Validate id of ActivityPub representations (#5114)
Additionally, ActivityPub::FetchRemoteStatusService no longer parses activities. OStatus::Activity::Creation no longer delegates to ActivityPub because the provided ActivityPub representations are not signed while OStatus representations are.
This commit is contained in:
		
				
					committed by
					
						 Eugen Rochko
						Eugen Rochko
					
				
			
			
				
	
			
			
			
						parent
						
							ec13cfa4f9
						
					
				
				
					commit
					63f0979799
				
			| @@ -117,7 +117,7 @@ module SignatureVerification | ||||
|       ResolveRemoteAccountService.new.call(key_id.gsub(/\Aacct:/, '')) | ||||
|     elsif !ActivityPub::TagManager.instance.local_uri?(key_id) | ||||
|       account   = ActivityPub::TagManager.instance.uri_to_resource(key_id, Account) | ||||
|       account ||= ActivityPub::FetchRemoteKeyService.new.call(key_id) | ||||
|       account ||= ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false) | ||||
|       account | ||||
|     end | ||||
|   end | ||||
|   | ||||
| @@ -22,7 +22,18 @@ module JsonLdHelper | ||||
|     graph.dump(:normalize) | ||||
|   end | ||||
|  | ||||
|   def fetch_resource(uri) | ||||
|   def fetch_resource(uri, id) | ||||
|     unless id | ||||
|       json = fetch_resource_without_id_validation(uri) | ||||
|       return unless json | ||||
|       uri = json['id'] | ||||
|     end | ||||
|  | ||||
|     json = fetch_resource_without_id_validation(uri) | ||||
|     json.present? && json['id'] == uri ? json : nil | ||||
|   end | ||||
|  | ||||
|   def fetch_resource_without_id_validation(uri) | ||||
|     response = build_request(uri).perform | ||||
|     return if response.code != 200 | ||||
|     body_to_json(response.to_s) | ||||
|   | ||||
| @@ -27,7 +27,7 @@ class ActivityPub::Activity::Announce < ActivityPub::Activity | ||||
|     if object_uri.start_with?('http') | ||||
|       return if ActivityPub::TagManager.instance.local_uri?(object_uri) | ||||
|  | ||||
|       ActivityPub::FetchRemoteStatusService.new.call(object_uri) | ||||
|       ActivityPub::FetchRemoteStatusService.new.call(object_uri, id: true) | ||||
|     elsif @object['url'].present? | ||||
|       ::FetchRemoteStatusService.new.call(@object['url']) | ||||
|     end | ||||
|   | ||||
| @@ -80,7 +80,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity | ||||
|     return if tag['href'].blank? | ||||
|  | ||||
|     account = account_from_uri(tag['href']) | ||||
|     account = FetchRemoteAccountService.new.call(tag['href']) if account.nil? | ||||
|     account = FetchRemoteAccountService.new.call(tag['href'], id: false) if account.nil? | ||||
|     return if account.nil? | ||||
|     account.mentions.create(status: status) | ||||
|   end | ||||
|   | ||||
| @@ -19,7 +19,7 @@ class ActivityPub::LinkedDataSignature | ||||
|     return unless type == 'RsaSignature2017' | ||||
|  | ||||
|     creator   = ActivityPub::TagManager.instance.uri_to_resource(creator_uri, Account) | ||||
|     creator ||= ActivityPub::FetchRemoteKeyService.new.call(creator_uri) | ||||
|     creator ||= ActivityPub::FetchRemoteKeyService.new.call(creator_uri, id: false) | ||||
|  | ||||
|     return if creator.nil? | ||||
|  | ||||
|   | ||||
| @@ -9,11 +9,6 @@ class OStatus::Activity::Creation < OStatus::Activity::Base | ||||
|  | ||||
|     return [nil, false] if @account.suspended? | ||||
|  | ||||
|     if activitypub_uri? && [:public, :unlisted].include?(visibility_scope) | ||||
|       result = perform_via_activitypub | ||||
|       return result if result.first.present? | ||||
|     end | ||||
|  | ||||
|     RedisLock.acquire(lock_options) do |lock| | ||||
|       if lock.acquired? | ||||
|         # Return early if status already exists in db | ||||
| @@ -66,10 +61,6 @@ class OStatus::Activity::Creation < OStatus::Activity::Base | ||||
|     status | ||||
|   end | ||||
|  | ||||
|   def perform_via_activitypub | ||||
|     [find_status(activitypub_uri) || ActivityPub::FetchRemoteStatusService.new.call(activitypub_uri), false] | ||||
