mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2024-12-23 08:36:29 +00:00
Merge branch 'security/activitypub-reject-bogus-ids' into 'develop'
security: activitypub: reject activities with bogus ids See merge request pleroma/pleroma!286
This commit is contained in:
commit
e416469a40
2 changed files with 18 additions and 0 deletions
|
@ -177,6 +177,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
|
||||||
|
|
||||||
def fix_content_map(object), do: object
|
def fix_content_map(object), do: object
|
||||||
|
|
||||||
|
# disallow objects with bogus IDs
|
||||||
|
def handle_incoming(%{"id" => nil}), do: :error
|
||||||
|
def handle_incoming(%{"id" => ""}), do: :error
|
||||||
|
# length of https:// = 8, should validate better, but good enough for now.
|
||||||
|
def handle_incoming(%{"id" => id}) when not (is_binary(id) and length(id) > 8), do: :error
|
||||||
|
|
||||||
# TODO: validate those with a Ecto scheme
|
# TODO: validate those with a Ecto scheme
|
||||||
# - tags
|
# - tags
|
||||||
# - emoji
|
# - emoji
|
||||||
|
|
|
@ -615,6 +615,18 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
|
||||||
|
|
||||||
assert User.following?(follower, followed) == false
|
assert User.following?(follower, followed) == false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "it rejects activities without a valid ID" do
|
||||||
|
user = insert(:user)
|
||||||
|
|
||||||
|
data =
|
||||||
|
File.read!("test/fixtures/mastodon-follow-activity.json")
|
||||||
|
|> Poison.decode!()
|
||||||
|
|> Map.put("object", user.ap_id)
|
||||||
|
|> Map.put("id", "")
|
||||||
|
|
||||||
|
:error = Transmogrifier.handle_incoming(data)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "prepare outgoing" do
|
describe "prepare outgoing" do
|
||||||
|
|
Loading…
Reference in a new issue