From e7f764ffeb60b59b12b51b6e86756fc20f7950b7 Mon Sep 17 00:00:00 2001
From: maxwell <maxwell@joindiaspora.com>
Date: Wed, 20 Oct 2010 00:42:33 -0700
Subject: [PATCH] attack vector where you take posts from valid (unknown)
 diaspora people is now fixed

---
 lib/diaspora/user/receiving.rb              | 22 ++++++++-----
 spec/controllers/publics_controller_spec.rb |  6 ++--
 spec/lib/diaspora_parser_spec.rb            | 34 ++++++++++++---------
 spec/models/photo_spec.rb                   | 10 +++++-
 spec/models/user/attack_vectors_spec.rb     |  1 -
 5 files changed, 46 insertions(+), 27 deletions(-)

diff --git a/lib/diaspora/user/receiving.rb b/lib/diaspora/user/receiving.rb
index 3a8fc5fa68..f459862ba1 100644
--- a/lib/diaspora/user/receiving.rb
+++ b/lib/diaspora/user/receiving.rb
@@ -17,17 +17,23 @@ module Diaspora
         sender_in_xml = sender(object, xml)
 
         if (salmon_author == sender_in_xml)
-          if object.is_a? Retraction
-            receive_retraction object, xml
-          elsif object.is_a? Request
+          
+          if object.is_a? Request
             receive_request object, sender_in_xml
-          elsif object.is_a? Profile
-            receive_profile object, xml
-          elsif object.is_a?(Comment)
-            receive_comment object, xml
+          elsif self.friend_ids.include? salmon_author.id
+            if object.is_a? Retraction
+              receive_retraction object, xml
+            elsif object.is_a? Profile
+              receive_profile object, xml
+            elsif object.is_a?(Comment)
+              receive_comment object, xml
+            else
+              receive_post object, xml
+            end
           else
-            receive_post object, xml
+            raise "Not friends with that person"
           end
+
         else
           raise "Malicious Post, #{salmon_author.real_name} with id #{salmon_author.id} is sending a #{object.class} as #{sender_in_xml.real_name} with id #{sender_in_xml.id} "
         end
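Review bot: The new `raise "Not friends with that person"` on the rejected branch carries none of the identifying detail that the neighbouring `"Malicious Post, …"` message does, so a refused delivery cannot be traced to its sender from the exception alone; I would write `raise "Not friends with #{salmon_author.real_name} (id #{salmon_author.id}), refusing #{object.class}"`. Retraction handling also moved under the friend gate together with Profile and Comment, so a retraction from someone not in `friend_ids` now raises instead of being processed — presumably intended, but worth stating on the `elsif self.friend_ids.include? salmon_author.id` line with a comment such as `# only Requests may come from strangers; everything else must come from a friend`. The blank lines added above the nested block and after its `end` carry trailing whitespace, as do the added lines in the publics_controller_spec and diaspora_parser_spec hunks. The enclosing method begins and ends outside this hunk.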
diff --git a/spec/controllers/publics_controller_spec.rb b/spec/controllers/publics_controller_spec.rb
index 113ca4a9bb..cf1a71d88f 100644
--- a/spec/controllers/publics_controller_spec.rb
+++ b/spec/controllers/publics_controller_spec.rb
@@ -8,7 +8,8 @@ describe PublicsController do
   render_views
   let(:user) {Factory.create :user}
   let(:user2){Factory.create :user}
-
+  let(:aspect1){user.aspect(:name => "foo")}
+  let(:aspect2){user2.aspect(:name => "far")}
   before do
     sign_in :user, user
   end
@@ -21,7 +22,8 @@ describe PublicsController do
 
     it 'should accept a post from another node and save the information' do
       message = user2.build_post(:status_message, :message => "hi")
-
+      friend_users(user, aspect1, user2, aspect2)
+      
       user.reload
       user.visible_post_ids.include?(message.id).should be false
 
diff --git a/spec/lib/diaspora_parser_spec.rb b/spec/lib/diaspora_parser_spec.rb
index 33efe2f0a5..6c3c697dfe 100644
--- a/spec/lib/diaspora_parser_spec.rb
+++ b/spec/lib/diaspora_parser_spec.rb
@@ -12,6 +12,8 @@ describe Diaspora::Parser do
     @user3 = Factory.create :user
     @person = @user3.person
     @user2 = Factory.create(:user)
+    @aspect2 = @user2.aspect(:name => "pandas")
+    friend_users(@user, @aspect, @user2, @aspect2) 
   end
 
   describe "parsing compliant XML object" do
@@ -49,7 +51,7 @@ describe Diaspora::Parser do
     end
 
     it 'should marshal retractions' do
-      person = Factory.create(:person)
+      person = @user2.person
       message = Factory.create(:status_message, :person => person)
       retraction = Retraction.for(message)
       xml = retraction.to_diaspora_xml
@@ -95,17 +97,17 @@ describe Diaspora::Parser do
     end
 
     it "should activate the Person if I initiated a request to that url" do
-      request = @user.send_friend_request_to( @user2.person, @aspect)
+      request = @user.send_friend_request_to( @user3.person, @aspect)
       @user.reload
-      request.reverse_for @user2
+      request.reverse_for @user3
 
       xml = request.to_diaspora_xml
 
-      @user2.person.destroy
-      @user2.destroy
+      @user3.person.destroy
+      @user3.destroy
 
-      @user.receive xml, @user2.person
-      new_person = Person.first(:url => @user2.person.url)
+      @user.receive xml, @user3.person
+      new_person = Person.first(:url => @user3.person.url)
       new_person.nil?.should be false
 
       @user.reload
@@ -115,18 +117,20 @@ describe Diaspora::Parser do
     end
 
     it 'should process retraction for a person' do
+      user4 = Factory(:user)
+
       person_count = Person.all.count
-      request = @user.send_friend_request_to( @user2.person, @aspect)
+      request = @user.send_friend_request_to( user4.person, @aspect)
       @user.reload
-      request.reverse_for @user2
+      request.reverse_for user4
       xml = request.to_diaspora_xml
 
-      retraction = Retraction.for(@user2)
+      retraction = Retraction.for(user4)
       retraction_xml = retraction.to_diaspora_xml
 
-      @user2.person.destroy
-      @user2.destroy
-      @user.receive xml, @user2.person
+      user4.person.destroy
+      user4.destroy
+      @user.receive xml, user4.person
 
 
       @aspect.reload
@@ -134,7 +138,7 @@ describe Diaspora::Parser do
       #They are now friends
 
       Person.count.should == person_count
-      @user.receive retraction_xml, @user2.person
+      @user.receive retraction_xml, user4.person
 
 
       @aspect.reload
@@ -143,7 +147,7 @@ describe Diaspora::Parser do
 
     it 'should marshal a profile for a person' do
       #Create person
-      person = Factory.create(:person)
+      person = @user2.person
       id = person.id
       person.profile = Profile.new(:first_name => 'bob', :last_name => 'billytown', :image_url => "http://clown.com")
       person.save
diff --git a/spec/models/photo_spec.rb b/spec/models/photo_spec.rb
index 51b1c058d2..d97f14d759 100644
--- a/spec/models/photo_spec.rb
+++ b/spec/models/photo_spec.rb
@@ -102,10 +102,18 @@ describe Photo do
     end
 
     it 'should set the remote_photo on marshalling' do
+      pending "did the socket get unstubbed?"
       @photo.image.store! File.open(@fixture_name)
 
+
+      #security hax
+      user2 = Factory.create(:user)
+      aspect2 = user2.aspect(:name => "foobars")
+      friend_users(@user, @aspect, user2, aspect2)
+      @photo.person = user2.person
+
       @photo.save
-      @photo.reload
+      #@photo.reload
 
       url = @photo.url
       thumb_url = @photo.url :thumb_medium
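Review bot: The `pending "did the socket get unstubbed?"` added at the top of the example appears to stop it before the friend setup runs, so the `friend_users(@user, @aspect, user2, aspect2)` call and the `@photo.person = user2.person` assignment never execute and the commented-out `#@photo.reload` is left as dead code in a test that no longer exercises the new friend gate for photos. If socket stubbing is the blocker, I would keep the setup live and move the `pending` down to the line that actually fails, and either restore `@photo.reload` or delete the commented line rather than leaving both. The `#security hax` comment should say why the setup exists, e.g. `# the receiver now accepts posts only from friends, so the photo's author must be friended with @user first`.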
diff --git a/spec/models/user/attack_vectors_spec.rb b/spec/models/user/attack_vectors_spec.rb
index ebab7cf378..67235f447f 100644
--- a/spec/models/user/attack_vectors_spec.rb
+++ b/spec/models/user/attack_vectors_spec.rb
@@ -25,7 +25,6 @@ describe User do
   context 'non-friend valid user' do
     
     it 'raises if receives post by non-friend' do
-      pending "need to that posts come from friends.... requests need special treatment(because the person may not be in the db)"
       post_from_non_friend = bad_user.build_post( :status_message, :message => 'hi')
       xml = bad_user.salmon(post_from_non_friend).xml_for(user.person)
 
-- 
GitLab