Fix url guessing attacks.

2018-05-30 20:00:27 +02:00 · 2018-05-30 20:00:27 +02:00 · 349400c06a
commit 349400c06a
parent 196d36a7d5
4 changed files with 74 additions and 4 deletions
--- a/test/web/ostatus/ostatus_controller_test.exs
+++ b/test/web/ostatus/ostatus_controller_test.exs
@ -77,6 +77,19 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
    assert response(conn, 200) == expected
  end

+  test "404s on private objects", %{conn: conn} do
+    note_activity = insert(:direct_note_activity)
+    user = User.get_by_ap_id(note_activity.data["actor"])
+    [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["object"]["id"]))
+    url = "/objects/#{uuid}"
+
+    conn =
+      conn
+      |> get(url)
+
+    assert response(conn, 404)
+  end
+
  test "gets an activity", %{conn: conn} do
    note_activity = insert(:note_activity)
    [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"]))
@ -89,6 +102,18 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
    assert response(conn, 200)
  end

+  test "404s on private activities", %{conn: conn} do
+    note_activity = insert(:direct_note_activity)
+    [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"]))
+    url = "/activities/#{uuid}"
+
+    conn =
+      conn
+      |> get(url)
+
+    assert response(conn, 404)
+  end
+
  test "gets a notice", %{conn: conn} do
    note_activity = insert(:note_activity)
    url = "/notice/#{note_activity.id}"
@ -99,4 +124,15 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do

    assert response(conn, 200)
  end
+
+  test "404s a private notice", %{conn: conn} do
+    note_activity = insert(:direct_note_activity)
+    url = "/notice/#{note_activity.id}"
+
+    conn =
+      conn
+      |> get(url)
+
+    assert response(conn, 404)
+  end
 end