Validate id of ActivityPub representations (#5114)

Additionally, ActivityPub::FetchRemoteStatusService no longer parses
activities.
OStatus::Activity::Creation no longer delegates to ActivityPub because
the provided ActivityPub representations are not signed while OStatus
representations are.
This commit is contained in:
Akihiko Odaki 2017-10-04 08:13:48 +09:00 committed by Eugen Rochko
parent ec13cfa4f9
commit 63f0979799
17 changed files with 118 additions and 113 deletions

View file

@ -117,7 +117,7 @@ module SignatureVerification
ResolveRemoteAccountService.new.call(key_id.gsub(/\Aacct:/, '')) ResolveRemoteAccountService.new.call(key_id.gsub(/\Aacct:/, ''))
elsif !ActivityPub::TagManager.instance.local_uri?(key_id) elsif !ActivityPub::TagManager.instance.local_uri?(key_id)
account = ActivityPub::TagManager.instance.uri_to_resource(key_id, Account) account = ActivityPub::TagManager.instance.uri_to_resource(key_id, Account)
account ||= ActivityPub::FetchRemoteKeyService.new.call(key_id) account ||= ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false)
account account
end end
end end

View file

@ -22,7 +22,18 @@ module JsonLdHelper
graph.dump(:normalize) graph.dump(:normalize)
end end
def fetch_resource(uri) def fetch_resource(uri, id)
unless id
json = fetch_resource_without_id_validation(uri)
return unless json
uri = json['id']
end
json = fetch_resource_without_id_validation(uri)
json.present? && json['id'] == uri ? json : nil
end
def fetch_resource_without_id_validation(uri)
response = build_request(uri).perform response = build_request(uri).perform
return if response.code != 200 return if response.code != 200
body_to_json(response.to_s) body_to_json(response.to_s)

View file

@ -27,7 +27,7 @@ class ActivityPub::Activity::Announce < ActivityPub::Activity
if object_uri.start_with?('http') if object_uri.start_with?('http')
return if ActivityPub::TagManager.instance.local_uri?(object_uri) return if ActivityPub::TagManager.instance.local_uri?(object_uri)
ActivityPub::FetchRemoteStatusService.new.call(object_uri) ActivityPub::FetchRemoteStatusService.new.call(object_uri, id: true)
elsif @object['url'].present? elsif @object['url'].present?
::FetchRemoteStatusService.new.call(@object['url']) ::FetchRemoteStatusService.new.call(@object['url'])
end end

View file

@ -80,7 +80,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
return if tag['href'].blank? return if tag['href'].blank?
account = account_from_uri(tag['href']) account = account_from_uri(tag['href'])
account = FetchRemoteAccountService.new.call(tag['href']) if account.nil? account = FetchRemoteAccountService.new.call(tag['href'], id: false) if account.nil?
return if account.nil? return if account.nil?
account.mentions.create(status: status) account.mentions.create(status: status)
end end

View file

@ -19,7 +19,7 @@ class ActivityPub::LinkedDataSignature
return unless type == 'RsaSignature2017' return unless type == 'RsaSignature2017'
creator = ActivityPub::TagManager.instance.uri_to_resource(creator_uri, Account) creator = ActivityPub::TagManager.instance.uri_to_resource(creator_uri, Account)
creator ||= ActivityPub::FetchRemoteKeyService.new.call(creator_uri) creator ||= ActivityPub::FetchRemoteKeyService.new.call(creator_uri, id: false)
return if creator.nil? return if creator.nil?

View file

@ -9,11 +9,6 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
return [nil, false] if @account.suspended? return [nil, false] if @account.suspended?
if activitypub_uri? && [:public, :unlisted].include?(visibility_scope)
result = perform_via_activitypub
return result if result.first.present?
end
RedisLock.acquire(lock_options) do |lock| RedisLock.acquire(lock_options) do |lock|
if lock.acquired? if lock.acquired?
# Return early if status already exists in db # Return early if status already exists in db
@ -66,10 +61,6 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
status status
end end
def perform_via_activitypub
[find_status(activitypub_uri) || ActivityPub::FetchRemoteStatusService.new.call(activitypub_uri), false]
end
def content def content
@xml.at_xpath('./xmlns:content', xmlns: OStatus::TagManager::XMLNS).content @xml.at_xpath('./xmlns:content', xmlns: OStatus::TagManager::XMLNS).content
end end

View file

@ -5,14 +5,18 @@ class ActivityPub::FetchRemoteAccountService < BaseService
# Should be called when uri has already been checked for locality # Should be called when uri has already been checked for locality
# Does a WebFinger roundtrip on each call # Does a WebFinger roundtrip on each call
def call(uri, prefetched_json = nil) def call(uri, id: true, prefetched_body: nil)
@json = body_to_json(prefetched_json) || fetch_resource(uri) @json = if prefetched_body.nil?
fetch_resource(uri, id)
else
body_to_json(prefetched_body)
end
return unless supported_context? && expected_type? return unless supported_context? && expected_type?
@uri = @json['id'] @uri = @json['id']
@username = @json['preferredUsername'] @username = @json['preferredUsername']
@domain = Addressable::URI.parse(uri).normalized_host @domain = Addressable::URI.parse(@uri).normalized_host
return unless verified_webfinger? return unless verified_webfinger?

