activitypub: transmogrifier: make deletes secure

author: William Pitcock <nenolod@dereferenced.org> 2018-11-17 21:22:30 +0000
committer: William Pitcock <nenolod@dereferenced.org> 2018-11-17 21:22:57 +0000
commit: dfcfb184b10428af8d37492e64f271c0275fc2c9 (patch)
tree: d5920e48f086e916eb3d17bee22dafd38f204e9b
parent: b1a6e8d80d47efdea5110e9d86e080a16b5aeaa8 (diff)
download: pleroma-dfcfb184b10428af8d37492e64f271c0275fc2c9.tar.gz
2 files changed, 28 insertions, 3 deletions
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
index 1f886839e..5864855b0 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@@ -467,15 +467,20 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
     end
   end
 
-  # TODO: Make secure.
+  # TODO: We presently assume that any actor on the same origin domain as the object being
+  # deleted has the rights to delete that object.  A better way to validate whether or not
+  # the object should be deleted is to refetch the object URI, which should return either
+  # an error or a tombstone.  This would allow us to verify that a deletion actually took
+  # place.
   def handle_incoming(
-        %{"type" => "Delete", "object" => object_id, "actor" => actor, "id" => _id} = data
+        %{"type" => "Delete", "object" => object_id, "actor" => _actor, "id" => _id} = data
       ) do
     object_id = Utils.get_ap_id(object_id)
 
     with actor <- get_actor(data),
-         %User{} = _actor <- User.get_or_fetch_by_ap_id(actor),
+         %User{} = actor <- User.get_or_fetch_by_ap_id(actor),
          {:ok, object} <- get_obj_helper(object_id) || fetch_obj_helper(object_id),
+         :ok <- contain_origin(actor.ap_id, object.data),
          {:ok, activity} <- ActivityPub.delete(object, false) do
       {:ok, activity}
     else
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index 9174d9b76..829da0a65 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -361,6 +361,26 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
       refute Repo.get(Activity, activity.id)
     end
 
+    test "it fails for incoming deletes with spoofed origin" do
+      activity = insert(:note_activity)
+
+      data =
+        File.read!("test/fixtures/mastodon-delete.json")
+        |> Poison.decode!()
+
+      object =
+        data["object"]
+        |> Map.put("id", activity.data["object"]["id"])
+
+      data =
+        data
+        |> Map.put("object", object)
+
+      :error = Transmogrifier.handle_incoming(data)
+
+      assert Repo.get(Activity, activity.id)
+    end
+
     test "it works for incoming unannounces with an existing notice" do
       user = insert(:user)
       {:ok, activity} = CommonAPI.post(user, %{"status" => "hey"})
author	William Pitcock <nenolod@dereferenced.org>	2018-11-17 21:22:30 +0000
committer	William Pitcock <nenolod@dereferenced.org>	2018-11-17 21:22:57 +0000
commit	dfcfb184b10428af8d37492e64f271c0275fc2c9 (patch)
tree	d5920e48f086e916eb3d17bee22dafd38f204e9b
parent	b1a6e8d80d47efdea5110e9d86e080a16b5aeaa8 (diff)
download	pleroma-dfcfb184b10428af8d37492e64f271c0275fc2c9.tar.gz