scalie-business/mastodon
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add tests for CVE-2022-24307 (#17733)

Browse source 
Follow-up to #17426
This commit is contained in:
Claire 2022-03-10 00:11:40 +01:00 committed by GitHub
parent 29ee3c61a3
commit 63c9d2bc28
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 140 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

140
spec/services/activitypub/process_collection_service_spec.rb
View file

@ -91,6 +91,146 @@ RSpec.describe ActivityPub::ProcessCollectionService, type: :service do
subject.call(json, forwarder)
end
context 'when receiving a fabricated status' do
let!(:actor) do
Fabricate(:account,
username: 'bob',
domain: 'example.com',
uri: 'https://example.com/users/bob',
public_key: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuuYyoyfsRkYnXRotMsId\nW3euBDDfiv9oVqOxUVC7bhel8KednIMrMCRWFAkgJhbrlzbIkjVr68o1MP9qLcn7\nCmH/BXHp7yhuFTr4byjdJKpwB+/i2jNEsvDH5jR8WTAeTCe0x/QHg21V3F7dSI5m\nCCZ/1dSIyOXLRTWVlfDlm3rE4ntlCo+US3/7oSWbg/4/4qEnt1HC32kvklgScxua\n4LR5ATdoXa5bFoopPWhul7MJ6NyWCyQyScUuGdlj8EN4kmKQJvphKHrI9fvhgOuG\nTvhTR1S5InA4azSSchY0tXEEw/VNxraeX0KPjbgr6DPcwhPd/m0nhVDq0zVyVBBD\nMwIDAQAB\n-----END PUBLIC KEY-----\n",
private_key: nil)
end
let(:payload) do
{
'@context': [
'https://www.w3.org/ns/activitystreams',
nil,
{'object': 'https://www.w3.org/ns/activitystreams#object'}
],
'id': 'https://example.com/users/bob/fake-status/activity',
'type': 'Create',
'actor': 'https://example.com/users/bob',
'published': '2022-01-22T15:00:00Z',
'to': [
'https://www.w3.org/ns/activitystreams#Public'
],
'cc': [
'https://example.com/users/bob/followers'
],
'signature': {
'type': 'RsaSignature2017',
'creator': 'https://example.com/users/bob#main-key',
'created': '2022-03-09T21:57:25Z',
'signatureValue': 'WculK0LelTQ0MvGwU9TPoq5pFzFfGYRDCJqjZ232/Udj4CHqDTGOSw5UTDLShqBOyycCkbZGrQwXG+dpyDpQLSe1UVPZ5TPQtc/9XtI57WlS2nMNpdvRuxGnnb2btPdesXZ7n3pCxo0zjaXrJMe0mqQh5QJO22mahb4bDwwmfTHgbD3nmkD+fBfGi+UV2qWwqr+jlV4L4JqNkh0gWljF5KTePLRRZCuWiQ/FAt7c67636cdIPf7fR+usjuZltTQyLZKEGuK8VUn2Gkfsx5qns7Vcjvlz1JqlAjyO8HPBbzTTHzUG2nUOIgC3PojCSWv6mNTmRGoLZzOscCAYQA6cKw=='
},
'@id': 'https://example.com/users/bob/statuses/107928807471117876/activity',
'@type': 'https://www.w3.org/ns/activitystreams#Create',
'https://www.w3.org/ns/activitystreams#actor': {
'@id': 'https://example.com/users/bob'
},
'https://www.w3.org/ns/activitystreams#cc': {
'@id': 'https://example.com/users/bob/followers'
},
'object': {
'id': 'https://example.com/users/bob/fake-status',
'type': 'Note',
'published': '2022-01-22T15:00:00Z',
'url': 'https://www.youtube.com/watch?v=dQw4w9WgXcQ&feature=puck-was-here',
'attributedTo': 'https://example.com/users/bob',
'to': [
'https://www.w3.org/ns/activitystreams#Public'
],
'cc': [
'https://example.com/users/bob/followers'
],
'sensitive': false,
'atomUri': 'https://example.com/users/bob/fake-status',
'conversation': 'tag:example.com,2022-03-09:objectId=15:objectType=Conversation',
'content': '<p>puck was here</p>',
'@id': 'https://example.com/users/bob/statuses/107928807471117876',
'@type': 'https://www.w3.org/ns/activitystreams#Note',
'http://ostatus.org#atomUri': 'https://example.com/users/bob/statuses/107928807471117876',
'http://ostatus.org#conversation': 'tag:example.com,2022-03-09:objectId=15:objectType=Conversation',
'https://www.w3.org/ns/activitystreams#attachment': [],
'https://www.w3.org/ns/activitystreams#attributedTo': {
'@id': 'https://example.com/users/bob'
},
'https://www.w3.org/ns/activitystreams#cc': {
'@id': 'https://example.com/users/bob/followers'
},
'https://www.w3.org/ns/activitystreams#content': [
'<p>hello world</p>',
{
'@value': '<p>hello world</p>',
'@language': 'en'
}
],
'https://www.w3.org/ns/activitystreams#published': {
'@type': 'http://www.w3.org/2001/XMLSchema#dateTime',
'@value': '2022-03-09T21:55:07Z'
},
'https://www.w3.org/ns/activitystreams#replies': {
'@id': 'https://example.com/users/bob/statuses/107928807471117876/replies',
'@type': 'https://www.w3.org/ns/activitystreams#Collection',
'https://www.w3.org/ns/activitystreams#first': {
'@type': 'https://www.w3.org/ns/activitystreams#CollectionPage',
'https://www.w3.org/ns/activitystreams#items': [],
'https://www.w3.org/ns/activitystreams#next': {
'@id': 'https://example.com/users/bob/statuses/107928807471117876/replies?only_other_accounts=true&page=true'
},
'https://www.w3.org/ns/activitystreams#partOf': {
'@id': 'https://example.com/users/bob/statuses/107928807471117876/replies'
}
}
},
'https://www.w3.org/ns/activitystreams#sensitive': false,
'https://www.w3.org/ns/activitystreams#tag': [],
'https://www.w3.org/ns/activitystreams#to': {
'@id': 'https://www.w3.org/ns/activitystreams#Public'
},
'https://www.w3.org/ns/activitystreams#url': {
'@id': 'https://example.com/@bob/107928807471117876'
}
},
'https://www.w3.org/ns/activitystreams#published': {
'@type': 'http://www.w3.org/2001/XMLSchema#dateTime',
'@value': '2022-03-09T21:55:07Z'
},
'https://www.w3.org/ns/activitystreams#to': {
'@id': 'https://www.w3.org/ns/activitystreams#Public'
}
}
end
it 'does not process forged payload' do
expect(ActivityPub::Activity).not_to receive(:factory).with(
hash_including(
'object' => hash_including(
'id' => 'https://example.com/users/bob/fake-status'
)
),
anything(),
anything()
)
expect(ActivityPub::Activity).not_to receive(:factory).with(
hash_including(
'object' => hash_including(
'content' => '<p>puck was here</p>'
)
),
anything(),
anything()
)
subject.call(json, forwarder)
expect(Status.where(uri: 'https://example.com/users/bob/fake-status').exists?).to be false
end
end
end
end
end