diff --git a/plume-common/src/activity_pub/inbox.rs b/plume-common/src/activity_pub/inbox.rs
index fdfec3e1..5ce078c7 100644
--- a/plume-common/src/activity_pub/inbox.rs
+++ b/plume-common/src/activity_pub/inbox.rs
@@ -242,11 +242,11 @@ where
 match attributed_to {
 Array(v) => v.iter().all(|i| match i {
 String(s) => s != actor_id,
- Object(_) => false, // TODO: Validate recursively"
+ Object(obj) => obj.get("id").map_or(true, |s| s != actor_id),
 _ => false,
 }),
 String(s) => s != actor_id,
- Object(_) => false, // TODO: Validate Recursively
+ Object(obj) => obj.get("id").map_or(true, |s| s != actor_id),
 _ => false,
 }
 }
diff --git a/plume-models/src/inbox.rs b/plume-models/src/inbox.rs
index 1ffcc763..51782bfd 100644
--- a/plume-models/src/inbox.rs
+++ b/plume-models/src/inbox.rs
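Review bot: The two new `Object(obj)` arms fail closed when `id` is absent (`map_or(true, …)`), but the `_ => false` arms next to them still fail open: inside the `Array` branch one element that is neither a string nor an object (a `null`, a number) makes `all` return `false`, so the whole `attributedTo` list is treated as not spoofed, and a top-level value of such a type behaves the same way. If `true` means spoofed here, as the four new tests expect, both should become `_ => true,` so that anything the check cannot interpret is rejected rather than accepted. The two `Object` arms are also identical; a local closure such as `let not_actor = |id: Option<&serde_json::Value>| id.map_or(true, |id| id != actor_id);` called as `not_actor(obj.get("id"))` from both arms keeps them from drifting apart. The enclosing function starts before this hunk, so its return-value convention is inferred from the arms and the tests rather than seen.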
@@ -203,6 +203,67 @@ pub(crate) mod tests {
 });
 }
 
+ #[test]
+ fn spoof_comment_by_object_with_id() {
+ let r = rockets();
+ let conn = &*r.conn;
+ conn.test_transaction::<_, (), _>(|| {
+ let (posts, users, _) = fill_database(&r);
+ let act = json!({
+ "id": "https://plu.me/comment/1/activity",
+ "actor": users[0].ap_url,
+ "object": {
+ "type": "Note",
+ "id": "https://plu.me/comment/1",
+ "attributedTo": {
+ "id": users[1].ap_url
+ },
+ "inReplyTo": posts[0].ap_url,
+ "content": "Hello.",
+ "to": [plume_common::activity_pub::PUBLIC_VISIBILITY]
+ },
+ "type": "Create",
+ });
+
+ assert!(matches!(
+ super::inbox(&r, act.clone()),
+ Err(super::Error::Inbox(
+ box plume_common::activity_pub::inbox::InboxError::InvalidObject(_),
+ ))
+ ));
+ Ok(())
+ });
+ }
+ #[test]
+ fn spoof_comment_by_object_without_id() {
+ let r = rockets();
+ let conn = &*r.conn;
+ conn.test_transaction::<_, (), _>(|| {
+ let (posts, users, _) = fill_database(&r);
+ let act = json!({
+ "id": "https://plu.me/comment/1/activity",
+ "actor": users[0].ap_url,
+ "object": {
+ "type": "Note",
+ "id": "https://plu.me/comment/1",
+ "attributedTo": {},
+ "inReplyTo": posts[0].ap_url,
+ "content": "Hello.",
+ "to": [plume_common::activity_pub::PUBLIC_VISIBILITY]
+ },
+ "type": "Create",
+ });
+
+ assert!(matches!(
+ super::inbox(&r, act.clone()),
+ Err(super::Error::Inbox(
+ box plume_common::activity_pub::inbox::InboxError::InvalidObject(_),
+ ))
+ ));
+ Ok(())
+ });
+ }
+
 #[test]
 fn create_post() {
 let r = rockets();
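Review bot: All four new tests exercise only the rejecting path of the new `Object` arm; none checks that a nested `attributedTo` object carrying the actor's own id (`"attributedTo": {"id": users[0].ap_url}`) is still accepted, so a regression that made the arm reject every object would pass this suite unnoticed. Adding one positive case beside `spoof_comment_by_object_with_id`, and one for the `Article` form beside the `spoof_post_*` tests in the next hunk, would pin the behaviour from both sides. Minor: `act.clone()` in each `super::inbox(&r, act.clone())` call is unnecessary because `act` is not used afterwards; `super::inbox(&r, act)` reads cleaner, and the same applies to the two post tests in the following hunk.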
@@ -280,6 +341,81 @@ pub(crate) mod tests {
 });
 }
 
+ #[test]
+ fn spoof_post_by_object_with_id() {
+ let r = rockets();
+ let conn = &*r.conn;
+ conn.test_transaction::<_, (), _>(|| {
+ let (_, users, blogs) = fill_database(&r);
+ let act = json!({
+ "id": "https://plu.me/comment/1/activity",
+ "actor": users[0].ap_url,
+ "object": {
+ "type": "Article",
+ "id": "https://plu.me/~/Blog/my-article",
+ "attributedTo": [
+ {"id": users[1].ap_url},
+ blogs[0].ap_url
+ ],
+ "content": "Hello.",
+ "name": "My Article",
+ "summary": "Bye.",
+ "source": {
+ "content": "Hello.",
+ "mediaType": "text/markdown"
+ },
+ "published": "2014-12-12T12:12:12Z",
+ "to": [plume_common::activity_pub::PUBLIC_VISIBILITY]
+ },
+ "type": "Create",
+ });
+
+ assert!(matches!(
+ super::inbox(&r, act.clone()),
+ Err(super::Error::Inbox(
+ box plume_common::activity_pub::inbox::InboxError::InvalidObject(_),
+ ))
+ ));
+ Ok(())
+ });
+ }
+
+ #[test]
+ fn spoof_post_by_object_without_id() {
+ let r = rockets();
+ let conn = &*r.conn;
+ conn.test_transaction::<_, (), _>(|| {
+ let (_, users, blogs) = fill_database(&r);
+ let act = json!({
+ "id": "https://plu.me/comment/1/activity",
+ "actor": users[0].ap_url,
+ "object": {
+ "type": "Article",
+ "id": "https://plu.me/~/Blog/my-article",
+ "attributedTo": [{}, blogs[0].ap_url],
+ "content": "Hello.",
+ "name": "My Article",
+ "summary": "Bye.",
+ "source": {
+ "content": "Hello.",
+ "mediaType": "text/markdown"
+ },
+ "published": "2014-12-12T12:12:12Z",
+ "to": [plume_common::activity_pub::PUBLIC_VISIBILITY]
+ },
+ "type": "Create",
+ });
+
+ assert!(matches!(
+ super::inbox(&r, act.clone()),
+ Err(super::Error::Inbox(
+ box plume_common::activity_pub::inbox::InboxError::InvalidObject(_),
+ ))
+ ));
+ Ok(())
+ });
+ }
+
 #[test]
 fn delete_comment() {
 use crate::comments::*;