akkoma/test/fixtures
Oneric 8684964c5d Only allow exact id matches
This protects us from falling for obvious spoofs as from the current
upload exploit (unfortunately we can’t reasonably do anything about
spoofs with exact matches as was possible via emoji and proxy).

Such objects being invalid is supported by the spec, sepcifically
sections 3.1 and 3.2: https://www.w3.org/TR/activitypub/#obj-id

Anonymous objects are not relevant here (they can only exists within
parent objects iiuc) and neither is client-to-server or transient objects
(as those cannot be fetched in the first place).
This leaves us with the requirement for `id` to (a) exist and
(b) be a publicly dereferencable URI from the originating server.
This alone does not yet demand strict equivalence, but the spec then
further explains objects ought to be fetchable _via their ID_.
Meaning an object not retrievable via its ID, is invalid.

This reading is supported by the fact, e.g. GoToSocial (recently) and
Mastodon (for 6+ years) do already implement such strict ID checks,
additionally proving this doesn’t cause federation issues in practice.

However, apart from canonical IDs there can also be additional display
URLs. *omas first redirect those to their canonical location, but *keys
and Mastodon directly serve the AP representation without redirects.

Mastodon and GTS deal with this in two different ways,
but both constitute an effective countermeasure:
 - Mastodon:
   Unless it already is a known AP id, two fetches occur.
   The first fetch just reads the `id` property and then refetches from
   the id. The last fetch requires the returned id to exactly match the
   URL the content was fetched from. (This can be optimised by skipping
   the second fetch if it already matches)
   05eda8d193/app/helpers/jsonld_helper.rb (L168)
   63f0979799

 - GTS:
   Only does a single fetch and then checks if _either_ the id
   _or_ url property (which can be an object) match the original fetch
   URL. This relies on implementations always including their display URL
   as "url" if differing from the id. For actors this is true for all
   investigated implementations, for posts only Mastodon includes an
   "url", but it is also the only one with a differing display URL.
   2bafd7daf5 (diff-943bbb02c8ac74ac5dc5d20807e561dcdfaebdc3b62b10730f643a20ac23c24fR222)

