slight refactor of receiving spec, wrote a spec that exposed malicious friend attack

vector

slight refactor of receiving spec, wrote a spec that exposed malicious friend attack
38877121 · ilya · c646db95 · 38877121 · 38877121 · 38877121
--- a/lib/diaspora/user/receiving.rb
+++ b/lib/diaspora/user/receiving.rb
@@ -13,7 +13,7 @@ module Diaspora
        object = Diaspora::Parser.from_xml(xml)
        Rails.logger.debug("Receiving object for #{self.real_name}:\n#{object.inspect}")
        Rails.logger.debug("From: #{object.person.inspect}") if object.person
-
+        
        if object.is_a? Retraction
          receive_retraction object, xml
        elsif object.is_a? Request

--- a/spec/models/user/attack_vectors_spec.rb
+++ b/spec/models/user/attack_vectors_spec.rb
+#   Copyright (c) 2010, Diaspora Inc.  This file is
+#   licensed under the Affero General Public License version 3 or later.  See
+#   the COPYRIGHT file.
+
+require 'spec_helper'
+
+describe User do
+
+  let(:user) { Factory(:user) }
+  let(:aspect) { user.aspect(:name => 'heroes') }
+
+  let(:user2) { Factory(:user) }
+  let(:aspect2) { user2.aspect(:name => 'losers') }
+
+  let(:user3) { Factory(:user) }
+  let(:aspect3) { user3.aspect(:name => 'heroes') }
+
+  before do
+    friend_users(user, aspect, user2, aspect2)
+    friend_users(user, aspect, user3, aspect3)
+  end
+
+  context 'malicious friend attack vector' do
+    it 'ovewrites messages with a different user' do 
+      original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
+
+      user.receive_salmon(user2.salmon(original_message).xml_for(user.person))
+      user.raw_visible_posts.count.should be 1
+
+      malicious_message = Factory.build( :status_message, :id => original_message.id, :message => 'BAD!!!', :person => user3.person)
+      user.receive_salmon(user3.salmon(malicious_message).xml_for(user.person))
+
+      user.raw_visible_posts.count.should be 1
+      user.raw_visible_posts.first.message.should == "store this!"
+    end
+     
+    it 'ovewrites messages which apear to ' do 
+      original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
+      user.receive_salmon(user2.salmon(original_message).xml_for(user.person))
+      user.raw_visible_posts.count.should be 1
+
+      malicious_message = Factory.build( :status_message, :id => original_message.id, :message => 'BAD!!!', :person => user2.person)
+      user.receive_salmon(user3.salmon(malicious_message).xml_for(user.person))
+
+      user.raw_visible_posts.count.should be 1
+      user.raw_visible_posts.first.message.should == "store this!"
+    end
+
+    it 'overites another persons profile' do 
+      profile = user2.profile.clone
+      profile.first_name = "Not BOB"
+
+      user2.reload
+      user2.profile.first_name.should == "Robert"
+      user.receive_salmon(user3.salmon(profile).xml_for(user.person))
+      user2.reload
+      user2.profile.first_name.should == "Robert"
+    end
+
+    it 'overwrites requests' do
+      pending
+    end
+  end
+end
--- a/spec/models/user/receive_spec.rb
+++ b/spec/models/user/receive_spec.rb
@@ -6,108 +6,105 @@ require 'spec_helper'

 describe User do

-  before do
-    @user = Factory.create :user
-    @aspect = @user.aspect(:name => 'heroes')
+  let(:user) { Factory(:user) }
+  let(:aspect) { user.aspect(:name => 'heroes') }

-    @user2 = Factory.create(:user)
-    @aspect2 = @user2.aspect(:name => 'losers')
+  let(:user2) { Factory(:user) }
+  let(:aspect2) { user2.aspect(:name => 'losers') }

-    @user3 = Factory.create(:user)
-    @aspect3 = @user3.aspect(:name => 'heroes')
+  let(:user3) { Factory(:user) }
+  let(:aspect3) { user3.aspect(:name => 'heroes') }