View file

@ -4,13 +4,26 @@ class ActivityPub::FetchRemoteKeyService < BaseService
include JsonLdHelper include JsonLdHelper
# Returns account that owns the key # Returns account that owns the key
def call(uri, prefetched_json = nil) def call(uri, id: true, prefetched_body: nil)
@json = body_to_json(prefetched_json) || fetch_resource(uri) if prefetched_body.nil?
if id
@json = fetch_resource_without_id_validation(uri)
if person?
@json = fetch_resource(@json['id'], true)
elsif uri != @json['id']
return
end
else
@json = fetch_resource(uri, id)
end
else
@json = body_to_json(prefetched_body)
end
return unless supported_context?(@json) && expected_type? return unless supported_context?(@json) && expected_type?
return find_account(uri, @json) if person? return find_account(@json['id'], @json) if person?
@owner = fetch_resource(owner_uri) @owner = fetch_resource(owner_uri, true)
return unless supported_context?(@owner) && confirmed_owner? return unless supported_context?(@owner) && confirmed_owner?
@ -19,9 +32,9 @@ class ActivityPub::FetchRemoteKeyService < BaseService
private private
def find_account(uri, prefetched_json) def find_account(uri, prefetched_body)
account = ActivityPub::TagManager.instance.uri_to_resource(uri, Account) account = ActivityPub::TagManager.instance.uri_to_resource(uri, Account)
account ||= ActivityPub::FetchRemoteAccountService.new.call(uri, prefetched_json) account ||= ActivityPub::FetchRemoteAccountService.new.call(uri, prefetched_body: prefetched_body)
account account
end end

View file

@ -4,36 +4,33 @@ class ActivityPub::FetchRemoteStatusService < BaseService
include JsonLdHelper include JsonLdHelper
# Should be called when uri has already been checked for locality # Should be called when uri has already been checked for locality
def call(uri, prefetched_json = nil) def call(uri, id: true, prefetched_body: nil)
@json = body_to_json(prefetched_json) || fetch_resource(uri) @json = if prefetched_body.nil?
fetch_resource(uri, id)
else
body_to_json(prefetched_body)
end
return unless supported_context? return unless expected_type? && supported_context?
activity = activity_json return if actor_id.nil? || !trustworthy_attribution?(@json['id'], actor_id)
actor_id = value_or_id(activity['actor'])
return unless expected_type?(activity) && trustworthy_attribution?(uri, actor_id)
actor = ActivityPub::TagManager.instance.uri_to_resource(actor_id, Account) actor = ActivityPub::TagManager.instance.uri_to_resource(actor_id, Account)
actor = ActivityPub::FetchRemoteAccountService.new.call(actor_id) if actor.nil? actor = ActivityPub::FetchRemoteAccountService.new.call(actor_id, id: true) if actor.nil?
return if actor.suspended? return if actor.suspended?
ActivityPub::Activity.factory(activity, actor).perform ActivityPub::Activity.factory(activity_json, actor).perform
end end
private private
def activity_json def activity_json
if %w(Note Article).include? @json['type'] { 'type' => 'Create', 'actor' => actor_id, 'object' => @json }
{ end
'type' => 'Create',
'actor' => first_of_value(@json['attributedTo']), def actor_id
'object' => @json, first_of_value(@json['attributedTo'])
}
else
@json
end
end end
def trustworthy_attribution?(uri, attributed_to) def trustworthy_attribution?(uri, attributed_to)
@ -44,7 +41,7 @@ class ActivityPub::FetchRemoteStatusService < BaseService
super(@json) super(@json)
end end
def expected_type?(json) def expected_type?
%w(Create Announce).include? json['type'] %w(Note Article).include? @json['type']
end end
end end

View file

@ -90,7 +90,7 @@ class ActivityPub::ProcessAccountService < BaseService
return if value.nil? return if value.nil?
return value['url'] if value.is_a?(Hash) return value['url'] if value.is_a?(Hash)
image = fetch_resource(value) image = fetch_resource_without_id_validation(value)
image['url'] if image image['url'] if image
end end
@ -100,7 +100,7 @@ class ActivityPub::ProcessAccountService < BaseService
return if value.nil? return if value.nil?
return value['publicKeyPem'] if value.is_a?(Hash) return value['publicKeyPem'] if value.is_a?(Hash)
key = fetch_resource(value) key = fetch_resource_without_id_validation(value)
key['publicKeyPem'] if key key['publicKeyPem'] if key
end end
@ -130,7 +130,7 @@ class ActivityPub::ProcessAccountService < BaseService
return if @json[type].blank? return if @json[type].blank?
return @collections[type] if @collections.key?(type) return @collections[type] if @collections.key?(type)
collection = fetch_resource(@json[type]) collection = fetch_resource_without_id_validation(@json[type])
@collections[type] = collection.is_a?(Hash) && collection['totalItems'].present? && collection['totalItems'].is_a?(Numeric) ? collection['totalItems'] : nil @collections[type] = collection.is_a?(Hash) && collection['totalItems'].present? && collection['totalItems'].is_a?(Numeric) ? collection['totalItems'] : nil
rescue HTTP::Error, OpenSSL::SSL::SSLError rescue HTTP::Error, OpenSSL::SSL::SSLError

View file

@ -41,10 +41,11 @@ class FetchAtomService < BaseService
return nil if @response.code != 200 return nil if @response.code != 200
if @response.mime_type == 'application/atom+xml' if @response.mime_type == 'application/atom+xml'
[@url, @response.to_s, :ostatus] [@url, { prefetched_body: @response.to_s }, :ostatus]
elsif ['application/activity+json', 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'].include?(@response.mime_type) elsif ['application/activity+json', 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'].include?(@response.mime_type)
if supported_activity?(@response.to_s) json = body_to_json(body)
[@url, @response.to_s, :activitypub] if supported_context?(json) && json['type'] == 'Person' && json['inbox'].present?
[json['id'], { id: true }, :activitypub]
else else
@unsupported_activity = true @unsupported_activity = true
nil nil
@ -79,10 +80,4 @@ class FetchAtomService < BaseService
result result
end end
def supported_activity?(body)
json = body_to_json(body)
return false unless supported_context?(json)
json['type'] == 'Person' ? json['inbox'].present? : true
end
end end

View file

@ -5,24 +5,24 @@ class FetchRemoteAccountService < BaseService
def call(url, prefetched_body = nil, protocol = :ostatus) def call(url, prefetched_body = nil, protocol = :ostatus)
if prefetched_body.nil? if prefetched_body.nil?
resource_url, body, protocol = FetchAtomService.new.call(url) resource_url, resource_options, protocol = FetchAtomService.new.call(url)
else else
resource_url = url resource_url = url
body = prefetched_body resource_options = { prefetched_body: prefetched_body }
end end
case protocol case protocol
when :ostatus when :ostatus
process_atom(resource_url, body) process_atom(resource_url, **resource_options)
when :activitypub when :activitypub
ActivityPub::FetchRemoteAccountService.new.call(resource_url, body) ActivityPub::FetchRemoteAccountService.new.call(resource_url, **resource_options)
end end
end end
private private
def process_atom(url, body) def process_atom(url, prefetched_body:)
xml = Nokogiri::XML(body) xml = Nokogiri::XML(prefetched_body)
xml.encoding = 'utf-8' xml.encoding = 'utf-8'
account = author_from_xml(xml.at_xpath('/xmlns:feed', xmlns: OStatus::TagManager::XMLNS), false) account = author_from_xml(xml.at_xpath('/xmlns:feed', xmlns: OStatus::TagManager::XMLNS), false)

View file

@ -5,26 +5,26 @@ class FetchRemoteStatusService < BaseService
def call(url, prefetched_body = nil, protocol = :ostatus) def call(url, prefetched_body = nil, protocol = :ostatus)
if prefetched_body.nil? if prefetched_body.nil?
resource_url, body, protocol = FetchAtomService.new.call(url) resource_url, resource_options, protocol = FetchAtomService.new.call(url)
else else
resource_url = url resource_url = url
body = prefetched_body resource_options = { prefetched_body: prefetched_body }
end end
case protocol case protocol
when :ostatus when :ostatus
process_atom(resource_url, body) process_atom(resource_url, **resource_options)
when :activitypub when :activitypub
ActivityPub::FetchRemoteStatusService.new.call(resource_url, body) ActivityPub::FetchRemoteStatusService.new.call(resource_url, **resource_options)
end end
end end
private private
def process_atom(url, body) def process_atom(url, prefetched_body:)
Rails.logger.debug "Processing Atom for remote status at #{url}" Rails.logger.debug "Processing Atom for remote status at #{url}"
xml = Nokogiri::XML(body) xml = Nokogiri::XML(prefetched_body)
xml.encoding = 'utf-8' xml.encoding = 'utf-8'
account = author_from_xml(xml.at_xpath('/xmlns:entry', xmlns: OStatus::TagManager::XMLNS)) account = author_from_xml(xml.at_xpath('/xmlns:entry', xmlns: OStatus::TagManager::XMLNS))
@ -32,7 +32,7 @@ class FetchRemoteStatusService < BaseService
return nil unless !account.nil? && confirmed_domain?(domain, account) return nil unless !account.nil? && confirmed_domain?(domain, account)
statuses = ProcessFeedService.new.call(body, account) statuses = ProcessFeedService.new.call(prefetched_body, account)
statuses.first statuses.first
rescue Nokogiri::XML::XPath::SyntaxError rescue Nokogiri::XML::XPath::SyntaxError
Rails.logger.debug 'Invalid XML or missing namespace' Rails.logger.debug 'Invalid XML or missing namespace'

View file

@ -189,7 +189,7 @@ class ResolveRemoteAccountService < BaseService
def actor_json def actor_json
return @actor_json if defined?(@actor_json) return @actor_json if defined?(@actor_json)
json = fetch_resource(actor_url) json = fetch_resource(actor_url, false)
@actor_json = supported_context?(json) && json['type'] == 'Person' ? json : nil @actor_json = supported_context?(json) && json['type'] == 'Person' ? json : nil
end end

View file

@ -30,6 +30,39 @@ describe JsonLdHelper do
end end
describe '#fetch_resource' do describe '#fetch_resource' do
pending context 'when the second argument is false' do
it 'returns resource even if the retrieved ID and the given URI does not match' do
stub_request(:get, 'https://bob/').to_return body: '{"id": "https://alice/"}'
stub_request(:get, 'https://alice/').to_return body: '{"id": "https://alice/"}'
expect(fetch_resource('https://bob/', false)).to eq({ 'id' => 'https://alice/' })
end
it 'returns nil if the object identified by the given URI and the object identified by the retrieved ID does not match' do
stub_request(:get, 'https://mallory/').to_return body: '{"id": "https://marvin/"}'
stub_request(:get, 'https://marvin/').to_return body: '{"id": "https://alice/"}'
expect(fetch_resource('https://mallory/', false)).to eq nil
end
end
context 'when the second argument is true' do
it 'returns nil if the retrieved ID and the given URI does not match' do
stub_request(:get, 'https://mallory/').to_return body: '{"id": "https://alice/"}'
expect(fetch_resource('https://mallory/', true)).to eq nil
end
end
end
describe '#fetch_resource_without_id_validation' do
it 'returns nil if the status code is not 200' do
stub_request(:get, 'https://host/').to_return status: 400, body: '{}'
expect(fetch_resource_without_id_validation('https://host/')).to eq nil
end
it 'returns hash' do
stub_request(:get, 'https://host/').to_return status: 200, body: '{}'
expect(fetch_resource_without_id_validation('https://host/')).to eq({})
end
end end
end end

View file

@ -16,7 +16,7 @@ RSpec.describe ActivityPub::FetchRemoteAccountService do
end end
describe '#call' do describe '#call' do
let(:account) { subject.call('https://example.com/alice') } let(:account) { subject.call('https://example.com/alice', id: true) }
shared_examples 'sets profile data' do shared_examples 'sets profile data' do
it 'returns an account' do it 'returns an account' do

View file

@ -15,21 +15,11 @@ RSpec.describe ActivityPub::FetchRemoteStatusService do
} }
end end
let(:create) do
{
'@context': 'https://www.w3.org/ns/activitystreams',
id: "https://#{valid_domain}/@foo/1234/activity",
type: 'Create',
actor: ActivityPub::TagManager.instance.uri_for(sender),
object: note,
}
end
subject { described_class.new } subject { described_class.new }
describe '#call' do describe '#call' do
before do before do
subject.call(object[:id], Oj.dump(object)) subject.call(object[:id], prefetched_body: Oj.dump(object))
end end
context 'with Note object' do context 'with Note object' do
@ -42,34 +32,5 @@ RSpec.describe ActivityPub::FetchRemoteStatusService do
expect(status.text).to eq 'Lorem ipsum' expect(status.text).to eq 'Lorem ipsum'
end end
end end
context 'with Create activity' do
let(:object) { create }
it 'creates status' do
status = sender.statuses.first
expect(status).to_not be_nil
expect(status.text).to eq 'Lorem ipsum'
end
end
context 'with Announce activity' do
let(:status) { Fabricate(:status, account: recipient) }
let(:object) do
{
'@context': 'https://www.w3.org/ns/activitystreams',
id: "https://#{valid_domain}/@foo/1234/activity",
type: 'Announce',
actor: ActivityPub::TagManager.instance.uri_for(sender),
object: ActivityPub::TagManager.instance.uri_for(status),
}
end
it 'creates a reblog by sender of status' do
expect(sender.reblogged?(status)).to be true
end
end
end end
end end