Fix url guessing attacks.

test/web/activity_pub/activity_pub_controller_test.exs

@@ -4,6 +4,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
   alias Pleroma.Web.ActivityPub.{UserView, ObjectView}
   alias Pleroma.{Repo, User}
   alias Pleroma.Activity
+  alias Pleroma.Web.CommonAPI
 
   describe "/users/:nickname" do
     test "it returns a json representation of the user", %{conn: conn} do
@@ -32,6 +33,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
 
       assert json_response(conn, 200) == ObjectView.render("object.json", %{object: note})
     end
+
+    test "it returns 404 for non-public messages", %{conn: conn} do
+      note = insert(:direct_note)
+      uuid = String.split(note.data["id"], "/") |> List.last()
+
+      conn =
+        conn
+        |> put_req_header("accept", "application/activity+json")
+        |> get("/objects/#{uuid}")
+
+      assert json_response(conn, 404)
+    end
   end
 
   describe "/users/:nickname/inbox" do

test/web/ostatus/ostatus_controller_test.exs

@@ -77,6 +77,19 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
     assert response(conn, 200) == expected
   end
 
+  test "404s on private objects", %{conn: conn} do
+    note_activity = insert(:direct_note_activity)
+    user = User.get_by_ap_id(note_activity.data["actor"])
+    [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["object"]["id"]))
+    url = "/objects/#{uuid}"
+
+    conn =
+      conn
+      |> get(url)
+
+    assert response(conn, 404)
+  end
+
   test "gets an activity", %{conn: conn} do
     note_activity = insert(:note_activity)
     [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"]))
@@ -89,6 +102,18 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
     assert response(conn, 200)
   end
 
+  test "404s on private activities", %{conn: conn} do
+    note_activity = insert(:direct_note_activity)
+    [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"]))
+    url = "/activities/#{uuid}"
+
+    conn =
+      conn
+      |> get(url)
+
+    assert response(conn, 404)
+  end
+
   test "gets a notice", %{conn: conn} do
     note_activity = insert(:note_activity)
     url = "/notice/#{note_activity.id}"
@@ -99,4 +124,15 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
 
     assert response(conn, 200)
   end
+
+  test "404s a private notice", %{conn: conn} do
+    note_activity = insert(:direct_note_activity)
+    url = "/notice/#{note_activity.id}"
+
+    conn =
+      conn
+      |> get(url)
+
+    assert response(conn, 404)
+  end
 end