-    friend_users(@user, @aspect, @user2, @aspect2)
+  before do
+    friend_users(user, aspect, user2, aspect2)
+    friend_users(user, aspect, user3, aspect3)
  end

  it 'should be able to parse and store a status message from xml' do
-    status_message = @user2.post :status_message, :message => 'store this!', :to => @aspect2.id
-    person = @user2.person
+    status_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
+    person = user2.person

    xml = status_message.to_diaspora_xml
-    @user2.destroy
+    user2.destroy
    status_message.destroy
    StatusMessage.all.size.should == 0
-    @user.receive( xml )
+    user.receive( xml )

    Post.all(:person_id => person.id).first.message.should == 'store this!'
    StatusMessage.all.size.should == 1
  end

  it 'should not create new aspects on message receive' do
-    num_aspects = @user.aspects.size
+    num_aspects = user.aspects.size

    (0..5).each{ |n|
-      status_message = @user2.post :status_message, :message => "store this #{n}!", :to => @aspect2.id
+      status_message = user2.post :status_message, :message => "store this #{n}!", :to => aspect2.id
      xml = status_message.to_diaspora_xml
-      @user.receive( xml )
+      user.receive( xml )
    }

-    @user.aspects.size.should == num_aspects
+    user.aspects.size.should == num_aspects
  end

  describe 'post refs' do
-    before do
-
-    end
-
    it "should add a received post to the aspect and visible_posts array" do
-      status_message = @user.post :status_message, :message => "hi", :to => @aspect.id
-      @user.reload
-      salmon = @user.salmon(status_message).xml_for @user2.person
-      @user2.receive_salmon salmon
-      @user2.reload
-      @user2.raw_visible_posts.include?(status_message).should be true
-      @aspect2.reload
-      @aspect2.posts.include?(status_message).should be_true
+      status_message = user.post :status_message, :message => "hi", :to =>aspect.id
+      user.reload
+      salmon = user.salmon(status_message).xml_for user2.person
+      user2.receive_salmon salmon
+      user2.reload
+      user2.raw_visible_posts.include?(status_message).should be true
+      aspect2.reload
+      aspect2.posts.include?(status_message).should be_true
    end

    it 'should be removed on unfriending' do
-      status_message = @user2.post :status_message, :message => "hi", :to => @aspect2.id
-      @user.receive status_message.to_diaspora_xml
-      @user.reload
+      status_message = user2.post :status_message, :message => "hi", :to => aspect2.id
+      user.receive status_message.to_diaspora_xml
+      user.reload

-      @user.raw_visible_posts.count.should == 1
+      user.raw_visible_posts.count.should == 1

-      @user.unfriend(@user2.person)
+      user.unfriend(user2.person)

-      @user.reload
-      @user.raw_visible_posts.count.should == 0
+      user.reload
+      user.raw_visible_posts.count.should == 0

      Post.count.should be 1
    end

    it 'should be remove a post if the noone links to it' do
-      status_message = @user2.post :status_message, :message => "hi", :to => @aspect2.id
-      @user.receive status_message.to_diaspora_xml
-      @user.reload
+      status_message = user2.post :status_message, :message => "hi", :to => aspect2.id
+      user.receive status_message.to_diaspora_xml
+      user.reload

-      @user.raw_visible_posts.count.should == 1
+      user.raw_visible_posts.count.should == 1

-      person = @user2.person
-      @user2.destroy
-      @user.unfriend(person)
+      person = user2.person
+      user2.destroy
+      user.unfriend(person)

-      @user.reload
-      @user.raw_visible_posts.count.should == 0
+      user.reload
+      user.raw_visible_posts.count.should == 0