|   end | ||||
|  | ||||
|   def content | ||||
|     @xml.at_xpath('./xmlns:content', xmlns: OStatus::TagManager::XMLNS).content | ||||
|   end | ||||
|   | ||||
| @@ -5,14 +5,18 @@ class ActivityPub::FetchRemoteAccountService < BaseService | ||||
|  | ||||
|   # Should be called when uri has already been checked for locality | ||||
|   # Does a WebFinger roundtrip on each call | ||||
|   def call(uri, prefetched_json = nil) | ||||
|     @json = body_to_json(prefetched_json) || fetch_resource(uri) | ||||
|   def call(uri, id: true, prefetched_body: nil) | ||||
|     @json = if prefetched_body.nil? | ||||
|               fetch_resource(uri, id) | ||||
|             else | ||||
|               body_to_json(prefetched_body) | ||||
|             end | ||||
|  | ||||
|     return unless supported_context? && expected_type? | ||||
|  | ||||
|     @uri      = @json['id'] | ||||
|     @username = @json['preferredUsername'] | ||||
|     @domain   = Addressable::URI.parse(uri).normalized_host | ||||
|     @domain   = Addressable::URI.parse(@uri).normalized_host | ||||
|  | ||||
|     return unless verified_webfinger? | ||||
|  | ||||
|   | ||||
| @@ -4,13 +4,26 @@ class ActivityPub::FetchRemoteKeyService < BaseService | ||||
|   include JsonLdHelper | ||||
|  | ||||
|   # Returns account that owns the key | ||||
|   def call(uri, prefetched_json = nil) | ||||
|     @json = body_to_json(prefetched_json) || fetch_resource(uri) | ||||
|   def call(uri, id: true, prefetched_body: nil) | ||||
|     if prefetched_body.nil? | ||||
|       if id | ||||
|         @json = fetch_resource_without_id_validation(uri) | ||||
|         if person? | ||||
|           @json = fetch_resource(@json['id'], true) | ||||
|         elsif uri != @json['id'] | ||||
|           return | ||||
|         end | ||||
|       else | ||||
|         @json = fetch_resource(uri, id) | ||||
|       end | ||||
|     else | ||||
|       @json = body_to_json(prefetched_body) | ||||
|     end | ||||
|  | ||||
|     return unless supported_context?(@json) && expected_type? | ||||
|     return find_account(uri, @json) if person? | ||||
|     return find_account(@json['id'], @json) if person? | ||||
|  | ||||
|     @owner = fetch_resource(owner_uri) | ||||
|     @owner = fetch_resource(owner_uri, true) | ||||
|  | ||||
|     return unless supported_context?(@owner) && confirmed_owner? | ||||
|  | ||||
| @@ -19,9 +32,9 @@ class ActivityPub::FetchRemoteKeyService < BaseService | ||||
|  | ||||
|   private | ||||
|  | ||||
|   def find_account(uri, prefetched_json) | ||||
|   def find_account(uri, prefetched_body) | ||||
|     account   = ActivityPub::TagManager.instance.uri_to_resource(uri, Account) | ||||
|     account ||= ActivityPub::FetchRemoteAccountService.new.call(uri, prefetched_json) | ||||
|     account ||= ActivityPub::FetchRemoteAccountService.new.call(uri, prefetched_body: prefetched_body) | ||||
|     account | ||||
|   end | ||||
|  | ||||
|   | ||||
| @@ -4,36 +4,33 @@ class ActivityPub::FetchRemoteStatusService < BaseService | ||||
|   include JsonLdHelper | ||||
|  | ||||
|   # Should be called when uri has already been checked for locality | ||||
|   def call(uri, prefetched_json = nil) | ||||
|     @json = body_to_json(prefetched_json) || fetch_resource(uri) | ||||
|   def call(uri, id: true, prefetched_body: nil) | ||||
|     @json = if prefetched_body.nil? | ||||
|               fetch_resource(uri, id) | ||||
|             else | ||||
|               body_to_json(prefetched_body) | ||||
|             end | ||||
|  | ||||
|     return unless supported_context? | ||||
|     return unless expected_type? && supported_context? | ||||
|  | ||||
|     activity = activity_json | ||||
|     actor_id = value_or_id(activity['actor']) | ||||
|  | ||||
|     return unless expected_type?(activity) && trustworthy_attribution?(uri, actor_id) | ||||
|     return if actor_id.nil? || !trustworthy_attribution?(@json['id'], actor_id) | ||||
|  | ||||
|     actor = ActivityPub::TagManager.instance.uri_to_resource(actor_id, Account) | ||||
