attack vector where you take posts from valid (unknown) diaspora people is now fixed

e7f764ff · maxwell · d3d01821 · e7f764ff · e7f764ff · e7f764ff
Commit e7f764ff authored 14 years ago by maxwell
--- a/lib/diaspora/user/receiving.rb
+++ b/lib/diaspora/user/receiving.rb
@@ -17,17 +17,23 @@ module Diaspora
        sender_in_xml = sender(object, xml)
        if (salmon_author == sender_in_xml)
-          if object.is_a? Retraction
-            receive_retraction object, xml
+          if object.is_a? Request
-          elsif object.is_a? Request
            receive_request object, sender_in_xml
-          elsif object.is_a? Profile
+          elsif self.friend_ids.include? salmon_author.id
-            receive_profile object, xml
+            if object.is_a? Retraction
-          elsif object.is_a?(Comment)
+              receive_retraction object, xml
-            receive_comment object, xml
+            elsif object.is_a? Profile
+              receive_profile object, xml
+            elsif object.is_a?(Comment)
+              receive_comment object, xml
+            else
+              receive_post object, xml
+            end
          else
-            receive_post object, xml
+            raise "Not friends with that person"
          end
        else
          raise "Malicious Post, #{salmon_author.real_name} with id #{salmon_author.id} is sending a #{object.class} as #{sender_in_xml.real_name} with id #{sender_in_xml.id} "
        end

--- a/spec/controllers/publics_controller_spec.rb
+++ b/spec/controllers/publics_controller_spec.rb
@@ -8,7 +8,8 @@ describe PublicsController do
  render_views
  let(:user) {Factory.create :user}
  let(:user2){Factory.create :user}
+  let(:aspect1){user.aspect(:name => "foo")}
+  let(:aspect2){user2.aspect(:name => "far")}
  before do
    sign_in :user, user
  end
@@ -21,7 +22,8 @@ describe PublicsController do
    it 'should accept a post from another node and save the information' do
      message = user2.build_post(:status_message, :message => "hi")
+      friend_users(user, aspect1, user2, aspect2)
      user.reload
      user.visible_post_ids.include?(message.id).should be false

--- a/spec/lib/diaspora_parser_spec.rb
+++ b/spec/lib/diaspora_parser_spec.rb
@@ -12,6 +12,8 @@ describe Diaspora::Parser do
    @user3 = Factory.create :user
    @person = @user3.person
    @user2 = Factory.create(:user)
+    @aspect2 = @user2.aspect(:name => "pandas")
+    friend_users(@user, @aspect, @user2, @aspect2) 
  end
  describe "parsing compliant XML object" do
@@ -49,7 +51,7 @@ describe Diaspora::Parser do
    end
    it 'should marshal retractions' do
-      person = Factory.create(:person)
+      person = @user2.person
      message = Factory.create(:status_message, :person => person)
      retraction = Retraction.for(message)
      xml = retraction.to_diaspora_xml
@@ -95,17 +97,17 @@ describe Diaspora::Parser do
    end
    it "should activate the Person if I initiated a request to that url" do
-      request = @user.send_friend_request_to( @user2.person, @aspect)
+      request = @user.send_friend_request_to( @user3.person, @aspect)
      @user.reload
-      request.reverse_for @user2
+      request.reverse_for @user3
      xml = request.to_diaspora_xml
-      @user2.person.destroy
+      @user3.person.destroy
-      @user2.destroy
+      @user3.destroy
-      @user.receive xml, @user2.person
+      @user.receive xml, @user3.person
-      new_person = Person.first(:url => @user2.person.url)
+      new_person = Person.first(:url => @user3.person.url)
      new_person.nil?.should be false
      @user.reload
@@ -115,18 +117,20 @@ describe Diaspora::Parser do
    end
    it 'should process retraction for a person' do
+      user4 = Factory(:user)
      person_count = Person.all.count
-      request = @user.send_friend_request_to( @user2.person, @aspect)
+      request = @user.send_friend_request_to( user4.person, @aspect)
      @user.reload
-      request.reverse_for @user2
+      request.reverse_for user4
      xml = request.to_diaspora_xml
-      retraction = Retraction.for(@user2)
+      retraction = Retraction.for(user4)
      retraction_xml = retraction.to_diaspora_xml
-      @user2.person.destroy
+      user4.person.destroy
-      @user2.destroy
+      user4.destroy
-      @user.receive xml, @user2.person
+      @user.receive xml, user4.person
      @aspect.reload
@@ -134,7 +138,7 @@ describe Diaspora::Parser do
      #They are now friends
      Person.count.should == person_count
-      @user.receive retraction_xml, @user2.person
+      @user.receive retraction_xml, user4.person
      @aspect.reload
@@ -143,7 +147,7 @@ describe Diaspora::Parser do
    it 'should marshal a profile for a person' do
      #Create person
-      person = Factory.create(:person)
+      person = @user2.person
      id = person.id
      person.profile = Profile.new(:first_name => 'bob', :last_name => 'billytown', :image_url => "http://clown.com")
      person.save

--- a/spec/models/photo_spec.rb
+++ b/spec/models/photo_spec.rb
@@ -102,10 +102,18 @@ describe Photo do
    end
    it 'should set the remote_photo on marshalling' do
+      pending "did the socket get unstubbed?"
      @photo.image.store! File.open(@fixture_name)
+      #security hax
+      user2 = Factory.create(:user)
+      aspect2 = user2.aspect(:name => "foobars")
+      friend_users(@user, @aspect, user2, aspect2)
+      @photo.person = user2.person
      @photo.save
-      @photo.reload
+      #@photo.reload
      url = @photo.url
      thumb_url = @photo.url :thumb_medium

--- a/spec/models/user/attack_vectors_spec.rb
+++ b/spec/models/user/attack_vectors_spec.rb
@@ -25,7 +25,6 @@ describe User do
  context 'non-friend valid user' do
    it 'raises if receives post by non-friend' do
-      pending "need to that posts come from friends.... requests need special treatment(because the person may not be in the db)"
      post_from_non_friend = bad_user.build_post( :status_message, :message => 'hi')
      xml = bad_user.salmon(post_from_non_friend).xml_for(user.person)