10 files changed, 143 insertions, 15 deletions

diff --git a/test/web/activity_pub/activity_pub_test.exs b/test/web/activity_pub/activity_pub_test.exs
index 90c0bd768..1cf7d6bbc 100644
--- a/test/web/activity_pub/activity_pub_test.exs
+++ b/test/web/activity_pub/activity_pub_test.exs
@@ -506,6 +506,15 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
     end
   end
 
+  test "it can fetch peertube videos" do
+    {:ok, object} =
+      ActivityPub.fetch_object_from_id(
+        "https://peertube.moe/videos/watch/df5f464b-be8d-46fb-ad81-2d4c2d1630e3"
+      )
+
+    assert object
+  end
+
   def data_uri do
     File.read!("test/fixtures/avatar_data_uri")
   end
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index e455da39f..afa25bb60 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -615,6 +615,18 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 
       assert User.following?(follower, followed) == false
     end
+
+    test "it rejects activities without a valid ID" do
+      user = insert(:user)
+
+      data =
+        File.read!("test/fixtures/mastodon-follow-activity.json")
+        |> Poison.decode!()
+        |> Map.put("object", user.ap_id)
+        |> Map.put("id", "")
+
+      :error = Transmogrifier.handle_incoming(data)
+    end
   end
 
   describe "prepare outgoing" do
@@ -786,4 +798,25 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
       assert rewritten["url"] == "http://example.com"
     end
   end
+
+  describe "actor origin containment" do
+    test "it rejects objects with a bogus origin" do
+      {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity.json")
+    end
+
+    test "it rejects activities which reference objects with bogus origins" do
+      user = insert(:user, %{local: false})
+
+      data = %{
+        "@context" => "https://www.w3.org/ns/activitystreams",
+        "id" => user.ap_id <> "/activities/1234",
+        "actor" => user.ap_id,
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+        "object" => "https://info.pleroma.site/activity.json",
+        "type" => "Announce"
+      }
+
+      :error = Transmogrifier.handle_incoming(data)
+    end
+  end
 end
diff --git a/test/web/common_api/common_api_test.exs b/test/web/common_api/common_api_test.exs
index a5da271b3..2a2c40833 100644
--- a/test/web/common_api/common_api_test.exs
+++ b/test/web/common_api/common_api_test.exs
@@ -1,6 +1,7 @@
 defmodule Pleroma.Web.CommonAPI.Test do
   use Pleroma.DataCase
   alias Pleroma.Web.CommonAPI
+  alias Pleroma.User
 
   import Pleroma.Factory
 
@@ -10,4 +11,14 @@ defmodule Pleroma.Web.CommonAPI.Test do
 
     assert activity.data["object"]["tag"] == ["2hu"]
   end
+
+  test "it adds emoji when updating profiles" do
+    user = insert(:user, %{name: ":karjalanpiirakka:"})
+
+    CommonAPI.update(user)
+    user = User.get_cached_by_ap_id(user.ap_id)
+    [karjalanpiirakka] = user.info["source_data"]["tag"]
+
+    assert karjalanpiirakka["name"] == ":karjalanpiirakka:"
+  end
 end
diff --git a/test/web/common_api/common_api_utils_test.exs b/test/web/common_api/common_api_utils_test.exs
index f39472ee3..b01ce04f8 100644
--- a/test/web/common_api/common_api_utils_test.exs
+++ b/test/web/common_api/common_api_utils_test.exs
@@ -1,5 +1,6 @@
 defmodule Pleroma.Web.CommonAPI.UtilsTest do
   alias Pleroma.Web.CommonAPI.Utils
+  alias Pleroma.Web.Endpoint
   alias Pleroma.Builders.{UserBuilder}
   use Pleroma.DataCase
 
@@ -29,4 +30,26 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
       assert Utils.confirm_current_password(user, "test") == {:ok, user}
     end
   end
+
+  test "parses emoji from name and bio" do
+    {:ok, user} = UserBuilder.insert(%{name: ":karjalanpiirakka:", bio: ":perkele:"})
+
+    expected = [
+      %{
+        "type" => "Emoji",
+        "icon" => %{"type" => "Image", "url" => "#{Endpoint.url()}/finmoji/128px/perkele-128.png"},
+        "name" => ":perkele:"
+      },
+      %{
+        "type" => "Emoji",
+        "icon" => %{
+          "type" => "Image",
+          "url" => "#{Endpoint.url()}/finmoji/128px/karjalanpiirakka-128.png"
+        },
+        "name" => ":karjalanpiirakka:"
+      }
+    ]
+
+    assert expected == Utils.emoji_from_profile(user)
+  end
 end
diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs
index 8bf194e6b..35c8a1fb0 100644
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@@ -20,6 +20,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
         info: %{"note_count" => 5, "follower_count" => 3, "source_data" => source_data},
         nickname: "shp@shitposter.club",
         name: ":karjalanpiirakka: shp",
+        bio: "<script src=\"invalid-html\"></script><span>valid html</span>",
         inserted_at: ~N[2017-08-15 15:47:06.597036]
       })
 