Albeit Mastodon’s refetch offers higher compatibility with theoretical
implmentations using either multiple different display URL or not
denoting any of them as "url" at all, for now we chose to adopt a
GTS-like refetch-free approach to avoid additional implementation
concerns wrt to whether redirects should be allowed when fetching a
canonical AP id and potential for accidentally loosening some checks
(e.g. cross-domain refetches) for one of the fetches.
This may be reconsidered in the future.
2024-03-25 14:05:05 -01:00
..
bridgy Sanity check fetched user data 2024-03-25 14:05:05 -01:00
collections Add collection fetching module 2022-07-03 19:20:59 +01:00
config Remove quack, ensure adapter is finch 2022-12-11 23:22:35 +00:00
emoji/packs tests for emoji mix task 2020-04-06 11:13:59 +03:00
fedibird Quote posting (#113) 2022-07-25 16:30:06 +00:00
fetch_mocks Fetcher: Work when we can't get the OP. 2020-07-01 11:48:51 +02:00
friendica Add support for a first reference in pinned objects 2022-07-03 17:25:20 +01:00
mastodon add inbound language test 2023-01-11 15:42:13 +00:00
microblogpub microblogpub federation fixes (#288) 2022-11-18 11:14:35 +00:00
misskey Interpret \n as newline for MFM 2023-02-18 19:56:11 +01:00
modules MRF: create MRF.Policy behaviour separate from MRF module 2021-06-07 14:22:08 -05:00
peertube Video: Handle peertube videos only stashing attachments in x-mpegURL 2021-02-21 23:41:28 +01:00
preload_static/instance Preload: Load the correct instance panel 2020-06-30 11:35:54 +02:00
quote_post Quote posting (#113) 2022-07-25 16:30:06 +00:00
relay relay list shows hosts without accepted follow 2020-03-02 09:27:20 +03:00
rich_media add the rich media ttl based on image exp time 2019-07-17 00:20:34 +05:45
rsa_keys Use set of pregenerated RSA keys 2022-09-11 20:14:58 +01:00
runtime_modules extend custom runtime system (#108) 2022-07-24 16:42:43 +00:00
statuses mastodon pins 2021-03-25 13:03:40 +03:00
tesla_mock Only allow exact id matches 2024-03-25 14:05:05 -01:00
users_mock Never fetch resource from ourselves 2024-03-25 14:05:05 -01:00
warnings/otp_version otp_version refactor 2020-03-03 12:21:10 +03:00
webfinger Support reaching user@sub.domain.tld at user@domain.tld (#134) 2022-08-02 13:54:22 +00:00
activitypub-client-post-activity.json Pipeline Ingestion: Note 2021-04-05 19:19:11 +02:00
avatar_data_uri Fix more specs. 2018-02-25 17:48:31 +01:00
bogus-mastodon-announce.json Add test for handling Announces with inlined object from different origin 2019-10-05 13:56:40 +02:00
bookwyrm-article.json just drop unknown tags 2022-01-07 20:14:04 +00:00
bookwyrm-replies-collection.json Add compatibility with bookwyrm's weird entities 2022-01-07 16:51:04 +00:00
create-chat-message.json ChatMessage: Correctly ingest emoji tags. 2020-04-23 16:19:49 +02:00
create-pleroma-reply-to-misskey-thread.json Transmogrifier: fix reply context fixing 2022-08-04 12:57:48 +01:00
custom-emoji-reaction.json fix emoji tests 2022-06-11 14:08:54 +01:00
custom_instance_panel.html AdminAPI: Allow to modify Terms of Service and Instance Panel via Admin API 2020-09-17 16:48:07 +03:00
DSCN0010.jpg Support Exiftool for stripping EXIF data 2020-07-10 16:46:26 -05:00
emoji-reaction-no-emoji.json EmojiReactions: Rename to EmojiReacts 2020-02-06 18:09:57 +01:00
emoji-reaction-too-long.json EmojiReactions: Rename to EmojiReacts 2020-02-06 18:09:57 +01:00
emoji-reaction.json EmojiReactions: Rename to EmojiReacts 2020-02-06 18:09:57 +01:00
emojis.zip finland-emojis.zip -> emojis.zip 2020-09-22 21:58:30 +03:00
empty.zip added tests 2020-08-24 15:01:45 +03:00
friendica_salmon.xml Ignore padding for salmon public keys. 2017-08-25 15:09:05 +02:00
guppe-actor.json ActivtityPub Test: Add example for guppe actor 2021-01-07 16:20:30 +01:00
host-meta-zetsubou.xn--q9jyb4c.xml support for idna domains 2019-07-10 15:23:25 +00:00
hubzilla-follow-activity.json tests: add test for hubzilla follow activity too 2018-05-19 03:28:32 -05:00
image.gif [#2497] Configurability of :min_content_length (preview proxy). Refactoring, documentation, tests. 2020-09-17 17:13:40 +03:00
image.jpg used imageOptim to reduce size of image files 2019-03-19 10:10:48 +01:00
image.png [#2497] Configurability of :min_content_length (preview proxy). Refactoring, documentation, tests. 2020-09-17 17:13:40 +03:00
kroeg-announce-with-inline-actor.json Transmogrifier Test: Extract Announce handling. 2020-05-18 14:48:37 +02:00
kroeg-array-less-emoji.json transmogrifier: Add support for array-less hashtags, add broken announce, harden get_actor 2018-09-27 20:00:47 +02:00
kroeg-array-less-hashtag.json transmogrifier: Add support for array-less hashtags, add broken announce, harden get_actor 2018-09-27 20:00:47 +02:00
kroeg-post-activity.json test: add kroeg fixtures 2018-08-14 17:09:17 +00:00
lain.xml support for idna domains 2019-07-10 15:23:25 +00:00
