diff options
| -rw-r--r-- | lib/pleroma/web/activity_pub/activity_pub.ex | 1 | ||||
| -rw-r--r-- | lib/pleroma/web/activity_pub/transmogrifier.ex | 14 | ||||
| -rw-r--r-- | test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json | 14 | ||||
| -rw-r--r-- | test/support/httpoison_mock.ex | 8 | ||||
| -rw-r--r-- | test/web/activity_pub/transmogrifier_test.exs | 21 |
5 files changed, 58 insertions, 0 deletions
diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index e6c2dc9cf..81c11dd76 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -747,6 +747,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do "actor" => data["attributedTo"], "object" => data }, + :ok <- Transmogrifier.contain_origin(id, params), {:ok, activity} <- Transmogrifier.handle_incoming(params) do {:ok, Object.normalize(activity.data["object"])} else diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex index 1367bc7e3..4a3a82195 100644 --- a/lib/pleroma/web/activity_pub/transmogrifier.ex +++ b/lib/pleroma/web/activity_pub/transmogrifier.ex @@ -31,6 +31,20 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do end @doc """ + Checks that an imported AP object's actor matches the domain it came from. + """ + def contain_origin(id, %{"actor" => actor} = params) do + id_uri = URI.parse(id) + actor_uri = URI.parse(get_actor(params)) + + if id_uri.host == actor_uri.host do + :ok + else + :error + end + end + + @doc """ Modifies an incoming AP object (mastodon format) to our internal format. """ def fix_object(object) do diff --git a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json new file mode 100644 index 000000000..eab0341fe --- /dev/null +++ b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json @@ -0,0 +1,14 @@ +{ + "@context": "https://www.w3.org/ns/activitystreams", + "actor": "https://mastodon.example.org/users/admin", + "attachment": [], + "attributedTo": "https://mastodon.example.org/users/admin", + "content": "<p>this post was not actually written by Haelwenn</p>", + "id": "https://info.pleroma.site/activity.json", + "published": "2018-09-01T22:15:00Z", + "tag": [], + "to": [ + "https://www.w3.org/ns/activitystreams#Public" + ], + "type": "Note" +} diff --git a/test/support/httpoison_mock.ex b/test/support/httpoison_mock.ex index 4ee2feb95..7057f30fb 100644 --- a/test/support/httpoison_mock.ex +++ b/test/support/httpoison_mock.ex @@ -3,6 +3,14 @@ defmodule HTTPoisonMock do def get(url, body \\ [], headers \\ []) + def get("https://info.pleroma.site/activity.json", _, _) do + {:ok, + %Response{ + status_code: 200, + body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json") + }} + end + def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do {:ok, %Response{ diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs index e2926d495..afa25bb60 100644 --- a/test/web/activity_pub/transmogrifier_test.exs +++ b/test/web/activity_pub/transmogrifier_test.exs @@ -798,4 +798,25 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do assert rewritten["url"] == "http://example.com" end end + + describe "actor origin containment" do + test "it rejects objects with a bogus origin" do + {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity.json") + end + + test "it rejects activities which reference objects with bogus origins" do + user = insert(:user, %{local: false}) + + data = %{ + "@context" => "https://www.w3.org/ns/activitystreams", + "id" => user.ap_id <> "/activities/1234", + "actor" => user.ap_id, + "to" => ["https://www.w3.org/ns/activitystreams#Public"], + "object" => "https://info.pleroma.site/activity.json", + "type" => "Announce" + } + + :error = Transmogrifier.handle_incoming(data) + end + end end |