author | kaniini <nenolod@gmail.com> | 2018-09-01 23:48:55 +0000 |
---|---|---|
committer | kaniini <nenolod@gmail.com> | 2018-09-01 23:48:55 +0000 |
commit | 3c7280934e3bdca8d5a870dc932406ccd9915d64 (patch) | |
tree | 35c7f885e4003bb09de30f42afda05abbfcabc2d /test/web | |
parent | e4079abab8245c5b5a0987fbce9ab7cfd724f2d5 (diff) | |
parent | 03e92977cb95ccc81b92c927049a3e4421917cd2 (diff) | |
Merge branch 'security/activitypub-spoofing' into 'develop'
security: activitypub spoofing
See merge request pleroma/pleroma!321
Diffstat (limited to 'test/web')
-rw-r--r-- | test/web/activity_pub/transmogrifier_test.exs | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs index e2926d495..afa25bb60 100644 --- a/test/web/activity_pub/transmogrifier_test.exs +++ b/test/web/activity_pub/transmogrifier_test.exs @@ -798,4 +798,25 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do assert rewritten["url"] == "http://example.com" end end + + describe "actor origin containment" do + test "it rejects objects with a bogus origin" do + {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity.json") + end + + test "it rejects activities which reference objects with bogus origins" do + user = insert(:user, %{local: false}) + + data = %{ + "@context" => "https://www.w3.org/ns/activitystreams", + "id" => user.ap_id <> "/activities/1234", + "actor" => user.ap_id, + "to" => ["https://www.w3.org/ns/activitystreams#Public"], + "object" => "https://info.pleroma.site/activity.json", + "type" => "Announce" + } + + :error = Transmogrifier.handle_incoming(data) + end + end end |
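Review bot: In the first test of the new "actor origin containment" block, the match `{:error, _} = ActivityPub.fetch_object_from_id(...)` accepts any error tuple, so the test also passes when the fetch of https://info.pleroma.site/activity.json fails for an unrelated reason (no fixture for that URL, a network error, a decode failure) and does not show that the origin check is what rejected the object. Match on the specific error reason the containment check returns. The second test has the same ambiguity with its bare `:error = Transmogrifier.handle_incoming(data)`, since nothing in the hunk ties that `:error` to the bogus origin of the referenced object rather than to some other rejection of the Announce. The content of activity.json is not visible in this hunk, so a short comment naming the field whose origin does not match would document what "bogus origin" means here. A positive case in the same `describe` block, where an object with a matching origin is still accepted, would guard against the check rejecting everything.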