Merge branch 'security/ir-generic-containment' into 'develop'
security: IR-based generic object containment See merge request pleroma/pleroma!1417
This commit is contained in:
commit
509d8058d9
|
@ -42,6 +42,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- Admin API: changed json structure for saving config settings.
|
- Admin API: changed json structure for saving config settings.
|
||||||
- RichMedia: parsers and their order are configured in `rich_media` config.
|
- RichMedia: parsers and their order are configured in `rich_media` config.
|
||||||
|
|
||||||
|
## [1.0.1] - 2019-07-14
|
||||||
|
### Security
|
||||||
|
- OStatus: fix an object spoofing vulnerability.
|
||||||
|
|
||||||
## [1.0.0] - 2019-06-29
|
## [1.0.0] - 2019-06-29
|
||||||
### Security
|
### Security
|
||||||
- Mastodon API: Fix display names not being sanitized
|
- Mastodon API: Fix display names not being sanitized
|
||||||
|
|
|
@ -48,6 +48,9 @@ def contain_origin(id, %{"actor" => _actor} = params) do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def contain_origin(id, %{"attributedTo" => actor} = params),
|
||||||
|
do: contain_origin(id, Map.put(params, "actor", actor))
|
||||||
|
|
||||||
def contain_origin_from_id(_id, %{"id" => nil}), do: :error
|
def contain_origin_from_id(_id, %{"id" => nil}), do: :error
|
||||||
|
|
||||||
def contain_origin_from_id(id, %{"id" => other_id} = _params) do
|
def contain_origin_from_id(id, %{"id" => other_id} = _params) do
|
||||||
|
@ -60,4 +63,9 @@ def contain_origin_from_id(id, %{"id" => other_id} = _params) do
|
||||||
:error
|
:error
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def contain_child(%{"object" => %{"id" => id, "attributedTo" => _} = object}),
|
||||||
|
do: contain_origin(id, object)
|
||||||
|
|
||||||
|
def contain_child(_), do: :ok
|
||||||
end
|
end
|
||||||
|
|
|
@ -8,6 +8,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|
||||||
alias Pleroma.Conversation
|
alias Pleroma.Conversation
|
||||||
alias Pleroma.Notification
|
alias Pleroma.Notification
|
||||||
alias Pleroma.Object
|
alias Pleroma.Object
|
||||||
|
alias Pleroma.Object.Containment
|
||||||
alias Pleroma.Object.Fetcher
|
alias Pleroma.Object.Fetcher
|
||||||
alias Pleroma.Pagination
|
alias Pleroma.Pagination
|
||||||
alias Pleroma.Repo
|
alias Pleroma.Repo
|
||||||
|
@ -126,6 +127,7 @@ def insert(map, local \\ true, fake \\ false) when is_map(map) do
|
||||||
{:ok, map} <- MRF.filter(map),
|
{:ok, map} <- MRF.filter(map),
|
||||||
{recipients, _, _} = get_recipients(map),
|
{recipients, _, _} = get_recipients(map),
|
||||||
{:fake, false, map, recipients} <- {:fake, fake, map, recipients},
|
{:fake, false, map, recipients} <- {:fake, fake, map, recipients},
|
||||||
|
:ok <- Containment.contain_child(map),
|
||||||
{:ok, map, object} <- insert_full_object(map) do
|
{:ok, map, object} <- insert_full_object(map) do
|
||||||
{:ok, activity} =
|
{:ok, activity} =
|
||||||
Repo.insert(%Activity{
|
Repo.insert(%Activity{
|
||||||
|
|
|
@ -68,4 +68,34 @@ test "users cannot be collided through fake direction spoofing attempts" do
|
||||||
"[error] Could not decode user at fetch https://n1u.moe/users/rye, {:error, :error}"
|
"[error] Could not decode user at fetch https://n1u.moe/users/rye, {:error, :error}"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "containment of children" do
|
||||||
|
test "contain_child() catches spoofing attempts" do
|
||||||
|
data = %{
|
||||||
|
"id" => "http://example.com/whatever",
|
||||||
|
"type" => "Create",
|
||||||
|
"object" => %{
|
||||||
|
"id" => "http://example.net/~alyssa/activities/1234",
|
||||||
|
"attributedTo" => "http://example.org/~alyssa"
|
||||||
|
},
|
||||||
|
"actor" => "http://example.com/~bob"
|
||||||
|
}
|
||||||
|
|
||||||
|
:error = Containment.contain_child(data)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "contain_child() allows correct origins" do
|
||||||
|
data = %{
|
||||||
|
"id" => "http://example.org/~alyssa/activities/5678",
|
||||||
|
"type" => "Create",
|
||||||
|
"object" => %{
|
||||||
|
"id" => "http://example.org/~alyssa/activities/1234",
|
||||||
|
"attributedTo" => "http://example.org/~alyssa"
|
||||||
|
},
|
||||||
|
"actor" => "http://example.org/~alyssa"
|
||||||
|
}
|
||||||
|
|
||||||
|
:ok = Containment.contain_child(data)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -416,6 +416,7 @@ test "it ensures that as:Public activities make it to their followers collection
|
||||||
|> Map.put("attributedTo", user.ap_id)
|
|> Map.put("attributedTo", user.ap_id)
|
||||||
|> Map.put("to", ["https://www.w3.org/ns/activitystreams#Public"])
|
|> Map.put("to", ["https://www.w3.org/ns/activitystreams#Public"])
|
||||||
|> Map.put("cc", [])
|
|> Map.put("cc", [])
|
||||||
|
|> Map.put("id", user.ap_id <> "/activities/12345678")
|
||||||
|
|
||||||
data = Map.put(data, "object", object)
|
data = Map.put(data, "object", object)
|
||||||
|
|
||||||
|
@ -439,6 +440,7 @@ test "it ensures that address fields become lists" do
|
||||||
|> Map.put("attributedTo", user.ap_id)
|
|> Map.put("attributedTo", user.ap_id)
|
||||||
|> Map.put("to", nil)
|
|> Map.put("to", nil)
|
||||||
|> Map.put("cc", nil)
|
|> Map.put("cc", nil)
|
||||||
|
|> Map.put("id", user.ap_id <> "/activities/12345678")
|
||||||
|
|
||||||
data = Map.put(data, "object", object)
|
data = Map.put(data, "object", object)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue