From c05cc63e24c654e5e5d2d098e00a2aa669b61adf Mon Sep 17 00:00:00 2001 From: dakkar Date: Sat, 18 May 2024 16:36:06 +0100 Subject: [PATCH] look inside `url` when checking activity origin - #512 The previous assertion that: > if it's a complicated thing and the `activity.id` doesn't match, I > think we're fine rejecting the activity was wrong: at least peertube sends activities that have `url` as an array of objects. Notice that this does *not*, in fact, fix #512: the peertube activity does not contain its short URL (`https://example.com/w/someid`), so there's no way to confirm that it is the activity we requested. --- .../activitypub/misc/check-against-url.ts | 22 +++++--- .../test/unit/misc/check-against-url.ts | 51 +++++++++++++++++++ 2 files changed, 66 insertions(+), 7 deletions(-) create mode 100644 packages/backend/test/unit/misc/check-against-url.ts diff --git a/packages/backend/src/core/activitypub/misc/check-against-url.ts b/packages/backend/src/core/activitypub/misc/check-against-url.ts index 78ba891a2e..34e4907267 100644 --- a/packages/backend/src/core/activitypub/misc/check-against-url.ts +++ b/packages/backend/src/core/activitypub/misc/check-against-url.ts @@ -4,16 +4,24 @@ */ import type { IObject } from '../type.js'; +function getHrefFrom(one: IObject|string): string | undefined { + if (typeof(one) === 'string') return one; + return one.href; +} + export function assertActivityMatchesUrls(activity: IObject, urls: string[]) { const idOk = activity.id !== undefined && urls.includes(activity.id); + if (idOk) return; - // technically `activity.url` could be an `ApObject = IObject | - // string | (IObject | string)[]`, but if it's a complicated thing - // and the `activity.id` doesn't match, I think we're fine - // rejecting the activity - const urlOk = typeof(activity.url) === 'string' && urls.includes(activity.url); + const url = activity.url; + if (url) { + // `activity.url` can be an `ApObject = IObject | string | (IObject + // | string)[]`, we have to look inside it + const activityUrls = Array.isArray(url) ? url.map(getHrefFrom) : [getHrefFrom(url)]; + const goodUrl = activityUrls.find(u => u && urls.includes(u)); - if (!idOk && !urlOk) { - throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${activity?.url}) match location(${urls})`); + if (goodUrl) return; } + + throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${JSON.stringify(activity?.url)}) match location(${urls})`); } diff --git a/packages/backend/test/unit/misc/check-against-url.ts b/packages/backend/test/unit/misc/check-against-url.ts new file mode 100644 index 0000000000..1cc12cbea2 --- /dev/null +++ b/packages/backend/test/unit/misc/check-against-url.ts @@ -0,0 +1,51 @@ +/* + * SPDX-FileCopyrightText: dakkar and sharkey-project + * SPDX-License-Identifier: AGPL-3.0-only + */ + +import type { IObject } from '@/core/activitypub/type.js'; +import { describe, expect, test } from '@jest/globals'; +import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js'; + +function assertOne(activity: IObject) { + // return a function so we can use `.toThrow` + return () => assertActivityMatchesUrls(activity, ['good']); +} + +describe('assertActivityMatchesUrls', () => { + test('id', () => { + expect(assertOne({ id: 'bad' })).toThrow(/bad Activity/); + expect(assertOne({ id: 'good' })).not.toThrow(); + }); + + test('simple url', () => { + expect(assertOne({ url: 'bad' })).toThrow(/bad Activity/); + expect(assertOne({ url: 'good' })).not.toThrow(); + }); + + test('array of urls', () => { + expect(assertOne({ url: ['bad'] })).toThrow(/bad Activity/); + expect(assertOne({ url: ['bad', 'other'] })).toThrow(/bad Activity/); + expect(assertOne({ url: ['good'] })).not.toThrow(); + expect(assertOne({ url: ['bad', 'good'] })).not.toThrow(); + }); + + test('array of objects', () => { + expect(assertOne({ url: [{ href: 'bad' }] })).toThrow(/bad Activity/); + expect(assertOne({ url: [{ href: 'bad' }, { href: 'other' }] })).toThrow(/bad Activity/); + expect(assertOne({ url: [{ href: 'good' }] })).not.toThrow(); + expect(assertOne({ url: [{ href: 'bad' }, { href: 'good' }] })).not.toThrow(); + }); + + test('mixed array', () => { + expect(assertOne({ url: [{ href: 'bad' }, 'other'] })).toThrow(/bad Activity/); + expect(assertOne({ url: [{ href: 'bad' }, 'good'] })).not.toThrow(); + expect(assertOne({ url: ['bad', { href: 'good' }] })).not.toThrow(); + }); + + test('id and url', () => { + expect(assertOne({ id: 'other', url: 'bad' })).toThrow(/bad Activity/); + expect(assertOne({ id: 'bad', url: 'good' })).not.toThrow(); + expect(assertOne({ id: 'good', url: 'bad' })).not.toThrow(); + }); +});