| author | lambda <pleromagit@rogerbraun.net> | 2018-11-17 18:33:09 +0000 |
|---|---|---|
| committer | lambda <pleromagit@rogerbraun.net> | 2018-11-17 18:33:09 +0000 |
| commit | a960983815b8798632fc489b762f760738cf798b (patch) | |
| tree | 2f1bfbc9e90fce24707eda378c566c6554603e58 /test/web | |
| parent | 05967472f296fc782c15f0d8ebbeaeadb03b0f8c (diff) | |
| parent | b483ae0a724a2b76e8c61f63a96d7867339dacb1 (diff) | |
Merge branch 'security/actor-containment' into 'develop'
security hotfix: actor containment
See merge request pleroma/pleroma!460
Diffstat (limited to 'test/web')
| -rw-r--r-- | test/web/activity_pub/transmogrifier_test.exs | 40 |
1 files changed, 36 insertions, 4 deletions
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs index 0278ef5d1..6320b5b6e 100644 --- a/test/web/activity_pub/transmogrifier_test.exs +++ b/test/web/activity_pub/transmogrifier_test.exs @@ -872,12 +872,10 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do end test "it rejects activities which reference objects with bogus origins" do - user = insert(:user, %{local: false}) - data = %{ "@context" => "https://www.w3.org/ns/activitystreams", - "id" => user.ap_id <> "/activities/1234", - "actor" => user.ap_id, + "id" => "http://mastodon.example.org/users/admin/activities/1234", + "actor" => "http://mastodon.example.org/users/admin", "to" => ["https://www.w3.org/ns/activitystreams#Public"], "object" => "https://info.pleroma.site/activity.json", "type" => "Announce" 
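Review bot: The bare `:error = Transmogrifier.handle_incoming(data)` match in "it rejects activities which reference objects with bogus origins" accepts any failure, not specifically the containment check. With the actor now a hard-coded `http://mastodon.example.org/users/admin` instead of an inserted user, a failure to resolve that actor or to fetch the object would presumably also produce `:error`, so the test could stay green even if the origin check regressed. The four tests added in the next hunk (`{:error, _} = ActivityPub.fetch_object_from_id(...)` and the two Announce cases) have the same weakness. Consider also asserting that the fixture document is actually served in the test environment and that nothing was stored for the object id afterwards, with a comment such as `# must fail on origin/attribution mismatch, not on a fetch error`. The test body starts in this hunk and ends in the next one.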
@@ -885,5 +883,39 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do :error = Transmogrifier.handle_incoming(data) end + + test "it rejects objects when attributedTo is wrong (variant 1)" do + {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity2.json") + end + + test "it rejects activities which reference objects that have an incorrect attribution (variant 1)" do + data = %{ + "@context" => "https://www.w3.org/ns/activitystreams", + "id" => "http://mastodon.example.org/users/admin/activities/1234", + "actor" => "http://mastodon.example.org/users/admin", + "to" => ["https://www.w3.org/ns/activitystreams#Public"], + "object" => "https://info.pleroma.site/activity2.json", + "type" => "Announce" + } + + :error = Transmogrifier.handle_incoming(data) + end + + test "it rejects objects when attributedTo is wrong (variant 2)" do + {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity3.json") + end + + test "it rejects activities which reference objects that have an incorrect attribution (variant 2)" do + data = %{ + "@context" => "https://www.w3.org/ns/activitystreams", + "id" => "http://mastodon.example.org/users/admin/activities/1234", + "actor" => "http://mastodon.example.org/users/admin", + "to" => ["https://www.w3.org/ns/activitystreams#Public"], + "object" => "https://info.pleroma.site/activity3.json", + "type" => "Announce" + } + + :error = Transmogrifier.handle_incoming(data) + end end end |
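Review bot: The test names "variant 1" and "variant 2" do not say how `activity2.json` and `activity3.json` differ, and the fixtures are outside this diffstat (limited to `test/web`), so a reader cannot tell which containment rule each case exercises. A one-line comment above each test would help, e.g. `# activity2.json: <describe which field disagrees with the fetched URL's origin>`. It is also not visible here whether `https://info.pleroma.site/...` is answered by the test HTTP mock; if it is not, these security regression tests depend on a live third-party host and should be pointed at local fixtures. Writing the checks as `assert {:error, _} = ActivityPub.fetch_object_from_id(...)` would give a clearer failure report than a raw `MatchError`.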
