objects with bogus origins" do
|
||||||
|
user = insert(:user, %{local: false})
|
||||||
|
|
||||||
|
data = %{
|
||||||
|
"@context" => "https://www.w3.org/ns/activitystreams",
|
||||||
|
"id" => user.ap_id <> "/activities/1234",
|
||||||
|
"actor" => user.ap_id,
|
||||||
|
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
|
||||||
|
"object" => "https://info.pleroma.site/activity.json",
|
||||||
|
"type" => "Announce"
|
||||||
|
}
|
||||||
|
|
||||||
|
:error = Transmogrifier.handle_incoming(data)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
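Review bot: Both new tests check the result with a bare match (`{:error, _} = ...` and `:error = ...`), so a regression surfaces as a `MatchError` rather than an ExUnit failure with a diff; `assert {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity.json")` and `assert Transmogrifier.handle_incoming(data) == :error` report better. The describe block covers rejection only. A case where the object's actor is on the same host as the fetched id, plus direct cases for `Transmogrifier.contain_origin/2` (matching hosts, differing hosts, an id with no host), would pin the check's behaviour on both sides.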