Add tests for CVE-2022-24307 (#17733)

Follow-up to #17426
mastodon · Mar 9, 2022 · 63c9d2b · 63c9d2b
1 parent 29ee3c6
commit 63c9d2b
Showing 1 changed file with 140 additions and 0 deletions.
diff --git a/spec/services/activitypub/process_collection_service_spec.rb b/spec/services/activitypub/process_collection_service_spec.rb
@@ -91,6 +91,146 @@
 
         subject.call(json, forwarder)
       end
+
+      context 'when receiving a fabricated status' do
+        let!(:actor) do
+          Fabricate(:account,
+            username: 'bob',
+            domain: 'example.com',
+            uri: 'https://example.com/users/bob',
+            public_key: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuuYyoyfsRkYnXRotMsId\nW3euBDDfiv9oVqOxUVC7bhel8KednIMrMCRWFAkgJhbrlzbIkjVr68o1MP9qLcn7\nCmH/BXHp7yhuFTr4byjdJKpwB+/i2jNEsvDH5jR8WTAeTCe0x/QHg21V3F7dSI5m\nCCZ/1dSIyOXLRTWVlfDlm3rE4ntlCo+US3/7oSWbg/4/4qEnt1HC32kvklgScxua\n4LR5ATdoXa5bFoopPWhul7MJ6NyWCyQyScUuGdlj8EN4kmKQJvphKHrI9fvhgOuG\nTvhTR1S5InA4azSSchY0tXEEw/VNxraeX0KPjbgr6DPcwhPd/m0nhVDq0zVyVBBD\nMwIDAQAB\n-----END PUBLIC KEY-----\n",
+            private_key: nil)
+        end
+
+        let(:payload) do
+          {
+            '@context': [
+              'https://www.w3.org/ns/activitystreams',
+              nil,
+              {'object': 'https://www.w3.org/ns/activitystreams#object'}
+            ],
+            'id': 'https://example.com/users/bob/fake-status/activity',
+            'type': 'Create',
+            'actor': 'https://example.com/users/bob',
+            'published': '2022-01-22T15:00:00Z',
+            'to': [
+              'https://www.w3.org/ns/activitystreams#Public'
+            ],
+            'cc': [
+              'https://example.com/users/bob/followers'
+            ],
+            'signature': {
+              'type': 'RsaSignature2017',
+              'creator': 'https://example.com/users/bob#main-key',
+              'created': '2022-03-09T21:57:25Z',
+              'signatureValue': 'WculK0LelTQ0MvGwU9TPoq5pFzFfGYRDCJqjZ232/Udj4CHqDTGOSw5UTDLShqBOyycCkbZGrQwXG+dpyDpQLSe1UVPZ5TPQtc/9XtI57WlS2nMNpdvRuxGnnb2btPdesXZ7n3pCxo0zjaXrJMe0mqQh5QJO22mahb4bDwwmfTHgbD3nmkD+fBfGi+UV2qWwqr+jlV4L4JqNkh0gWljF5KTePLRRZCuWiQ/FAt7c67636cdIPf7fR+usjuZltTQyLZKEGuK8VUn2Gkfsx5qns7Vcjvlz1JqlAjyO8HPBbzTTHzUG2nUOIgC3PojCSWv6mNTmRGoLZzOscCAYQA6cKw=='
+            },
+            '@id': 'https://example.com/users/bob/statuses/107928807471117876/activity',
+            '@type': 'https://www.w3.org/ns/activitystreams#Create',
+            'https://www.w3.org/ns/activitystreams#actor': {
+              '@id': 'https://example.com/users/bob'
+            },
+            'https://www.w3.org/ns/activitystreams#cc': {
+              '@id': 'https://example.com/users/bob/followers'
+            },
+            'object': {
+              'id': 'https://example.com/users/bob/fake-status',
+              'type': 'Note',
+              'published': '2022-01-22T15:00:00Z',
+              'url': 'https://www.youtube.com/watch?v=dQw4w9WgXcQ&feature=puck-was-here',
+              'attributedTo': 'https://example.com/users/bob',
+              'to': [
+                'https://www.w3.org/ns/activitystreams#Public'
+              ],
+              'cc': [
+                'https://example.com/users/bob/followers'
+              ],
+              'sensitive': false,
+              'atomUri': 'https://example.com/users/bob/fake-status',
+              'conversation': 'tag:example.com,2022-03-09:objectId=15:objectType=Conversation',
+              'content': '<p>puck was here</p>',
+
+              '@id': 'https://example.com/users/bob/statuses/107928807471117876',
