From 84cc131b59ad6c8910735c982757fee598de8757 Mon Sep 17 00:00:00 2001 From: Sergey Suprunenko Date: Tue, 4 Jun 2019 05:46:19 +0000 Subject: Add missing HTTP Request mocks --- test/object/containment_test.exs | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'test/object') diff --git a/test/object/containment_test.exs b/test/object/containment_test.exs index 452064093..a7a046203 100644 --- a/test/object/containment_test.exs +++ b/test/object/containment_test.exs @@ -6,6 +6,11 @@ defmodule Pleroma.Object.ContainmentTest do import Pleroma.Factory + setup_all do + Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end) + :ok + end + describe "general origin containment" do test "contain_origin_from_id() catches obvious spoofing attempts" do data = %{ -- cgit v1.2.3 From afae3ada22fb714735fd75448c574276353f2e1d Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Thu, 13 Jun 2019 16:34:03 +0700 Subject: Handle HTTP "410 Gone" response --- test/object/fetcher_test.exs | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) (limited to 'test/object') diff --git a/test/object/fetcher_test.exs b/test/object/fetcher_test.exs index d604fd5f5..58abcfe55 100644 --- a/test/object/fetcher_test.exs +++ b/test/object/fetcher_test.exs @@ -7,7 +7,14 @@ defmodule Pleroma.Object.FetcherTest do import Tesla.Mock setup do - mock(fn env -> apply(HttpRequestMock, :request, [env]) end) + mock(fn + %{method: :get, url: "https://mastodon.example.org/users/userisgone"} -> + %Tesla.Env{status: 410} + + env -> + apply(HttpRequestMock, :request, [env]) + end) + :ok end 
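Review bot: The `setup_all` callback added to `Pleroma.Object.ContainmentTest` calls the mock through `apply/3` although the module, function and arity are all fixed, which is indirection the code does not need; a capture reads more directly: `Tesla.Mock.mock_global(&HttpRequestMock.request/1)`. The catch-all clause `env -> apply(HttpRequestMock, :request, [env])` in the `setup` hunk of test/object/fetcher_test.exs later in this series has the same shape and can call `HttpRequestMock.request(env)`. Since `mock_global` installs the mock for every process rather than only the test process, a one-line comment naming the test that needs the global form would help the next reader; which test that is cannot be told from this hunk.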
@@ -81,10 +88,17 @@ defmodule Pleroma.Object.FetcherTest do end test "all objects with fake directions are rejected by the object fetcher" do - {:error, _} = - Fetcher.fetch_and_contain_remote_object_from_id( - "https://info.pleroma.site/activity4.json" - ) + assert {:error, _} = + Fetcher.fetch_and_contain_remote_object_from_id( + "https://info.pleroma.site/activity4.json" + ) + end + + test "handle HTTP 410 Gone response" do + assert {:error, "Object has been deleted"} == + Fetcher.fetch_and_contain_remote_object_from_id( + "https://mastodon.example.org/users/userisgone" + ) end end -- cgit v1.2.3 From 30e54fd7e2f967364f2c1c17d739b629d2900167 Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Thu, 13 Jun 2019 17:13:35 +0700 Subject: Handle HTTP 404 response --- test/object/fetcher_test.exs | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'test/object') diff --git a/test/object/fetcher_test.exs b/test/object/fetcher_test.exs index 58abcfe55..26dc9496d 100644 --- a/test/object/fetcher_test.exs +++ b/test/object/fetcher_test.exs @@ -11,6 +11,9 @@ defmodule Pleroma.Object.FetcherTest do %{method: :get, url: "https://mastodon.example.org/users/userisgone"} -> %Tesla.Env{status: 410} + %{method: :get, url: "https://mastodon.example.org/users/userisgone404"} -> + %Tesla.Env{status: 404} + env -> apply(HttpRequestMock, :request, [env]) end) @@ -100,6 +103,13 @@ defmodule Pleroma.Object.FetcherTest do "https://mastodon.example.org/users/userisgone" ) end + + test "handle HTTP 404 response" do + assert {:error, "Object has been deleted"} == + Fetcher.fetch_and_contain_remote_object_from_id( + "https://mastodon.example.org/users/userisgone404" + ) + end end describe "pruning" do -- cgit v1.2.3 From 0f59265a50c0985d6ab0ce47b12dd135cfd1e8ac Mon Sep 17 00:00:00 2001 
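Review bot: In the rewritten test "all objects with fake directions are rejected by the object fetcher", `assert {:error, _} = ...` accepts any failure, so the test also passes when the fetch fails for a reason unrelated to containment, for instance if the mock stops serving activity4.json. The new 410 test in the same hunk pins its reason, and this test would be a stronger check of the rejection itself if it did the same. The reason the containment check returns is not visible here, so it is left as a placeholder: `assert {:error, <containment reason>} = Fetcher.fetch_and_contain_remote_object_from_id(...)`.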
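Review bot: The new "handle HTTP 404 response" test pins a 404 to the same reason as a 410, `{:error, "Object has been deleted"}`, so callers of `fetch_and_contain_remote_object_from_id/1` cannot tell a permanent removal from a missing or temporarily unavailable resource. If any caller acts on that reason (none is visible in this hunk), a transient 404 from the remote server would be handled as a deletion. Either a distinct reason for 404 or a comment stating that the two are conflated on purpose would make the intent explicit, for example `# 404 is deliberately reported like 410: the remote no longer serves the object`.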
From: Alex S Date: Sun, 16 Jun 2019 18:49:24 +0800 Subject: salmon fix removed some ownership sandbox error --- test/object/containment_test.exs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'test/object') diff --git a/test/object/containment_test.exs b/test/object/containment_test.exs index a7a046203..a860355b8 100644 --- a/test/object/containment_test.exs +++ b/test/object/containment_test.exs @@ -5,6 +5,7 @@ defmodule Pleroma.Object.ContainmentTest do alias Pleroma.User import Pleroma.Factory + import ExUnit.CaptureLog setup_all do Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end) @@ -57,7 +58,10 @@ defmodule Pleroma.Object.ContainmentTest do follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"}) }) - {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye") + assert capture_log(fn -> + {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye") + end) =~ + "[error] Could not decode user at fetch https://n1u.moe/users/rye, {:error, :error}" end end end -- cgit v1.2.3 From 93a0eeab16dc98b9278ee8649b233c3acd7807ec Mon Sep 17 00:00:00 2001 From: feld Date: Wed, 10 Jul 2019 05:13:23 +0000 Subject: Add license/copyright to all project files --- test/object/containment_test.exs | 4 ++++ test/object/fetcher_test.exs | 4 ++++ 2 files changed, 8 insertions(+) (limited to 'test/object') diff --git a/test/object/containment_test.exs b/test/object/containment_test.exs index a860355b8..1beed6236 100644 --- a/test/object/containment_test.exs +++ b/test/object/containment_test.exs @@ -1,3 +1,7 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2019 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + defmodule Pleroma.Object.ContainmentTest do use Pleroma.DataCase diff --git a/test/object/fetcher_test.exs b/test/object/fetcher_test.exs index 26dc9496d..3b666e0d1 100644 --- a/test/object/fetcher_test.exs +++ b/test/object/fetcher_test.exs 
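Review bot: The `capture_log` assertion in the look-alike-domain test matches the whole log line including the trailing `{:error, :error}`, which ties the test to an incidental reason term rather than to the behaviour under test. Matching the stable part keeps the intent: `=~ "Could not decode user at fetch https://n1u.moe/users/rye"`. Inside the closure the result is still a bare `{:error, _} =` match, so a successful fetch from the spoofed host would surface as a MatchError; `assert {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")` reports it as a test failure instead. The test body starts above the hunk.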
@@ -1,3 +1,7 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2019 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + defmodule Pleroma.Object.FetcherTest do use Pleroma.DataCase -- cgit v1.2.3 From a2c601acb5e91ccfee2f38cb24ec3f86aaafc8a1 Mon Sep 17 00:00:00 2001 From: "Haelwenn (lanodan) Monnier" Date: Sun, 14 Jul 2019 14:24:56 +0200 Subject: FetcherTest: Containment refute called(OStatus.fetch_activity_from_url) --- test/object/fetcher_test.exs | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) (limited to 'test/object') diff --git a/test/object/fetcher_test.exs b/test/object/fetcher_test.exs index 3b666e0d1..56a9d775f 100644 --- a/test/object/fetcher_test.exs +++ b/test/object/fetcher_test.exs @@ -9,6 +9,7 @@ defmodule Pleroma.Object.FetcherTest do alias Pleroma.Object alias Pleroma.Object.Fetcher import Tesla.Mock + import Mock setup do mock(fn 
@@ -26,16 +27,31 @@ defmodule Pleroma.Object.FetcherTest do end describe "actor origin containment" do - test "it rejects objects with a bogus origin" do + test_with_mock "it rejects objects with a bogus origin", + Pleroma.Web.OStatus, + [:passthrough], + [] do {:error, _} = Fetcher.fetch_object_from_id("https://info.pleroma.site/activity.json") + + refute called(Pleroma.Web.OStatus.fetch_activity_from_url(:_)) end - test "it rejects objects when attributedTo is wrong (variant 1)" do + test_with_mock "it rejects objects when attributedTo is wrong (variant 1)", + Pleroma.Web.OStatus, + [:passthrough], + [] do {:error, _} = Fetcher.fetch_object_from_id("https://info.pleroma.site/activity2.json") + + refute called(Pleroma.Web.OStatus.fetch_activity_from_url(:_)) end - test "it rejects objects when attributedTo is wrong (variant 2)" do + test_with_mock "it rejects objects when attributedTo is wrong (variant 2)", + Pleroma.Web.OStatus, + [:passthrough], + [] do {:error, _} = Fetcher.fetch_object_from_id("https://info.pleroma.site/activity3.json") + + refute called(Pleroma.Web.OStatus.fetch_activity_from_url(:_)) end end -- cgit v1.2.3 From 739bbe0d3bbe06ca9d634498ea5909f35fc5ad84 Mon Sep 17 00:00:00 2001 From: Ariadne Conill Date: Sun, 14 Jul 2019 17:47:08 +0000 Subject: security: detect object containment violations at the IR level It is more efficient to check for object containment violations at the IR level instead of in the protocol handlers. OStatus containment is especially a tricky situation, as the containment rules don't match those of IR and ActivityPub. Accordingly, we just always do a final containment check at the IR level before the object is added to the IR object graph. --- test/object/containment_test.exs | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'test/object') diff --git a/test/object/containment_test.exs b/test/object/containment_test.exs index 1beed6236..61cd1b412 100644 --- a/test/object/containment_test.exs 
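Review bot: The three `test_with_mock` cases in "actor origin containment" still use a bare `{:error, _} = Fetcher.fetch_object_from_id(...)` match, so a regression that lets a bogus object through shows up as a MatchError, while the sibling test in this file was already moved to `assert {:error, _} = ...`. The `refute called(Pleroma.Web.OStatus.fetch_activity_from_url(:_))` line carries the real intent of the commit but nothing says why; a comment such as `# a containment failure must not fall back to the OStatus fetcher` would record it, assuming that is the fallback being guarded against. The `Pleroma.Web.OStatus, [:passthrough], []` arguments are repeated verbatim three times, and `setup_with_mocks` inside the `describe` block would state them once.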
+++ b/test/object/containment_test.exs @@ -68,4 +68,34 @@ defmodule Pleroma.Object.ContainmentTest do "[error] Could not decode user at fetch https://n1u.moe/users/rye, {:error, :error}" end end + + describe "containment of children" do + test "contain_child() catches spoofing attempts" do + data = %{ + "id" => "http://example.com/whatever", + "type" => "Create", + "object" => %{ + "id" => "http://example.net/~alyssa/activities/1234", + "attributedTo" => "http://example.org/~alyssa" + }, + "actor" => "http://example.com/~bob" + } + + :error = Containment.contain_child(data) + end + + test "contain_child() allows correct origins" do + data = %{ + "id" => "http://example.org/~alyssa/activities/5678", + "type" => "Create", + "object" => %{ + "id" => "http://example.org/~alyssa/activities/1234", + "attributedTo" => "http://example.org/~alyssa" + }, + "actor" => "http://example.org/~alyssa" + } + + :ok = Containment.contain_child(data) + end + end end -- cgit v1.2.3
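Review bot: The rejecting case in "contain_child() catches spoofing attempts" changes three things at once (activity id and actor on example.com, object id on example.net, attributedTo on example.org), so it does not pin which mismatch `contain_child/1` actually rejects, and a check that only compared the activity's actor with the object would still pass it. A case that differs from the accepted one only in the embedded object's id host would isolate the object-level check; the sketch below assumes that is the comparison intended. Both tests also use bare matches (`:error = ...`, `:ok = ...`), where `assert :error == Containment.contain_child(data)` would give an ExUnit failure with a diff instead of a MatchError. An `"object"` given as a plain id string rather than a map is not covered by either test.

```elixir
    # … unchanged: the two contain_child() tests from this hunk …

    test "contain_child() rejects an object hosted off its attributedTo origin" do
      data = %{
        "id" => "http://example.org/~alyssa/activities/5678",
        "type" => "Create",
        "object" => %{
          "id" => "http://example.net/~alyssa/activities/1234",
          "attributedTo" => "http://example.org/~alyssa"
        },
        "actor" => "http://example.org/~alyssa"
      }

      assert :error == Containment.contain_child(data)
    end
```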