
Merge branch 'security/as2-object-render-hardening' into 'develop'

activitypub: object view: avoid leaking private details

See merge request pleroma/pleroma!463
tags/v0.9.9
lambda 5 anni fa
parent
commit
5143501426
2 ha cambiato i file con 52 aggiunte e 1 eliminazioni
  1. +12
    -1
      lib/pleroma/web/activity_pub/views/object_view.ex
  2. +40
    -0
      test/web/activity_pub/views/object_view_test.exs

+ 12
- 1
lib/pleroma/web/activity_pub/views/object_view.ex

@@ -10,7 +10,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectView do
Map.merge(base, additional)
end

def render("object.json", %{object: %Activity{} = activity}) do
def render("object.json", %{object: %Activity{data: %{"type" => "Create"}} = activity}) do
base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
object = Object.normalize(activity.data["object"])

@@ -20,4 +20,15 @@ defmodule Pleroma.Web.ActivityPub.ObjectView do

Map.merge(base, additional)
end

def render("object.json", %{object: %Activity{} = activity}) do
base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
object = Object.normalize(activity.data["object"])

additional =
Transmogrifier.prepare_object(activity.data)
|> Map.put("object", object.data["id"])

Map.merge(base, additional)
end
end
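Review bot: In the new catch-all `render("object.json", %{object: %Activity{} = activity})` clause, `object.data["id"]` is dereferenced without checking what `Object.normalize(activity.data["object"])` returned. If normalize can return `nil` (its definition is not on this page), which seems likely when the activity's `object` is not a stored object, for example a Follow pointing at an actor, the view raises instead of rendering. This clause only ever emits the reference, so it can take the id straight from the activity data, which keeps the id-only output independent of a lookup. The sketch below deliberately has no fallback to the raw value: an unexpected shape fails with a `CaseClauseError` rather than serialising an embedded object.

```elixir
def render("object.json", %{object: %Activity{} = activity}) do
  # … unchanged: base = make_json_ld_header() …

  # Emit only the reference; any other shape fails loudly instead of being serialised.
  object_id =
    case activity.data["object"] do
      %{"id" => id} when is_binary(id) -> id
      id when is_binary(id) -> id
    end

  additional =
    activity.data
    |> Transmogrifier.prepare_object()
    |> Map.put("object", object_id)

  # … unchanged: Map.merge(base, additional) …
end
```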

+ 40
- 0
test/web/activity_pub/views/object_view_test.exs

@@ -2,6 +2,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
use Pleroma.DataCase
import Pleroma.Factory

alias Pleroma.Web.CommonAPI
alias Pleroma.Web.ActivityPub.ObjectView

test "renders a note object" do
@@ -15,4 +16,43 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
assert result["type"] == "Note"
assert result["@context"]
end

test "renders a note activity" do
note = insert(:note_activity)

result = ObjectView.render("object.json", %{object: note})

assert result["id"] == note.data["id"]
assert result["to"] == note.data["to"]
assert result["object"]["type"] == "Note"
assert result["object"]["content"] == note.data["object"]["content"]
assert result["type"] == "Create"
assert result["@context"]
end

test "renders a like activity" do
note = insert(:note_activity)
user = insert(:user)

{:ok, like_activity, _} = CommonAPI.favorite(note.id, user)

result = ObjectView.render("object.json", %{object: like_activity})

assert result["id"] == like_activity.data["id"]
assert result["object"] == note.data["object"]["id"]
assert result["type"] == "Like"
end

test "renders an announce activity" do
note = insert(:note_activity)
user = insert(:user)

{:ok, announce_activity, _} = CommonAPI.repeat(note.id, user)

result = ObjectView.render("object.json", %{object: announce_activity})

assert result["id"] == announce_activity.data["id"]
assert result["object"] == note.data["object"]["id"]
assert result["type"] == "Announce"
end
end
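Review bot: The "renders a like activity" and "renders an announce activity" tests pin `result["object"]` to the note id but never check `result["@context"]`, which the Create test does, so the `Map.merge(base, additional)` in the new catch-all clause is not exercised; add `assert result["@context"]` to both. Nothing in the tests records why the equality on `result["object"]` matters, so a comment such as `# non-Create activities must expose only the object id, never the embedded object` above them would keep a later refactor from loosening it. Both tests also use only the default `:note_activity` factory; if the factory can build a non-public note, a case for it would tie the test to the leak named in the commit title.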