+              '@type': 'https://www.w3.org/ns/activitystreams#Note',
+              'http://ostatus.org#atomUri': 'https://example.com/users/bob/statuses/107928807471117876',
+              'http://ostatus.org#conversation': 'tag:example.com,2022-03-09:objectId=15:objectType=Conversation',
+              'https://www.w3.org/ns/activitystreams#attachment': [],
+              'https://www.w3.org/ns/activitystreams#attributedTo': {
+                '@id': 'https://example.com/users/bob'
+              },
+              'https://www.w3.org/ns/activitystreams#cc': {
+                '@id': 'https://example.com/users/bob/followers'
+              },
+              'https://www.w3.org/ns/activitystreams#content': [
+                '<p>hello world</p>',
+                {
+                  '@value': '<p>hello world</p>',
+                  '@language': 'en'
+                }
+              ],
+              'https://www.w3.org/ns/activitystreams#published': {
+                '@type': 'http://www.w3.org/2001/XMLSchema#dateTime',
+                '@value': '2022-03-09T21:55:07Z'
+              },
+              'https://www.w3.org/ns/activitystreams#replies': {
+                '@id': 'https://example.com/users/bob/statuses/107928807471117876/replies',
+                '@type': 'https://www.w3.org/ns/activitystreams#Collection',
+                'https://www.w3.org/ns/activitystreams#first': {
+                  '@type': 'https://www.w3.org/ns/activitystreams#CollectionPage',
+                  'https://www.w3.org/ns/activitystreams#items': [],
+                  'https://www.w3.org/ns/activitystreams#next': {
+                    '@id': 'https://example.com/users/bob/statuses/107928807471117876/replies?only_other_accounts=true&page=true'
+                  },
+                  'https://www.w3.org/ns/activitystreams#partOf': {
+                    '@id': 'https://example.com/users/bob/statuses/107928807471117876/replies'
+                  }
+                }
+              },
+              'https://www.w3.org/ns/activitystreams#sensitive': false,
+              'https://www.w3.org/ns/activitystreams#tag': [],
+              'https://www.w3.org/ns/activitystreams#to': {
+                '@id': 'https://www.w3.org/ns/activitystreams#Public'
+              },
+              'https://www.w3.org/ns/activitystreams#url': {
+                '@id': 'https://example.com/@bob/107928807471117876'
+              }
+            },
+            'https://www.w3.org/ns/activitystreams#published': {
+              '@type': 'http://www.w3.org/2001/XMLSchema#dateTime',
+              '@value': '2022-03-09T21:55:07Z'
+            },
+            'https://www.w3.org/ns/activitystreams#to': {
+              '@id': 'https://www.w3.org/ns/activitystreams#Public'
+            }
+          }
+        end
+
+        it 'does not process forged payload' do
+          expect(ActivityPub::Activity).not_to receive(:factory).with(
+            hash_including(
+              'object' => hash_including(
+                'id' => 'https://example.com/users/bob/fake-status'
+              )
+            ),
+            anything(),
+            anything()
+          )
+
+          expect(ActivityPub::Activity).not_to receive(:factory).with(
+            hash_including(
+              'object' => hash_including(
+                'content' => '<p>puck was here</p>'
+              )
+            ),
+            anything(),
+            anything()
+          )
+
+          subject.call(json, forwarder)
+
+          expect(Status.where(uri: 'https://example.com/users/bob/fake-status').exists?).to be false
+        end
+      end
     end
   end
 end