Add test for preventing spoofing

2024-07-04 03:45:47 +00:00 · 2020-12-01 08:37:47 +09:00 · 2020-12-01 08:37:47 +09:00 · 569979374f
parent 3c666080a9
commit 569979374f
2 changed files with 67 additions and 0 deletions
--- a/plume-models/src/inbox.rs
+++ b/plume-models/src/inbox.rs
@ -173,6 +173,36 @@ pub(crate) mod tests {
        });
    }

+    #[test]
+    fn spoof_comment() {
+        let r = rockets();
+        let conn = &*r.conn;
+        conn.test_transaction::<_, (), _>(|| {
+            let (posts, users, _) = fill_database(&r);
+            let act = json!({
+                "id": "https://plu.me/comment/1/activity",
+                "actor": users[0].ap_url,
+                "object": {
+                    "type": "Note",
+                    "id": "https://plu.me/comment/1",
+                    "attributedTo": users[1].ap_url,
+                    "inReplyTo": posts[0].ap_url,
+                    "content": "Hello.",
+                    "to": [plume_common::activity_pub::PUBLIC_VISIBILITY]
+                },
+                "type": "Create",
+            });
+
+            assert!(matches!(
+                super::inbox(&r, act.clone()),
+                Err(super::Error::Inbox(
+                    box plume_common::activity_pub::inbox::InboxError::InvalidObject(_),
+                ))
+            ));
+            Ok(())
+        });
+    }
+
    #[test]
    fn create_post() {
        let r = rockets();
@ -214,6 +244,42 @@ pub(crate) mod tests {
        });
    }

+    #[test]
+    fn spoof_post() {
+        let r = rockets();
+        let conn = &*r.conn;
+        conn.test_transaction::<_, (), _>(|| {
+            let (_, users, blogs) = fill_database(&r);
+            let act = json!({
+                "id": "https://plu.me/comment/1/activity",
+                "actor": users[0].ap_url,
+                "object": {
+                    "type": "Article",
+                    "id": "https://plu.me/~/Blog/my-article",
+                    "attributedTo": [users[1].ap_url, blogs[0].ap_url],
+                    "content": "Hello.",
+                    "name": "My Article",
+                    "summary": "Bye.",
+                    "source": {
+                        "content": "Hello.",
+                        "mediaType": "text/markdown"
+                    },
+                    "published": "2014-12-12T12:12:12Z",
+                    "to": [plume_common::activity_pub::PUBLIC_VISIBILITY]
+                },
+                "type": "Create",
+            });
+
+            assert!(matches!(
+                super::inbox(&r, act.clone()),
+                Err(super::Error::Inbox(
+                    box plume_common::activity_pub::inbox::InboxError::InvalidObject(_),
+                ))
+            ));
+            Ok(())
+        });
+    }
+
    #[test]
    fn delete_comment() {
        use crate::comments::*;
--- a/plume-models/src/lib.rs
+++ b/plume-models/src/lib.rs
@ -1,6 +1,7 @@
 #![feature(try_trait)]
 #![feature(never_type)]
 #![feature(proc_macro_hygiene)]
+#![feature(box_patterns)]

 #[macro_use]
 extern crate diesel;