Fix object spoofing vulnerability in attachments

Validate the content-type of the response when fetching an object, according to https://www.w3.org/TR/activitypub/#x3-2-retrieving-objects. content-type headers had to be added to many mocks in order to support this, some of this was done with a regex. While I did go over the resulting files to check I didn't modify anything unrelated, there is a possibility I missed something. Closes pleroma#1948
2020-10-28 18:08:23 +03:00 · 2020-10-28 18:08:23 +03:00 · 6ca709816f
commit 6ca709816f
parent 99bc175f02
10 changed files with 253 additions and 79 deletions
--- a/lib/pleroma/object/fetcher.ex
+++ b/lib/pleroma/object/fetcher.ex
@ -232,8 +232,24 @@ defmodule Pleroma.Object.Fetcher do
      |> sign_fetch(id, date)

    case HTTP.get(id, headers) do
-      {:ok, %{body: body, status: code}} when code in 200..299 ->
-        {:ok, body}
+      {:ok, %{body: body, status: code, headers: headers}} when code in 200..299 ->
+        case List.keyfind(headers, "content-type", 0) do
+          {_, content_type} ->
+            case Plug.Conn.Utils.media_type(content_type) do
+              {:ok, "application", "activity+json", _} ->
+                {:ok, body}
+
+              {:ok, "application", "ld+json",
+               %{"profile" => "https://www.w3.org/ns/activitystreams"}} ->
+                {:ok, body}
+
+              _ ->
+                {:error, {:content_type, content_type}}
+            end
+
+          _ ->
+            {:error, {:content_type, nil}}
+        end

      {:ok, %{status: code}} when code in [404, 410] ->
        {:error, "Object has been deleted"}