mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2024-12-23 08:36:29 +00:00
Merge branch 'security/activitypub-reject-bogus-ids' into 'develop'
security: activitypub: reject activities with bogus ids See merge request pleroma/pleroma!286
This commit is contained in:
commit
e416469a40
2 changed files with 18 additions and 0 deletions
|
@ -177,6 +177,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
|
|||
|
||||
def fix_content_map(object), do: object
|
||||
|
||||
# disallow objects with bogus IDs
|
||||
def handle_incoming(%{"id" => nil}), do: :error
|
||||
def handle_incoming(%{"id" => ""}), do: :error
|
||||
# length of https:// = 8, should validate better, but good enough for now.
|
||||
def handle_incoming(%{"id" => id}) when not (is_binary(id) and length(id) > 8), do: :error
|
||||
|
||||
# TODO: validate those with a Ecto scheme
|
||||
# - tags
|
||||
# - emoji
|
||||
|
|
|
@ -615,6 +615,18 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
|
|||
|
||||
assert User.following?(follower, followed) == false
|
||||
end
|
||||
|
||||
test "it rejects activities without a valid ID" do
|
||||
user = insert(:user)
|
||||
|
||||
data =
|
||||
File.read!("test/fixtures/mastodon-follow-activity.json")
|
||||
|> Poison.decode!()
|
||||
|> Map.put("object", user.ap_id)
|
||||
|> Map.put("id", "")
|
||||
|
||||
:error = Transmogrifier.handle_incoming(data)
|
||||
end
|
||||
end
|
||||
|
||||
describe "prepare outgoing" do
|
||||
|
|
Loading…
Reference in a new issue