git.squeep.com Git - akkoma/blob - test/object/containment_test.exs

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Object.ContainmentTest do
   6   use Pleroma.DataCase
   7
   8   alias Pleroma.Object.Containment
   9   alias Pleroma.User
  10
  11   import Pleroma.Factory
  12   import ExUnit.CaptureLog
  13
  14   setup_all do
  15     Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end)
  16     :ok
  17   end
  18
  19   describe "general origin containment" do
  20     test "contain_origin_from_id() catches obvious spoofing attempts" do
  21       data = %{
  22         "id" => "http://example.com/~alyssa/activities/1234.json"
  23       }
  24
  25       :error =
  26         Containment.contain_origin_from_id(
  27           "http://example.org/~alyssa/activities/1234.json",
  28           data
  29         )
  30     end
  31
  32     test "contain_origin_from_id() allows alternate IDs within the same origin domain" do
  33       data = %{
  34         "id" => "http://example.com/~alyssa/activities/1234.json"
  35       }
  36
  37       :ok =
  38         Containment.contain_origin_from_id(
  39           "http://example.com/~alyssa/activities/1234",
  40           data
  41         )
  42     end
  43
  44     test "contain_origin_from_id() allows matching IDs" do
  45       data = %{
  46         "id" => "http://example.com/~alyssa/activities/1234.json"
  47       }
  48
  49       :ok =
  50         Containment.contain_origin_from_id(
  51           "http://example.com/~alyssa/activities/1234.json",
  52           data
  53         )
  54     end
  55
  56     test "users cannot be collided through fake direction spoofing attempts" do
  57       _user =
  58         insert(:user, %{
  59           nickname: "rye@niu.moe",
  60           local: false,
  61           ap_id: "https://niu.moe/users/rye",
  62           follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"})
  63         })
  64
  65       assert capture_log(fn ->
  66                {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")
  67              end) =~
  68                "[error] Could not decode user at fetch https://n1u.moe/users/rye"
  69     end
  70
  71     test "contain_origin_from_id() gracefully handles cases where no ID is present" do
  72       data = %{
  73         "type" => "Create",
  74         "object" => %{
  75           "id" => "http://example.net/~alyssa/activities/1234",
  76           "attributedTo" => "http://example.org/~alyssa"
  77         },
  78         "actor" => "http://example.com/~bob"
  79       }
  80
  81       :error =
  82         Containment.contain_origin_from_id("http://example.net/~alyssa/activities/1234", data)
  83     end
  84   end
  85
  86   describe "containment of children" do
  87     test "contain_child() catches spoofing attempts" do
  88       data = %{
  89         "id" => "http://example.com/whatever",
  90         "type" => "Create",
  91         "object" => %{
  92           "id" => "http://example.net/~alyssa/activities/1234",
  93           "attributedTo" => "http://example.org/~alyssa"
  94         },
  95         "actor" => "http://example.com/~bob"
  96       }
  97
  98       :error = Containment.contain_child(data)
  99     end
 100
 101     test "contain_child() allows correct origins" do
 102       data = %{
 103         "id" => "http://example.org/~alyssa/activities/5678",
 104         "type" => "Create",
 105         "object" => %{
 106           "id" => "http://example.org/~alyssa/activities/1234",
 107           "attributedTo" => "http://example.org/~alyssa"
 108         },
 109         "actor" => "http://example.org/~alyssa"
 110       }
 111
 112       :ok = Containment.contain_child(data)
 113     end
 114   end
 115 end