lambadalambda.json twitter api registration 2019-04-06 17:18:59 +07:00
margaret-corbin-grave-west-point.html meta tag parser respect first title header 2020-01-28 19:29:27 +03:00
mastodon-accept-activity.json ActivityPub: Send out Accept after Follow. 2018-02-17 16:08:55 +01:00
mastodon-announce-private.json Import object from self-Announce whenever possible 2019-10-05 13:56:40 +02:00
mastodon-announce.json Add test fixtures. 2018-02-17 21:56:52 +01:00
mastodon-block-activity.json Formatting and add tests for blocks/unblocks 2018-05-19 21:23:52 -04:00
mastodon-create-with-attachment.json ActivityPub: Handle attachments. 2018-02-17 18:38:58 +01:00
mastodon-delete-user.json Send and handle "Delete" activity for deleted users 2019-07-10 05:16:08 +00:00
mastodon-delete.json Fix badly formatted JSON fixtures which causes Jason to erroneously detect control characters 2020-11-23 14:48:14 -06:00
mastodon-follow-activity.json ActivityPub: Partly handle incoming follows. 2018-02-17 14:55:44 +01:00
mastodon-like.json ActivityPub: Handle incoming likes. 2018-02-17 20:13:12 +01:00
mastodon-note-object.json Announcements: Handle through common pipeline. 2020-05-20 15:44:37 +02:00
mastodon-post-activity-contentmap.json tests: add regression test for contentMap-only posts 2018-06-18 22:14:51 +00:00
mastodon-post-activity-hashtag.json activitypub transmogrifier: rewrite incoming hashtags 2018-03-24 16:42:17 -05:00
mastodon-post-activity-nsfw.json Transmogrifier: Downcase incoming Hashtags 2020-10-19 15:40:50 +02:00
mastodon-post-activity.json [#1505] Improved replies-handling tests: updated Mastodon message fixture, used exact Pleroma federation message. 2020-02-10 11:46:16 +03:00
mastodon-question-activity.json question_validator: fix for mastodon poll expiration 2020-07-15 11:39:56 +02:00
mastodon-reject-activity.json activitypub transmogrifier: cleanups and tests for incoming accepts/rejects 2018-05-25 12:53:12 +00:00
mastodon-unblock-activity.json Fix unblock handling 2018-05-21 05:00:58 -04:00
mastodon-undo-announce.json Update test fixture 2018-05-12 11:10:49 -04:00
mastodon-undo-like-compact-object.json Transmogrifier: Handle compact objects in undos. 2019-09-30 18:13:05 +02:00
mastodon-undo-like.json Support Undo like activities (Fix #139) 2018-05-19 22:14:15 +02:00
mastodon-unfollow-activity.json Fix unfollows 2018-05-20 21:01:14 -04:00
mastodon-update.json Support user attachment update in Transmogrifier 2019-08-14 14:52:54 +07:00
mastodon-vote.json Handle poll votes 2019-05-21 14:12:10 +03:00
mewmew_no_name.json purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
misskey-like.json fix emoji tests 2022-06-11 14:08:54 +01:00
nypd-facial-recognition-children-teenagers.html [#1150] fixed parser TwitterCard 2019-08-06 20:19:28 +00:00
nypd-facial-recognition-children-teenagers2.html [#1150] fixed parser TwitterCard 2019-08-06 20:19:28 +00:00
nypd-facial-recognition-children-teenagers3.html [#1150] fixed parser TwitterCard 2019-08-06 20:19:28 +00:00
nypd-facial-recognition-children-teenagers4.html title parse improvement 2020-01-29 11:13:34 +03:00
osada-follow-activity.json Fix badly formatted JSON fixtures which causes Jason to erroneously detect control characters 2020-11-23 14:48:14 -06:00
owncast-note-with-attachment.json Fix broken attachments from owncast (#31) 2022-07-01 11:14:55 +00:00
prismo-url-map.json add missing prismo testcase data 2018-11-10 11:11:01 +00:00
private_key.pem Salmon creation. 2017-04-26 14:25:44 +02:00
quoted_status.json Quote posting (#113) 2022-07-25 16:30:06 +00:00
rel_me_anchor.html Pleroma.Web.RelMeTest: Add test against Pleroma.Web.RelMe 2019-03-02 06:31:33 +01:00
rel_me_anchor_nofollow.html Web.RelMe: Fix having other values in rel attr 2019-03-05 02:13:22 +01:00
rel_me_link.html Pleroma.Web.RelMeTest: Add test against Pleroma.Web.RelMe 2019-03-02 06:31:33 +01:00
rel_me_null.html Web.RelMe: Fix having other values in rel attr 2019-03-05 02:13:22 +01:00
salmon.xml Decode and verify salmons. 2017-04-23 15:21:58 +02:00
salmon2.xml Make key fetching use ostatus fetching. 2017-04-29 19:47:56 +02:00
sound.mp3 Add mascot get/set tests 2019-05-20 12:58:06 +01:00
spoofed-object.json Fix object spoofing vulnerability in attachments 2020-11-12 15:25:33 +03:00
test.txt Mix Task Frontend test: Expand. 2020-08-07 16:03:06 +02:00
user_full.xml Add incoming xml fixtures. 2017-04-24 18:46:02 +02:00
user_name_only.xml Add incoming xml fixtures. 2017-04-24 18:46:02 +02:00
video.mp4 Add test for AnalyzeMetadata upload filter fetching dimensions from a video 2021-06-08 14:02:56 -05:00
webfinger.xml Add some basic webfingering. 2017-04-28 17:41:12 +02:00
xml_billion_laughs.xml Completely disable xml entity resolution 2023-08-05 12:32:05 +00:00
xml_external_entities.xml Add unit test for external entity loading 2023-08-04 22:24:32 +01:00
xml_normal.xml Add XML matcher 2023-08-07 11:12:14 +01:00