@@ -33,7 +34,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       followers_count: 3,
       following_count: 0,
       statuses_count: 5,
-      note: user.bio,
+      note: "<span>valid html</span>",
       url: user.ap_id,
       avatar: "http://localhost:4001/images/avi.png",
       avatar_static: "http://localhost:4001/images/avi.png",
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index 9e33c1d04..60dafcf03 100644
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -206,7 +206,19 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
       |> assign(:user, user)
       |> get("/api/v1/accounts/verify_credentials")
 
-    assert %{"id" => id} = json_response(conn, 200)
+    assert %{"id" => id, "source" => %{"privacy" => "public"}} = json_response(conn, 200)
+    assert id == to_string(user.id)
+  end
+
+  test "verify_credentials default scope unlisted", %{conn: conn} do
+    user = insert(:user, %{info: %{"default_scope" => "unlisted"}})
+
+    conn =
+      conn
+      |> assign(:user, user)
+      |> get("/api/v1/accounts/verify_credentials")
+
+    assert %{"id" => id, "source" => %{"privacy" => "unlisted"}} = json_response(conn, 200)
     assert id == to_string(user.id)
   end
 
@@ -368,6 +380,30 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
 
       assert id == to_string(activity_two.id)
     end
+
+    test "list timeline does not leak non-public statuses for unfollowed users", %{conn: conn} do
+      user = insert(:user)
+      other_user = insert(:user)
+      {:ok, activity_one} = TwitterAPI.create_status(other_user, %{"status" => "Marisa is cute."})
+
+      {:ok, activity_two} =
+        TwitterAPI.create_status(other_user, %{
+          "status" => "Marisa is cute.",
+          "visibility" => "private"
+        })
+
+      {:ok, list} = Pleroma.List.create("name", user)
+      {:ok, list} = Pleroma.List.follow(list, other_user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/timelines/list/#{list.id}")
+
+      assert [%{"id" => id}] = json_response(conn, 200)
+
+      assert id == to_string(activity_one.id)
+    end
   end
 
   describe "notifications" do
@@ -691,6 +727,18 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
       assert User.following?(other_user, user) == true
     end
 
+    test "verify_credentials", %{conn: conn} do
+      user = insert(:user, %{info: %{"default_scope" => "private"}})
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/accounts/verify_credentials")
+
+      assert %{"id" => id, "source" => %{"privacy" => "private"}} = json_response(conn, 200)
+      assert id == to_string(user.id)
+    end
+
     test "/api/v1/follow_requests/:id/reject works" do
       user = insert(:user, %{info: %{"locked" => true}})
       other_user = insert(:user)
diff --git a/test/web/twitter_api/representers/activity_representer_test.exs b/test/web/twitter_api/representers/activity_representer_test.exs
index 3f85e028b..894d20049 100644
--- a/test/web/twitter_api/representers/activity_representer_test.exs
+++ b/test/web/twitter_api/representers/activity_representer_test.exs
@@ -126,7 +126,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenterTest do
     }
 
     expected_html =
-      "<p>2hu</p>alert('YAY')Some <img height='32px' width='32px' alt='2hu' title='2hu' src='corndog.png' /> content mentioning <a href=\"#{
+      "<p>2hu</p>alert('YAY')Some <img height=\"32px\" width=\"32px\" alt=\"2hu\" title=\"2hu\" src=\"corndog.png\" /> content mentioning <a href=\"#{
         mentioned_user.ap_id
       }\">@shp</a>"
 
diff --git a/test/web/twitter_api/representers/object_representer_test.exs b/test/web/twitter_api/representers/object_representer_test.exs
index ebac051dc..228b2ac42 100644
--- a/test/web/twitter_api/representers/object_representer_test.exs
+++ b/test/web/twitter_api/representers/object_representer_test.exs
@@ -23,7 +23,8 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ObjectReprenterTest do
       id: 6,
       url: "someurl",
       mimetype: "sometype",
-      oembed: false
+      oembed: false,
+      description: nil
     }
 
