From 2ab8e287289d3b4d6458f6d9cc29c5d29dfcd102 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sat, 17 Nov 2018 18:11:31 +0000
Subject: transmogrifier tests: fix defective spoofing test
---
 test/web/activity_pub/transmogrifier_test.exs | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
(limited to 'test/web/activity_pub')
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index 0278ef5d1..9250598f4 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -872,12 +872,10 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 end
 
 test "it rejects activities which reference objects with bogus origins" do
- user = insert(:user, %{local: false})
-
 data = %{
 "@context" => "https://www.w3.org/ns/activitystreams",
- "id" => user.ap_id <> "/activities/1234",
- "actor" => user.ap_id,
+ "id" => "https://mastodon.example.org/users/admin/activities/1234",
+ "actor" => "https://mastodon.example.org/users/admin",
 "to" => ["https://www.w3.org/ns/activitystreams#Public"],
 "object" => "https://info.pleroma.site/activity.json",
 "type" => "Announce"
-- cgit v1.2.3
From d9cb081f0723881343b6dd71e1bb1b52b5492f2b Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sat, 17 Nov 2018 18:12:11 +0000
Subject: tests: add additional spoofing tests
---
 test/web/activity_pub/transmogrifier_test.exs | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'test/web/activity_pub')
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index 9250598f4..0ba969263 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
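Review bot: With `insert(:user, %{local: false})` removed, the "bogus origins" test no longer creates its own actor, so the hard-coded `https://mastodon.example.org/users/admin` must be resolvable through the test HTTP mock, which this path-limited view does not show. If that URL is not served, the Announce would presumably be rejected at actor lookup and the test would pass without ever reaching the object-origin check it is named for. A comment above the map, e.g. `# actor must resolve via the HTTP mock so the rejection comes from the object's origin, not from actor lookup`, would document the dependency. The test's closing lines and its assertion are outside this hunk.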
@@ -883,5 +883,22 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 
 :error = Transmogrifier.handle_incoming(data)
 end
+
+ test "it rejects objects when the ID does not match the fetched URI" do
+ {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity2.json")
+ end
+
+ test "it rejects activities which reference objects by mismatched URI" do
+ data = %{
+ "@context" => "https://www.w3.org/ns/activitystreams",
+ "id" => "http://mastodon.example.org/users/admin/activities/1234",
+ "actor" => "http://mastodon.example.org/users/admin",
+ "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+ "object" => "https://info.pleroma.site/activity2.json",
+ "type" => "Announce"
+ }
+
+ :error = Transmogrifier.handle_incoming(data)
+ end
 end
 end
-- cgit v1.2.3
From 9c8adfb6efb0adf0638f91533ff1bc9f9df36668 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sat, 17 Nov 2018 18:16:55 +0000
Subject: test: fix more test defects
---
 test/web/activity_pub/transmogrifier_test.exs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'test/web/activity_pub')
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index 0ba969263..e5308d125 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -874,8 +874,8 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 test "it rejects activities which reference objects with bogus origins" do
 data = %{
 "@context" => "https://www.w3.org/ns/activitystreams",
- "id" => "https://mastodon.example.org/users/admin/activities/1234",
- "actor" => "https://mastodon.example.org/users/admin",
+ "id" => "http://mastodon.example.org/users/admin/activities/1234",
+ "actor" => "http://mastodon.example.org/users/admin",
 "to" => ["https://www.w3.org/ns/activitystreams#Public"],
 "object" => "https://info.pleroma.site/activity.json",
 "type" => "Announce"
-- cgit v1.2.3
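Review bot: Both tests added in the `@@ -883,5 +883,22 @@` hunk accept any failure, so they cannot show that the spoofing check itself fired. `{:error, _} = ActivityPub.fetch_object_from_id(...)` matches a transport or missing-fixture error just as readily as an ID-mismatch rejection, and `:error = Transmogrifier.handle_incoming(data)` matches any rejected activity. The `activity2.json` fixture is not part of this path-limited view, so what it encodes cannot be confirmed here; once the rejection reason is known, pin it in the pattern, and until then add a comment such as `# activity2.json: <how its "id" differs from the fetched URL>`. Writing `assert {:error, _} = ...` instead of a bare match would also give ExUnit's pattern diff on failure. The same applies to the variant 2 tests added in the last patch.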
From b483ae0a724a2b76e8c61f63a96d7867339dacb1 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sat, 17 Nov 2018 18:24:58 +0000
Subject: tests: add a second spoofing variant
---
 test/web/activity_pub/transmogrifier_test.exs | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
(limited to 'test/web/activity_pub')
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index e5308d125..6320b5b6e 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -884,11 +884,11 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 :error = Transmogrifier.handle_incoming(data)
 end
 
- test "it rejects objects when the ID does not match the fetched URI" do
+ test "it rejects objects when attributedTo is wrong (variant 1)" do
 {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity2.json")
 end
 
- test "it rejects activities which reference objects by mismatched URI" do
+ test "it rejects activities which reference objects that have an incorrect attribution (variant 1)" do
 data = %{
 "@context" => "https://www.w3.org/ns/activitystreams",
 "id" => "http://mastodon.example.org/users/admin/activities/1234",
@@ -900,5 +900,22 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 
 :error = Transmogrifier.handle_incoming(data)
 end
+
+ test "it rejects objects when attributedTo is wrong (variant 2)" do
+ {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity3.json")
+ end
+
+ test "it rejects activities which reference objects that have an incorrect attribution (variant 2)" do
+ data = %{
+ "@context" => "https://www.w3.org/ns/activitystreams",
+ "id" => "http://mastodon.example.org/users/admin/activities/1234",
+ "actor" => "http://mastodon.example.org/users/admin",
+ "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+ "object" => "https://info.pleroma.site/activity3.json",
+ "type" => "Announce"
+ }
+
+ :error = Transmogrifier.handle_incoming(data)
+ end
 end
 end
-- cgit v1.2.3
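Review bot: The labels "variant 1" and "variant 2" do not say which spoofing case each fixture covers, and nothing in this hunk states how `activity3.json` differs from `activity2.json`. A one-line comment above each test, e.g. `# activity3.json: <what is wrong with its attributedTo/actor>`, would keep the intent reviewable if the fixtures are edited later. The Announce tests also repeat the same map with only `"object"` changed, so a small private helper taking the object URL would remove the duplication and make the differing field obvious.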