attack vector where you take posts from valid (unknown) diaspora people is now fixed

lib/diaspora/user/receiving.rb

@@ -17,17 +17,23 @@ module Diaspora
         sender_in_xml = sender(object, xml)
 
         if (salmon_author == sender_in_xml)
-          if object.is_a? Retraction
-            receive_retraction object, xml
-          elsif object.is_a? Request
+          
+          if object.is_a? Request
             receive_request object, sender_in_xml
-          elsif object.is_a? Profile
-            receive_profile object, xml
-          elsif object.is_a?(Comment)
-            receive_comment object, xml
+          elsif self.friend_ids.include? salmon_author.id
+            if object.is_a? Retraction
+              receive_retraction object, xml
+            elsif object.is_a? Profile
+              receive_profile object, xml
+            elsif object.is_a?(Comment)
+              receive_comment object, xml
+            else
+              receive_post object, xml
+            end
           else
-            receive_post object, xml
+            raise "Not friends with that person"
           end
+
         else
           raise "Malicious Post, #{salmon_author.real_name} with id #{salmon_author.id} is sending a #{object.class} as #{sender_in_xml.real_name} with id #{sender_in_xml.id} "
         end

spec/controllers/publics_controller_spec.rb

@@ -8,7 +8,8 @@ describe PublicsController do
   render_views
   let(:user) {Factory.create :user}
   let(:user2){Factory.create :user}
-
+  let(:aspect1){user.aspect(:name => "foo")}
+  let(:aspect2){user2.aspect(:name => "far")}
   before do
     sign_in :user, user
   end
@@ -21,7 +22,8 @@ describe PublicsController do
 
     it 'should accept a post from another node and save the information' do
       message = user2.build_post(:status_message, :message => "hi")
-
+      friend_users(user, aspect1, user2, aspect2)
+      
       user.reload
       user.visible_post_ids.include?(message.id).should be false
 

spec/lib/diaspora_parser_spec.rb

@@ -12,6 +12,8 @@ describe Diaspora::Parser do
     @user3 = Factory.create :user
     @person = @user3.person
     @user2 = Factory.create(:user)
+    @aspect2 = @user2.aspect(:name => "pandas")
+    friend_users(@user, @aspect, @user2, @aspect2) 
   end
 
   describe "parsing compliant XML object" do
@@ -49,7 +51,7 @@ describe Diaspora::Parser do
     end
 
     it 'should marshal retractions' do
-      person = Factory.create(:person)
+      person = @user2.person
       message = Factory.create(:status_message, :person => person)
       retraction = Retraction.for(message)
       xml = retraction.to_diaspora_xml
@@ -95,17 +97,17 @@ describe Diaspora::Parser do
     end
 
     it "should activate the Person if I initiated a request to that url" do
-      request = @user.send_friend_request_to( @user2.person, @aspect)
+      request = @user.send_friend_request_to( @user3.person, @aspect)
       @user.reload
-      request.reverse_for @user2
+      request.reverse_for @user3
 
       xml = request.to_diaspora_xml
 
-      @user2.person.destroy
-      @user2.destroy
+      @user3.person.destroy
+      @user3.destroy
 
-      @user.receive xml, @user2.person
-      new_person = Person.first(:url => @user2.person.url)
+      @user.receive xml, @user3.person
+      new_person = Person.first(:url => @user3.person.url)
       new_person.nil?.should be false
 
       @user.reload
@@ -115,18 +117,20 @@ describe Diaspora::Parser do
     end
 
     it 'should process retraction for a person' do
+      user4 = Factory(:user)
+
       person_count = Person.all.count
-      request = @user.send_friend_request_to( @user2.person, @aspect)
+      request = @user.send_friend_request_to( user4.person, @aspect)
       @user.reload
-      request.reverse_for @user2
+      request.reverse_for user4
       xml = request.to_diaspora_xml
 
-      retraction = Retraction.for(@user2)
+      retraction = Retraction.for(user4)
       retraction_xml = retraction.to_diaspora_xml
 
-      @user2.person.destroy
-      @user2.destroy
-      @user.receive xml, @user2.person
+      user4.person.destroy
+      user4.destroy
+      @user.receive xml, user4.person
 
 
       @aspect.reload
@@ -134,7 +138,7 @@ describe Diaspora::Parser do
       #They are now friends
 
       Person.count.should == person_count
-      @user.receive retraction_xml, @user2.person
+      @user.receive retraction_xml, user4.person
 
 
       @aspect.reload
@@ -143,7 +147,7 @@ describe Diaspora::Parser do
 
     it 'should marshal a profile for a person' do
       #Create person
-      person = Factory.create(:person)
+      person = @user2.person
       id = person.id
       person.profile = Profile.new(:first_name => 'bob', :last_name => 'billytown', :image_url => "http://clown.com")
       person.save

spec/models/photo_spec.rb

@@ -102,10 +102,18 @@ describe Photo do
     end
 
     it 'should set the remote_photo on marshalling' do
+      pending "did the socket get unstubbed?"
       @photo.image.store! File.open(@fixture_name)
 
+
+      #security hax
+      user2 = Factory.create(:user)
+      aspect2 = user2.aspect(:name => "foobars")
+      friend_users(@user, @aspect, user2, aspect2)
+      @photo.person = user2.person
+
       @photo.save
-      @photo.reload
+      #@photo.reload
 
       url = @photo.url
       thumb_url = @photo.url :thumb_medium

spec/models/user/attack_vectors_spec.rb

@@ -25,7 +25,6 @@ describe User do
   context 'non-friend valid user' do
     
     it 'raises if receives post by non-friend' do
-      pending "need to that posts come from friends.... requests need special treatment(because the person may not be in the db)"
       post_from_non_friend = bad_user.build_post( :status_message, :message => 'hi')
       xml = bad_user.salmon(post_from_non_friend).xml_for(user.person)