Fix url guessing attacks.

author lain <lain@soykaf.club>

Wed, 30 May 2018 18:00:27 +0000 (20:00 +0200)

committer lain <lain@soykaf.club>

Wed, 30 May 2018 18:00:45 +0000 (20:00 +0200)
author lain <lain@soykaf.club>
Wed, 30 May 2018 18:00:27 +0000 (20:00 +0200)
committer lain <lain@soykaf.club>
Wed, 30 May 2018 18:00:45 +0000 (20:00 +0200)
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex

index c7d50893f2b852764c6ac86e9ff5bba4157aae07..a6a9b99eff30604563d37981f5114318a2a1bd8c 100644 (file)
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -20,10 +20,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
  
    def object(conn, %{"uuid" => uuid}) do
      with ap_id <- o_status_url(conn, :object, uuid),
  
    def object(conn, %{"uuid" => uuid}) do
      with ap_id <- o_status_url(conn, :object, uuid),
-         %Object{} = object <- Object.get_cached_by_ap_id(ap_id) do
+         %Object{} = object <- Object.get_cached_by_ap_id(ap_id),
+         {_, true} <- {:public?, ActivityPub.is_public?(object)} do
        conn
        |> put_resp_header("content-type", "application/activity+json")
        |> json(ObjectView.render("object.json", %{object: object}))
        conn
        |> put_resp_header("content-type", "application/activity+json")
        |> json(ObjectView.render("object.json", %{object: object}))
+    else
+      {:public?, false} ->
+        conn
+        |> put_status(404)
+        |> json("Not found")
      end
    end
  
      end
    end
  
diff --git a/lib/pleroma/web/ostatus/ostatus_controller.ex b/lib/pleroma/web/ostatus/ostatus_controller.ex

index f39ebaf2b5f92d0701e4f6efae1d0b0d1ec45db0..53278431e1b766b78c8cc09f825f8e43b4703d76 100644 (file)
--- a/lib/pleroma/web/ostatus/ostatus_controller.ex
+++ b/lib/pleroma/web/ostatus/ostatus_controller.ex
@@ -68,37 +68,47 @@ defmodule Pleroma.Web.OStatus.OStatusController do
      |> send_resp(200, "")
    end
  
      |> send_resp(200, "")
    end
  
-  # TODO: Data leak
    def object(conn, %{"uuid" => uuid} = params) do
      if get_format(conn) == "activity+json" do
        ActivityPubController.object(conn, params)
      else
        with id <- o_status_url(conn, :object, uuid),
             %Activity{} = activity <- Activity.get_create_activity_by_object_ap_id(id),
    def object(conn, %{"uuid" => uuid} = params) do
      if get_format(conn) == "activity+json" do
        ActivityPubController.object(conn, params)
      else
        with id <- o_status_url(conn, :object, uuid),
             %Activity{} = activity <- Activity.get_create_activity_by_object_ap_id(id),
+           {_, true} <- {:public?, ActivityPub.is_public?(activity)},
             %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
          case get_format(conn) do
            "html" -> redirect(conn, to: "/notice/#{activity.id}")
            _ -> represent_activity(conn, activity, user)
          end
             %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
          case get_format(conn) do
            "html" -> redirect(conn, to: "/notice/#{activity.id}")
            _ -> represent_activity(conn, activity, user)
          end
+      else
+        {:public?, false} ->
+          conn
+          |> put_status(404)
+          |> json("Not found")
        end
      end
    end
  
        end
      end
    end
  
-  # TODO: Data leak
    def activity(conn, %{"uuid" => uuid}) do
      with id <- o_status_url(conn, :activity, uuid),
           %Activity{} = activity <- Activity.get_by_ap_id(id),
    def activity(conn, %{"uuid" => uuid}) do
      with id <- o_status_url(conn, :activity, uuid),
           %Activity{} = activity <- Activity.get_by_ap_id(id),
+         {_, true} <- {:public?, ActivityPub.is_public?(activity)},
           %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
        case get_format(conn) do
          "html" -> redirect(conn, to: "/notice/#{activity.id}")
          _ -> represent_activity(conn, activity, user)
        end
           %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
        case get_format(conn) do
          "html" -> redirect(conn, to: "/notice/#{activity.id}")
          _ -> represent_activity(conn, activity, user)
        end
+    else
+      {:public?, false} ->
+        conn
+        |> put_status(404)
+        |> json("Not found")
      end
    end
  