     assert expected_object == ObjectRepresenter.to_map(object)
@@ -46,7 +47,8 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ObjectReprenterTest do
         "http://mastodon.example.org/system/media_attachments/files/000/000/001/original/8619f31c6edec470.png",
       mimetype: "image/png",
       oembed: false,
-      id: nil
+      id: nil,
+      description: "blabla"
     }
 
     assert expected_object == ObjectRepresenter.to_map(object)
diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs
index 3a035e298..87bcdaf71 100644
--- a/test/web/twitter_api/twitter_api_controller_test.exs
+++ b/test/web/twitter_api/twitter_api_controller_test.exs
@@ -77,7 +77,8 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
       conn = conn_with_creds |> post(request_path, %{status: " "})
       assert json_response(conn, 400) == error_response
 
-      conn = conn_with_creds |> post(request_path, %{status: "Nice meme."})
+      # we post with visibility private in order to avoid triggering relay
+      conn = conn_with_creds |> post(request_path, %{status: "Nice meme.", visibility: "private"})
 
       assert json_response(conn, 200) ==
                ActivityRepresenter.to_map(Repo.one(Activity), %{user: user})
diff --git a/test/web/twitter_api/views/user_view_test.exs b/test/web/twitter_api/views/user_view_test.exs
index fefb6bdcc..7075a2370 100644
--- a/test/web/twitter_api/views/user_view_test.exs
+++ b/test/web/twitter_api/views/user_view_test.exs
@@ -22,7 +22,7 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
 
   test "A user with emoji in username", %{user: user} do
     expected =
-      "<img height='32px' width='32px' alt='karjalanpiirakka' title='karjalanpiirakka' src='/file.png' /> man"
+      "<img height=\"32px\" width=\"32px\" alt=\"karjalanpiirakka\" title=\"karjalanpiirakka\" src=\"/file.png\" /> man"
 
     user = %{
       user
@@ -65,8 +65,8 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
       "name" => user.name,
       "screen_name" => user.nickname,
       "name_html" => user.name,
-      "description" => HtmlSanitizeEx.strip_tags(user.bio),
-      "description_html" => HtmlSanitizeEx.strip_tags(user.bio),
+      "description" => HtmlSanitizeEx.strip_tags(user.bio |> String.replace("<br>", "\n")),
+      "description_html" => HtmlSanitizeEx.basic_html(user.bio),
       "created_at" => user.inserted_at |> Utils.format_naive_asctime(),
       "favourites_count" => 0,
       "statuses_count" => 1,
@@ -104,8 +104,8 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
       "name" => user.name,
       "screen_name" => user.nickname,
       "name_html" => user.name,
-      "description" => HtmlSanitizeEx.strip_tags(user.bio),
-      "description_html" => HtmlSanitizeEx.strip_tags(user.bio),
+      "description" => HtmlSanitizeEx.strip_tags(user.bio |> String.replace("<br>", "\n")),
+      "description_html" => HtmlSanitizeEx.basic_html(user.bio),
       "created_at" => user.inserted_at |> Utils.format_naive_asctime(),
       "favourites_count" => 0,
       "statuses_count" => 0,
@@ -144,8 +144,8 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
       "name" => follower.name,
       "screen_name" => follower.nickname,
       "name_html" => follower.name,
-      "description" => HtmlSanitizeEx.strip_tags(follower.bio),
-      "description_html" => HtmlSanitizeEx.strip_tags(follower.bio),
+      "description" => HtmlSanitizeEx.strip_tags(follower.bio |> String.replace("<br>", "\n")),
+      "description_html" => HtmlSanitizeEx.basic_html(follower.bio),
       "created_at" => follower.inserted_at |> Utils.format_naive_asctime(),
       "favourites_count" => 0,
       "statuses_count" => 0,
@@ -191,8 +191,8 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
       "name" => user.name,
       "screen_name" => user.nickname,
       "name_html" => user.name,
-      "description" => HtmlSanitizeEx.strip_tags(user.bio),
-      "description_html" => HtmlSanitizeEx.strip_tags(user.bio),
+      "description" => HtmlSanitizeEx.strip_tags(user.bio |> String.replace("<br>", "\n")),
+      "description_html" => HtmlSanitizeEx.basic_html(user.bio),
       "created_at" => user.inserted_at |> Utils.format_naive_asctime(),
       "favourites_count" => 0,
       "statuses_count" => 0,