|     actor = ActivityPub::FetchRemoteAccountService.new.call(actor_id) if actor.nil? | ||||
|     actor = ActivityPub::FetchRemoteAccountService.new.call(actor_id, id: true) if actor.nil? | ||||
|  | ||||
|     return if actor.suspended? | ||||
|  | ||||
|     ActivityPub::Activity.factory(activity, actor).perform | ||||
|     ActivityPub::Activity.factory(activity_json, actor).perform | ||||
|   end | ||||
|  | ||||
|   private | ||||
|  | ||||
|   def activity_json | ||||
|     if %w(Note Article).include? @json['type'] | ||||
|       { | ||||
|         'type'   => 'Create', | ||||
|         'actor'  => first_of_value(@json['attributedTo']), | ||||
|         'object' => @json, | ||||
|       } | ||||
|     else | ||||
|       @json | ||||
|     end | ||||
|     { 'type' => 'Create', 'actor' => actor_id, 'object' => @json } | ||||
|   end | ||||
|  | ||||
|   def actor_id | ||||
|     first_of_value(@json['attributedTo']) | ||||
|   end | ||||
|  | ||||
|   def trustworthy_attribution?(uri, attributed_to) | ||||
| @@ -44,7 +41,7 @@ class ActivityPub::FetchRemoteStatusService < BaseService | ||||
|     super(@json) | ||||
|   end | ||||
|  | ||||
|   def expected_type?(json) | ||||
|     %w(Create Announce).include? json['type'] | ||||
|   def expected_type? | ||||
|     %w(Note Article).include? @json['type'] | ||||
|   end | ||||
| end | ||||
|   | ||||
| @@ -90,7 +90,7 @@ class ActivityPub::ProcessAccountService < BaseService | ||||
|     return if value.nil? | ||||
|     return value['url'] if value.is_a?(Hash) | ||||
|  | ||||
|     image = fetch_resource(value) | ||||
|     image = fetch_resource_without_id_validation(value) | ||||
|     image['url'] if image | ||||
|   end | ||||
|  | ||||
| @@ -100,7 +100,7 @@ class ActivityPub::ProcessAccountService < BaseService | ||||
|     return if value.nil? | ||||
|     return value['publicKeyPem'] if value.is_a?(Hash) | ||||
|  | ||||
|     key = fetch_resource(value) | ||||
|     key = fetch_resource_without_id_validation(value) | ||||
|     key['publicKeyPem'] if key | ||||
|   end | ||||
|  | ||||
| @@ -130,7 +130,7 @@ class ActivityPub::ProcessAccountService < BaseService | ||||
|     return if @json[type].blank? | ||||
|     return @collections[type] if @collections.key?(type) | ||||
|  | ||||
|     collection = fetch_resource(@json[type]) | ||||
|     collection = fetch_resource_without_id_validation(@json[type]) | ||||
|  | ||||
|     @collections[type] = collection.is_a?(Hash) && collection['totalItems'].present? && collection['totalItems'].is_a?(Numeric) ? collection['totalItems'] : nil | ||||
|   rescue HTTP::Error, OpenSSL::SSL::SSLError | ||||
|   | ||||
| @@ -41,10 +41,11 @@ class FetchAtomService < BaseService | ||||
|     return nil if @response.code != 200 | ||||
|  | ||||
|     if @response.mime_type == 'application/atom+xml' | ||||
|       [@url, @response.to_s, :ostatus] | ||||
|       [@url, { prefetched_body: @response.to_s }, :ostatus] | ||||
|     elsif ['application/activity+json', 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'].include?(@response.mime_type) | ||||
|       if supported_activity?(@response.to_s) | ||||
|         [@url, @response.to_s, :activitypub] | ||||
|       json = body_to_json(body) | ||||
|       if supported_context?(json) && json['type'] == 'Person' && json['inbox'].present? | ||||
|         [json['id'], { id: true }, :activitypub] | ||||
|       else | ||||
|         @unsupported_activity = true | ||||
|         nil | ||||
| @@ -79,10 +80,4 @@ class FetchAtomService < BaseService | ||||
|  | ||||
|     result | ||||
|   end | ||||
|  | ||||
|   def supported_activity?(body) | ||||
|     json = body_to_json(body) | ||||
|     return false unless supported_context?(json) | ||||
|     json['type'] == 'Person' ? json['inbox'].present? : true | ||||
|   end | ||||
| end | ||||
|   | ||||
| @@ -5,24 +5,24 @@ class FetchRemoteAccountService < BaseService | ||||
|  | ||||
|   def call(url, prefetched_body = nil, protocol = :ostatus) | ||||
|     if prefetched_body.nil? | ||||
