| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
 | # Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Object.ContainmentTest do
  use Pleroma.DataCase
  alias Pleroma.Object.Containment
  alias Pleroma.User
  import Pleroma.Factory
  import ExUnit.CaptureLog
  setup_all do
    Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end)
    :ok
  end
  describe "general origin containment" do
    test "works for completely actorless posts" do
      assert :error ==
               Containment.contain_origin("https://glaceon.social/users/monorail", %{
                 "deleted" => "2019-10-30T05:48:50.249606Z",
                 "formerType" => "Note",
                 "id" => "https://glaceon.social/users/monorail/statuses/103049757364029187",
                 "type" => "Tombstone"
               })
    end
    test "contain_origin_from_id() catches obvious spoofing attempts" do
      data = %{
        "id" => "http://example.com/~alyssa/activities/1234.json"
      }
      :error =
        Containment.contain_origin_from_id(
          "http://example.org/~alyssa/activities/1234.json",
          data
        )
    end
    test "contain_origin_from_id() allows alternate IDs within the same origin domain" do
      data = %{
        "id" => "http://example.com/~alyssa/activities/1234.json"
      }
      :ok =
        Containment.contain_origin_from_id(
          "http://example.com/~alyssa/activities/1234",
          data
        )
    end
    test "contain_origin_from_id() allows matching IDs" do
      data = %{
        "id" => "http://example.com/~alyssa/activities/1234.json"
      }
      :ok =
        Containment.contain_origin_from_id(
          "http://example.com/~alyssa/activities/1234.json",
          data
        )
    end
    test "users cannot be collided through fake direction spoofing attempts" do
      _user =
        insert(:user, %{
          nickname: "rye@niu.moe",
          local: false,
          ap_id: "https://niu.moe/users/rye",
          follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"})
        })
      assert capture_log(fn ->
               {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")
             end) =~
               "[error] Could not decode user at fetch https://n1u.moe/users/rye"
    end
    test "contain_origin_from_id() gracefully handles cases where no ID is present" do
      data = %{
        "type" => "Create",
        "object" => %{
          "id" => "http://example.net/~alyssa/activities/1234",
          "attributedTo" => "http://example.org/~alyssa"
        },
        "actor" => "http://example.com/~bob"
      }
      :error =
        Containment.contain_origin_from_id("http://example.net/~alyssa/activities/1234", data)
    end
  end
  describe "containment of children" do
    test "contain_child() catches spoofing attempts" do
      data = %{
        "id" => "http://example.com/whatever",
        "type" => "Create",
        "object" => %{
          "id" => "http://example.net/~alyssa/activities/1234",
          "attributedTo" => "http://example.org/~alyssa"
        },
        "actor" => "http://example.com/~bob"
      }
      :error = Containment.contain_child(data)
    end
    test "contain_child() allows correct origins" do
      data = %{
        "id" => "http://example.org/~alyssa/activities/5678",
        "type" => "Create",
        "object" => %{
          "id" => "http://example.org/~alyssa/activities/1234",
          "attributedTo" => "http://example.org/~alyssa"
        },
        "actor" => "http://example.org/~alyssa"
      }
      :ok = Containment.contain_child(data)
    end
  end
end
 |