Remove containment tests from transmogrifier and fix thread visibility solver

This commit is contained in:
rinpatch 2019-04-17 17:59:15 +03:00
parent d1eb578a57
commit 35ac672b8d
4 changed files with 15 additions and 69 deletions

View file

@ -9,9 +9,6 @@ defmodule Pleroma.Object.Containment do
Object containment is an important step in validating remote objects to prevent Object containment is an important step in validating remote objects to prevent
spoofing, therefore removal of object containment functions is NOT recommended. spoofing, therefore removal of object containment functions is NOT recommended.
""" """
require Logger
def get_actor(%{"actor" => actor}) when is_binary(actor) do def get_actor(%{"actor" => actor}) when is_binary(actor) do
actor actor
end end

View file

@ -41,16 +41,19 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
# guard # guard
def entire_thread_visible_for_user?(nil, _user), do: false def entire_thread_visible_for_user?(nil, _user), do: false
# child # XXX: Probably even more inefficient than the previous implementation, intended to be a placeholder untill https://git.pleroma.social/pleroma/pleroma/merge_requests/971 is in develop
def entire_thread_visible_for_user?( def entire_thread_visible_for_user?(
%Activity{data: %{"object" => %{"inReplyTo" => parent_id}}} = tail, %Activity{} = tail,
# %Activity{data: %{"object" => %{"inReplyTo" => parent_id}}} = tail,
user user
) ) do
when is_binary(parent_id) do case Object.normalize(tail) do
%{data: %{"inReplyTo" => parent_id}} when is_binary(parent_id) ->
parent = Activity.get_in_reply_to_activity(tail) parent = Activity.get_in_reply_to_activity(tail)
visible_for_user?(tail, user) && entire_thread_visible_for_user?(parent, user) visible_for_user?(tail, user) && entire_thread_visible_for_user?(parent, user)
end
# root _ ->
def entire_thread_visible_for_user?(tail, user), do: visible_for_user?(tail, user) visible_for_user?(tail, user)
end
end
end end

View file

@ -832,7 +832,9 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
activities = ActivityPub.fetch_activities([user1.ap_id | user1.following]) activities = ActivityPub.fetch_activities([user1.ap_id | user1.following])
private_activity_1 = Activity.get_by_ap_id_with_object(private_activity_1.data["id"]) private_activity_1 = Activity.get_by_ap_id_with_object(private_activity_1.data["id"])
assert [public_activity, private_activity_1, private_activity_3] == activities assert [public_activity, private_activity_1, private_activity_3] ==
activities
assert length(activities) == 3 assert length(activities) == 3
activities = ActivityPub.contain_timeline(activities, user1) activities = ActivityPub.contain_timeline(activities, user1)

View file

@ -1136,62 +1136,6 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
end end
end end
describe "general origin containment" do
test "contain_origin_from_id() catches obvious spoofing attempts" do
data = %{
"id" => "http://example.com/~alyssa/activities/1234.json"
}
:error =
Transmogrifier.contain_origin_from_id(
"http://example.org/~alyssa/activities/1234.json",
data
)
end
test "contain_origin_from_id() allows alternate IDs within the same origin domain" do
data = %{
"id" => "http://example.com/~alyssa/activities/1234.json"
}
:ok =
Transmogrifier.contain_origin_from_id(
"http://example.com/~alyssa/activities/1234",
data
)
end
test "contain_origin_from_id() allows matching IDs" do
data = %{
"id" => "http://example.com/~alyssa/activities/1234.json"
}
:ok =
Transmogrifier.contain_origin_from_id(
"http://example.com/~alyssa/activities/1234.json",
data
)
end
test "users cannot be collided through fake direction spoofing attempts" do
insert(:user, %{
nickname: "rye@niu.moe",
local: false,
ap_id: "https://niu.moe/users/rye",
follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"})
})
{:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")
end
test "all objects with fake directions are rejected by the object fetcher" do
{:error, _} =
Fetcher.fetch_and_contain_remote_object_from_id(
"https://info.pleroma.site/activity4.json"
)
end
end
describe "reserialization" do describe "reserialization" do
test "successfully reserializes a message with inReplyTo == nil" do test "successfully reserializes a message with inReplyTo == nil" do
user = insert(:user) user = insert(:user)