Webfinger: Add test showing wrong webfinger behavior

author: Lain Soykaf <lain@lain.com> 2024-05-22 12:57:30 +0400
committer: Lain Soykaf <lain@lain.com> 2024-05-22 12:57:30 +0400
commit: d1b053f3ba4170021c511b0d06a41405d3ab07d3 (patch)
tree: b5bdc09dd98417984183db13acffb70d38fb75e1 /test
parent: 7fca5982686e9da2ef449af65b6ec2602a3c9f69 (diff)
download: pleroma-d1b053f3ba4170021c511b0d06a41405d3ab07d3.tar.gz
pleroma-d1b053f3ba4170021c511b0d06a41405d3ab07d3.zip
2 files changed, 56 insertions, 0 deletions
diff --git a/test/fixtures/webfinger/graf-imposter-webfinger.json b/test/fixtures/webfinger/graf-imposter-webfinger.json
new file mode 100644
index 000000000..e7010f606
--- /dev/null
+++ b/test/fixtures/webfinger/graf-imposter-webfinger.json
@@ -0,0 +1,41 @@
+{
+    "subject": "acct:graf@poa.st",
+    "aliases": [
+        "https://fba.ryona.agenc/webfingertest"
+    ],
+    "links": [
+        {
+            "rel": "http://webfinger.net/rel/profile-page",
+            "type": "text/html",
+            "href": "https://fba.ryona.agenc/webfingertest"
+        },
+        {
+            "rel": "self",
+            "type": "application/activity+json",
+            "href": "https://fba.ryona.agenc/webfingertest"
+        },
+        {
+            "rel": "http://ostatus.org/schema/1.0/subscribe",
+            "template": "https://fba.ryona.agenc/contact/follow?url={uri}"
+        },
+        {
+            "rel": "http://schemas.google.com/g/2010#updates-from",
+            "type": "application/atom+xml",
+            "href": ""
+        },
+        {
+            "rel": "salmon",
+            "href": "https://fba.ryona.agenc/salmon/friendica"
+        },
+        {
+            "rel": "http://microformats.org/profile/hcard",
+            "type": "text/html",
+            "href": "https://fba.ryona.agenc/hcard/friendica"
+        },
+        {
+            "rel": "http://joindiaspora.com/seed_location",
+            "type": "text/html",
+            "href": "https://fba.ryona.agenc"
+        }
+    ]
+}
diff --git a/test/pleroma/web/web_finger_test.exs b/test/pleroma/web/web_finger_test.exs
index be5e08776..6530fbc56 100644
--- a/test/pleroma/web/web_finger_test.exs
+++ b/test/pleroma/web/web_finger_test.exs
@@ -204,4 +204,19 @@ defmodule Pleroma.Web.WebFingerTest do
       assert :error = WebFinger.finger("pekorino@pawoo.net")
     end
   end
+
+  test "prevents forgeries" do
+    Tesla.Mock.mock(fn
+      %{url: "https://fba.ryona.agency/.well-known/webfinger?resource=acct:graf@fba.ryona.agency"} ->
+        fake_webfinger =
+          File.read!("test/fixtures/webfinger/graf-imposter-webfinger.json") |> Jason.decode!()
+
+        Tesla.Mock.json(fake_webfinger)
+
+      %{url: "https://fba.ryona.agency/.well-known/host-meta"} ->
+        {:ok, %Tesla.Env{status: 404}}
+    end)
+
+    refute {:ok, _} = WebFinger.finger("graf@fba.ryona.agency")
+  end
 end
author	Lain Soykaf <lain@lain.com>	2024-05-22 12:57:30 +0400
committer	Lain Soykaf <lain@lain.com>	2024-05-22 12:57:30 +0400
commit	d1b053f3ba4170021c511b0d06a41405d3ab07d3 (patch)
tree	b5bdc09dd98417984183db13acffb70d38fb75e1 /test
parent	7fca5982686e9da2ef449af65b6ec2602a3c9f69 (diff)
download	pleroma-d1b053f3ba4170021c511b0d06a41405d3ab07d3.tar.gz pleroma-d1b053f3ba4170021c511b0d06a41405d3ab07d3.zip