Merge branch 'security/as2-object-render-hardening' into 'develop'

activitypub: object view: avoid leaking private details

See merge request pleroma/pleroma!463
This commit is contained in:
lambda 2018-11-17 22:43:45 +00:00
commit 5143501426
2 changed files with 52 additions and 1 deletions

View File

@ -10,7 +10,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectView do
Map.merge(base, additional)
end
def render("object.json", %{object: %Activity{} = activity}) do
def render("object.json", %{object: %Activity{data: %{"type" => "Create"}} = activity}) do
base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
object = Object.normalize(activity.data["object"])
@ -20,4 +20,15 @@ defmodule Pleroma.Web.ActivityPub.ObjectView do
Map.merge(base, additional)
end
def render("object.json", %{object: %Activity{} = activity}) do
base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
object = Object.normalize(activity.data["object"])
additional =
Transmogrifier.prepare_object(activity.data)
|> Map.put("object", object.data["id"])
Map.merge(base, additional)
end
end

View File

@ -2,6 +2,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
use Pleroma.DataCase
import Pleroma.Factory
alias Pleroma.Web.CommonAPI
alias Pleroma.Web.ActivityPub.ObjectView
test "renders a note object" do
@ -15,4 +16,43 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
assert result["type"] == "Note"
assert result["@context"]
end
test "renders a note activity" do
note = insert(:note_activity)
result = ObjectView.render("object.json", %{object: note})
assert result["id"] == note.data["id"]
assert result["to"] == note.data["to"]
assert result["object"]["type"] == "Note"
assert result["object"]["content"] == note.data["object"]["content"]
assert result["type"] == "Create"
assert result["@context"]
end
test "renders a like activity" do
note = insert(:note_activity)
user = insert(:user)
{:ok, like_activity, _} = CommonAPI.favorite(note.id, user)
result = ObjectView.render("object.json", %{object: like_activity})
assert result["id"] == like_activity.data["id"]
assert result["object"] == note.data["object"]["id"]
assert result["type"] == "Like"
end
test "renders an announce activity" do
note = insert(:note_activity)
user = insert(:user)
{:ok, announce_activity, _} = CommonAPI.repeat(note.id, user)
result = ObjectView.render("object.json", %{object: announce_activity})
assert result["id"] == announce_activity.data["id"]
assert result["object"] == note.data["object"]["id"]
assert result["type"] == "Announce"
end
end