      Post.count.should be 0
    end

    it 'should keep track of user references for one person ' do
-      status_message = @user2.post :status_message, :message => "hi", :to => @aspect2.id
-      @user.receive status_message.to_diaspora_xml
-      @user.reload
+      status_message = user2.post :status_message, :message => "hi", :to => aspect2.id
+      user.receive status_message.to_diaspora_xml
+      user.reload

-      @user.raw_visible_posts.count.should == 1
+      user.raw_visible_posts.count.should == 1

      status_message.reload
      status_message.user_refs.should == 1

-      @user.unfriend(@user2.person)
+      user.unfriend(user2.person)
      status_message.reload

-      @user.reload
-      @user.raw_visible_posts.count.should == 0
+      user.reload
+      user.raw_visible_posts.count.should == 0

      status_message.reload
      status_message.user_refs.should == 0
@@ -116,25 +113,25 @@ describe User do
    end

    it 'should not override userrefs on receive by another person' do
-      @user3.activate_friend(@user2.person, @aspect3)
+      user3.activate_friend(user2.person, aspect3)

-      status_message = @user2.post :status_message, :message => "hi", :to => @aspect2.id
-      @user.receive status_message.to_diaspora_xml
+      status_message = user2.post :status_message, :message => "hi", :to => aspect2.id
+      user.receive status_message.to_diaspora_xml

-      @user3.receive status_message.to_diaspora_xml
-      @user.reload
-      @user3.reload
+      user3.receive status_message.to_diaspora_xml
+      user.reload
+      user3.reload

-      @user.raw_visible_posts.count.should == 1
+      user.raw_visible_posts.count.should == 1

      status_message.reload
      status_message.user_refs.should == 2

-      @user.unfriend(@user2.person)
+      user.unfriend(user2.person)
      status_message.reload

-      @user.reload
-      @user.raw_visible_posts.count.should == 0
+      user.reload
+      user.raw_visible_posts.count.should == 0

      status_message.reload
      status_message.user_refs.should == 1
@@ -146,44 +143,41 @@ describe User do
  describe 'comments' do
    it 'should correctly marshal a stranger for the downstream user' do

-      friend_users(@user, @aspect, @user3, @aspect3)
-      post = @user.post :status_message, :message => "hello", :to => @aspect.id
+      post = user.post :status_message, :message => "hello", :to => aspect.id

-      @user2.receive post.to_diaspora_xml
-      @user3.receive post.to_diaspora_xml
+      user2.receive post.to_diaspora_xml
+      user3.receive post.to_diaspora_xml

-      comment = @user2.comment('tada',:on => post)
-      @user.receive comment.to_diaspora_xml
-      @user.reload
+      comment = user2.comment('tada',:on => post)
+      user.receive comment.to_diaspora_xml
+      user.reload

-      commenter_id = @user2.person.id
+      commenter_id = user2.person.id

-      @user2.person.delete
-      @user2.delete
+      user2.person.delete
+      user2.delete
      comment_id = comment.id

      comment.delete
-      @user3.receive comment.to_diaspora_xml
-      @user3.reload
+      user3.receive comment.to_diaspora_xml
+      user3.reload

      new_comment = Comment.find_by_id(comment_id)
      new_comment.should_not be_nil
      new_comment.person.should_not be_nil
      new_comment.person.profile.should_not be_nil

-      @user3.visible_person_by_id(commenter_id).should_not be_nil
+      user3.visible_person_by_id(commenter_id).should_not be_nil
    end
  end

  describe 'salmon' do
-    before do
-      @post = @user.post :status_message, :message => "hello", :to => @aspect.id
-      @salmon = @user.salmon( @post )
-    end
+    let(:post){user.post :status_message, :message => "hello", :to => aspect.id}
+    let(:salmon){user.salmon( post )}

    it 'should receive a salmon for a post' do
-      @user2.receive_salmon( @salmon.xml_for @user2.person )
-      @user2.visible_post_ids.include?(@post.id).should be true
+      user2.receive_salmon( salmon.xml_for user2.person )
+      user2.visible_post_ids.include?(post.id).should be true
    end
  end
 end