      end
    end
  
-  # TODO: Data leak
    def notice(conn, %{"id" => id}) do
      with %Activity{} = activity <- Repo.get(Activity, id),
    def notice(conn, %{"id" => id}) do
      with %Activity{} = activity <- Repo.get(Activity, id),
+         {_, true} <- {:public?, ActivityPub.is_public?(activity)},
           %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
        case get_format(conn) do
          "html" ->
           %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
        case get_format(conn) do
          "html" ->
@@ -109,6 +119,11 @@ defmodule Pleroma.Web.OStatus.OStatusController do
          _ ->
            represent_activity(conn, activity, user)
        end
          _ ->
            represent_activity(conn, activity, user)
        end
+    else
+      {:public?, false} ->
+        conn
+        |> put_status(404)
+        |> json("Not found")
      end
    end
  
      end
    end
  
diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs

index 25b47ee31db4e3c32e9c91d698bded388de44542..305f9d0e05a692af25a9e1c9bbf6ecda3b10b78e 100644 (file)
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -4,6 +4,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
    alias Pleroma.Web.ActivityPub.{UserView, ObjectView}
    alias Pleroma.{Repo, User}
    alias Pleroma.Activity
    alias Pleroma.Web.ActivityPub.{UserView, ObjectView}
    alias Pleroma.{Repo, User}
    alias Pleroma.Activity
+  alias Pleroma.Web.CommonAPI
  
    describe "/users/:nickname" do
      test "it returns a json representation of the user", %{conn: conn} do
  
    describe "/users/:nickname" do
      test "it returns a json representation of the user", %{conn: conn} do
@@ -32,6 +33,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
  
        assert json_response(conn, 200) == ObjectView.render("object.json", %{object: note})
      end
  
        assert json_response(conn, 200) == ObjectView.render("object.json", %{object: note})
      end
+
+    test "it returns 404 for non-public messages", %{conn: conn} do
+      note = insert(:direct_note)
+      uuid = String.split(note.data["id"], "/") |> List.last()
+
+      conn =
+        conn
+        |> put_req_header("accept", "application/activity+json")
+        |> get("/objects/#{uuid}")
+
+      assert json_response(conn, 404)
+    end
    end
  
    describe "/users/:nickname/inbox" do
    end
  
    describe "/users/:nickname/inbox" do
diff --git a/test/web/ostatus/ostatus_controller_test.exs b/test/web/ostatus/ostatus_controller_test.exs

index ba885509358787988b5e325e449324922b3d7855..faee4fc3e5a8da2a7c943e930e2c16d6bda0f4f4 100644 (file)
--- a/test/web/ostatus/ostatus_controller_test.exs
+++ b/test/web/ostatus/ostatus_controller_test.exs
@@ -77,6 +77,19 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
      assert response(conn, 200) == expected
    end
  
      assert response(conn, 200) == expected
    end
  
+  test "404s on private objects", %{conn: conn} do
+    note_activity = insert(:direct_note_activity)
+    user = User.get_by_ap_id(note_activity.data["actor"])
+    [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["object"]["id"]))
+    url = "/objects/#{uuid}"
+
+    conn =
+      conn
+      |> get(url)
+
+    assert response(conn, 404)
+  end
+
    test "gets an activity", %{conn: conn} do
      note_activity = insert(:note_activity)
      [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"]))
    test "gets an activity", %{conn: conn} do
      note_activity = insert(:note_activity)
      [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"]))
@@ -89,6 +102,18 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
      assert response(conn, 200)
    end
  
      assert response(conn, 200)
    end
  
+  test "404s on private activities", %{conn: conn} do
+    note_activity = insert(:direct_note_activity)
+    [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"]))
+    url = "/activities/#{uuid}"
+
+    conn =
+      conn
+      |> get(url)
+
+    assert response(conn, 404)
+  end
+
    test "gets a notice", %{conn: conn} do
      note_activity = insert(:note_activity)
      url = "/notice/#{note_activity.id}"
    test "gets a notice", %{conn: conn} do
      note_activity = insert(:note_activity)
      url = "/notice/#{note_activity.id}"
@@ -99,4 +124,15 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
  
      assert response(conn, 200)
    end
  
      assert response(conn, 200)
    end
+
+  test "404s a private notice", %{conn: conn} do
+    note_activity = insert(:direct_note_activity)
+    url = "/notice/#{note_activity.id}"
+
+    conn =
+      conn
+      |> get(url)
+
+    assert response(conn, 404)
+  end
  end
  end
author	lain <lain@soykaf.club>
	Wed, 30 May 2018 18:00:27 +0000 (20:00 +0200)
committer	lain <lain@soykaf.club>
	Wed, 30 May 2018 18:00:45 +0000 (20:00 +0200)
lib/pleroma/web/activity_pub/activity_pub_controller.ex		patch \| blob \| history
lib/pleroma/web/ostatus/ostatus_controller.ex		patch \| blob \| history
test/web/activity_pub/activity_pub_controller_test.exs		patch \| blob \| history
test/web/ostatus/ostatus_controller_test.exs		patch \| blob \| history