|       resource_url, body, protocol = FetchAtomService.new.call(url) | ||||
|       resource_url, resource_options, protocol = FetchAtomService.new.call(url) | ||||
|     else | ||||
|       resource_url = url | ||||
|       body         = prefetched_body | ||||
|       resource_url     = url | ||||
|       resource_options = { prefetched_body: prefetched_body } | ||||
|     end | ||||
|  | ||||
|     case protocol | ||||
|     when :ostatus | ||||
|       process_atom(resource_url, body) | ||||
|       process_atom(resource_url, **resource_options) | ||||
|     when :activitypub | ||||
|       ActivityPub::FetchRemoteAccountService.new.call(resource_url, body) | ||||
|       ActivityPub::FetchRemoteAccountService.new.call(resource_url, **resource_options) | ||||
|     end | ||||
|   end | ||||
|  | ||||
|   private | ||||
|  | ||||
|   def process_atom(url, body) | ||||
|     xml = Nokogiri::XML(body) | ||||
|   def process_atom(url, prefetched_body:) | ||||
|     xml = Nokogiri::XML(prefetched_body) | ||||
|     xml.encoding = 'utf-8' | ||||
|  | ||||
|     account = author_from_xml(xml.at_xpath('/xmlns:feed', xmlns: OStatus::TagManager::XMLNS), false) | ||||
|   | ||||
| @@ -5,26 +5,26 @@ class FetchRemoteStatusService < BaseService | ||||
|  | ||||
|   def call(url, prefetched_body = nil, protocol = :ostatus) | ||||
|     if prefetched_body.nil? | ||||
|       resource_url, body, protocol = FetchAtomService.new.call(url) | ||||
|       resource_url, resource_options, protocol = FetchAtomService.new.call(url) | ||||
|     else | ||||
|       resource_url = url | ||||
|       body         = prefetched_body | ||||
|       resource_url     = url | ||||
|       resource_options = { prefetched_body: prefetched_body } | ||||
|     end | ||||
|  | ||||
|     case protocol | ||||
|     when :ostatus | ||||
|       process_atom(resource_url, body) | ||||
|       process_atom(resource_url, **resource_options) | ||||
|     when :activitypub | ||||
|       ActivityPub::FetchRemoteStatusService.new.call(resource_url, body) | ||||
|       ActivityPub::FetchRemoteStatusService.new.call(resource_url, **resource_options) | ||||
|     end | ||||
|   end | ||||
|  | ||||
|   private | ||||
|  | ||||
|   def process_atom(url, body) | ||||
|   def process_atom(url, prefetched_body:) | ||||
|     Rails.logger.debug "Processing Atom for remote status at #{url}" | ||||
|  | ||||
|     xml = Nokogiri::XML(body) | ||||
|     xml = Nokogiri::XML(prefetched_body) | ||||
|     xml.encoding = 'utf-8' | ||||
|  | ||||
|     account = author_from_xml(xml.at_xpath('/xmlns:entry', xmlns: OStatus::TagManager::XMLNS)) | ||||
| @@ -32,7 +32,7 @@ class FetchRemoteStatusService < BaseService | ||||
|  | ||||
|     return nil unless !account.nil? && confirmed_domain?(domain, account) | ||||
|  | ||||
|     statuses = ProcessFeedService.new.call(body, account) | ||||
|     statuses = ProcessFeedService.new.call(prefetched_body, account) | ||||
|     statuses.first | ||||
|   rescue Nokogiri::XML::XPath::SyntaxError | ||||
|     Rails.logger.debug 'Invalid XML or missing namespace' | ||||
|   | ||||
| @@ -189,7 +189,7 @@ class ResolveRemoteAccountService < BaseService | ||||
|   def actor_json | ||||
|     return @actor_json if defined?(@actor_json) | ||||
|  | ||||
|     json        = fetch_resource(actor_url) | ||||
|     json        = fetch_resource(actor_url, false) | ||||
|     @actor_json = supported_context?(json) && json['type'] == 'Person' ? json : nil | ||||
|   end | ||||
|  | ||||
|   | ||||
| @@ -30,6 +30,39 @@ describe JsonLdHelper do | ||||
|   end | ||||
|  | ||||
|   describe '#fetch_resource' do | ||||
|     pending | ||||
|     context 'when the second argument is false' do | ||||
|       it 'returns resource even if the retrieved ID and the given URI does not match' do | ||||
|         stub_request(:get, 'https://bob/').to_return body: '{"id": "https://alice/"}' | ||||
|         stub_request(:get, 'https://alice/').to_return body: '{"id": "https://alice/"}' | ||||
|  | ||||
