Don't process ActivityPub payload if signature is invalid (#4752)

* Don't process ActivityPub payload if signature is invalid

* Fix style issue
fix-uploadarea-keyup-for-upstream
unarist 2017-09-01 00:18:49 +09:00 committed by Eugen Rochko
parent 6b2be5dbfb
commit f7937d903c
2 changed files with 48 additions and 4 deletions

View File

@ -9,7 +9,7 @@ class ActivityPub::ProcessCollectionService < BaseService
return if @account.suspended? || !supported_context? return if @account.suspended? || !supported_context?
verify_account! if different_actor? return if different_actor? && verify_account!.nil?
case @json['type'] case @json['type']
when 'Collection', 'CollectionPage' when 'Collection', 'CollectionPage'
@ -43,7 +43,6 @@ class ActivityPub::ProcessCollectionService < BaseService
end end
def verify_account! def verify_account!
account = ActivityPub::LinkedDataSignature.new(@json).verify_account! @account = ActivityPub::LinkedDataSignature.new(@json).verify_account!
@account = account unless account.nil?
end end
end end

View File

@ -1,10 +1,55 @@
require 'rails_helper' require 'rails_helper'
RSpec.describe ActivityPub::ProcessCollectionService do RSpec.describe ActivityPub::ProcessCollectionService do
let(:actor) { Fabricate(:account) }
let(:payload) do
{
'@context': 'https://www.w3.org/ns/activitystreams',
id: 'foo',
type: 'Create',
actor: ActivityPub::TagManager.instance.uri_for(actor),
object: {
id: 'bar',
type: 'Note',
content: 'Lorem ipsum',
},
}
end
let(:json) { Oj.dump(payload) }
subject { described_class.new } subject { described_class.new }
describe '#call' do describe '#call' do
context 'when actor is the sender' context 'when actor is the sender'
context 'when actor differs from sender' context 'when actor differs from sender' do
let(:forwarder) { Fabricate(:account) }
it 'processes payload with sender if no signature exists' do
expect_any_instance_of(ActivityPub::LinkedDataSignature).not_to receive(:verify_account!)
expect(ActivityPub::Activity).to receive(:factory).with(instance_of(Hash), forwarder)
subject.call(json, forwarder)
end
it 'processes payload with actor if valid signature exists' do
payload['signature'] = {'type' => 'RsaSignature2017'}
expect_any_instance_of(ActivityPub::LinkedDataSignature).to receive(:verify_account!).and_return(actor)
expect(ActivityPub::Activity).to receive(:factory).with(instance_of(Hash), actor)
subject.call(json, forwarder)
end
it 'does not process payload if invalid signature exists' do
payload['signature'] = {'type' => 'RsaSignature2017'}
expect_any_instance_of(ActivityPub::LinkedDataSignature).to receive(:verify_account!).and_return(nil)
expect(ActivityPub::Activity).not_to receive(:factory)
subject.call(json, forwarder)
end
end
end end
end end