heartles/egirlskey
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

look inside url when checking activity origin - #512

Browse source 
The previous assertion that:

> if it's a complicated thing and the `activity.id` doesn't match, I
> think we're fine rejecting the activity

was wrong: at least peertube sends activities that have `url` as an
array of objects.

Notice that this does *not*, in fact, fix #512: the peertube activity
does not contain its short URL (`https://example.com/w/someid`), so
there's no way to confirm that it is the activity we requested.
This commit is contained in:
dakkar 2024-05-18 16:36:06 +01:00
parent 95ec40d3c8
commit c05cc63e24
2 changed files with 66 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

51
packages/backend/test/unit/misc/check-against-url.ts Normal file
View file

@ -0,0 +1,51 @@
/*
* SPDX-FileCopyrightText: dakkar and sharkey-project
* SPDX-License-Identifier: AGPL-3.0-only
*/
import type { IObject } from '@/core/activitypub/type.js';
import { describe, expect, test } from '@jest/globals';
import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
function assertOne(activity: IObject) {
// return a function so we can use `.toThrow`
return () => assertActivityMatchesUrls(activity, ['good']);
}
describe('assertActivityMatchesUrls', () => {
test('id', () => {
expect(assertOne({ id: 'bad' })).toThrow(/bad Activity/);
expect(assertOne({ id: 'good' })).not.toThrow();
});
test('simple url', () => {
expect(assertOne({ url: 'bad' })).toThrow(/bad Activity/);
expect(assertOne({ url: 'good' })).not.toThrow();
});
test('array of urls', () => {
expect(assertOne({ url: ['bad'] })).toThrow(/bad Activity/);
expect(assertOne({ url: ['bad', 'other'] })).toThrow(/bad Activity/);
expect(assertOne({ url: ['good'] })).not.toThrow();
expect(assertOne({ url: ['bad', 'good'] })).not.toThrow();
});
test('array of objects', () => {
expect(assertOne({ url: [{ href: 'bad' }] })).toThrow(/bad Activity/);
expect(assertOne({ url: [{ href: 'bad' }, { href: 'other' }] })).toThrow(/bad Activity/);
expect(assertOne({ url: [{ href: 'good' }] })).not.toThrow();
expect(assertOne({ url: [{ href: 'bad' }, { href: 'good' }] })).not.toThrow();
});
test('mixed array', () => {
expect(assertOne({ url: [{ href: 'bad' }, 'other'] })).toThrow(/bad Activity/);
expect(assertOne({ url: [{ href: 'bad' }, 'good'] })).not.toThrow();
expect(assertOne({ url: ['bad', { href: 'good' }] })).not.toThrow();
});
test('id and url', () => {
expect(assertOne({ id: 'other', url: 'bad' })).toThrow(/bad Activity/);
expect(assertOne({ id: 'bad', url: 'good' })).not.toThrow();
expect(assertOne({ id: 'good', url: 'bad' })).not.toThrow();
});
});