|         expect(fetch_resource('https://bob/', false)).to eq({ 'id' => 'https://alice/' }) | ||||
|       end | ||||
|  | ||||
|       it 'returns nil if the object identified by the given URI and the object identified by the retrieved ID does not match' do | ||||
|         stub_request(:get, 'https://mallory/').to_return body: '{"id": "https://marvin/"}' | ||||
|         stub_request(:get, 'https://marvin/').to_return body: '{"id": "https://alice/"}' | ||||
|  | ||||
|         expect(fetch_resource('https://mallory/', false)).to eq nil | ||||
|       end | ||||
|     end | ||||
|  | ||||
|     context 'when the second argument is true' do | ||||
|       it 'returns nil if the retrieved ID and the given URI does not match' do | ||||
|         stub_request(:get, 'https://mallory/').to_return body: '{"id": "https://alice/"}' | ||||
|         expect(fetch_resource('https://mallory/', true)).to eq nil | ||||
|       end | ||||
|     end | ||||
|   end | ||||
|  | ||||
|   describe '#fetch_resource_without_id_validation' do | ||||
|     it 'returns nil if the status code is not 200' do | ||||
|       stub_request(:get, 'https://host/').to_return status: 400, body: '{}' | ||||
|       expect(fetch_resource_without_id_validation('https://host/')).to eq nil | ||||
|     end | ||||
|  | ||||
|     it 'returns hash' do | ||||
|       stub_request(:get, 'https://host/').to_return status: 200, body: '{}' | ||||
|       expect(fetch_resource_without_id_validation('https://host/')).to eq({}) | ||||
|     end | ||||
|   end | ||||
| end | ||||
|   | ||||
| @@ -16,7 +16,7 @@ RSpec.describe ActivityPub::FetchRemoteAccountService do | ||||
|   end | ||||
|  | ||||
|   describe '#call' do | ||||
|     let(:account) { subject.call('https://example.com/alice') } | ||||
|     let(:account) { subject.call('https://example.com/alice', id: true) } | ||||
|  | ||||
|     shared_examples 'sets profile data' do | ||||
|       it 'returns an account' do | ||||
|   | ||||
| @@ -15,21 +15,11 @@ RSpec.describe ActivityPub::FetchRemoteStatusService do | ||||
|     } | ||||
|   end | ||||
|  | ||||
|   let(:create) do | ||||
|     { | ||||
|       '@context': 'https://www.w3.org/ns/activitystreams', | ||||
|       id: "https://#{valid_domain}/@foo/1234/activity", | ||||
|       type: 'Create', | ||||
|       actor: ActivityPub::TagManager.instance.uri_for(sender), | ||||
|       object: note, | ||||
|     } | ||||
|   end | ||||
|  | ||||
|   subject { described_class.new } | ||||
|  | ||||
|   describe '#call' do | ||||
|     before do | ||||
|       subject.call(object[:id], Oj.dump(object)) | ||||
|       subject.call(object[:id], prefetched_body: Oj.dump(object)) | ||||
|     end | ||||
|  | ||||
|     context 'with Note object' do | ||||
| @@ -42,34 +32,5 @@ RSpec.describe ActivityPub::FetchRemoteStatusService do | ||||
|         expect(status.text).to eq 'Lorem ipsum' | ||||
|       end | ||||
|     end | ||||
|  | ||||
|     context 'with Create activity' do | ||||
|       let(:object) { create } | ||||
|  | ||||
|       it 'creates status' do | ||||
|         status = sender.statuses.first | ||||
|          | ||||
|         expect(status).to_not be_nil | ||||
|         expect(status.text).to eq 'Lorem ipsum' | ||||
|       end | ||||
|     end | ||||
|  | ||||
|     context 'with Announce activity' do | ||||
|       let(:status) { Fabricate(:status, account: recipient) } | ||||
|  | ||||
|       let(:object) do | ||||
|         { | ||||
|           '@context': 'https://www.w3.org/ns/activitystreams', | ||||
|           id: "https://#{valid_domain}/@foo/1234/activity", | ||||
|           type: 'Announce', | ||||
|           actor: ActivityPub::TagManager.instance.uri_for(sender), | ||||
|           object: ActivityPub::TagManager.instance.uri_for(status), | ||||
|         } | ||||
|       end | ||||
|  | ||||
|       it 'creates a reblog by sender of status' do | ||||
|         expect(sender.reblogged?(status)).to be true | ||||
|       end | ||||
|     end | ||||
|   end | ||||
| end | ||||
|   | ||||
		Reference in New Issue
	
	Block a user