Fix a security issue that author_signature is not checked on the to-downstream...

Fix a security issue that author_signature is not checked on the to-downstream receive of a federated relayable entity, allowing to forge relayables if you are an owner of the pod where a parent object is stored. closes #6539

Fix a security issue that author_signature is not checked on the to-downstream...
f0fc62e9 · cmrd Senya · Jonne Haß · 922d26f9 · f0fc62e9 · f0fc62e9
--- a/Changelog.md
+++ b/Changelog.md
 # 0.5.6.0

 ## Refactor
+* Add more integration tests with the help of the new diaspora-federation gem [#6539](https://github.com/diaspora/diaspora/pull/6539)

 ## Bug fixes
 * Fix mention autocomplete when pasting the username [#6510](https://github.com/diaspora/diaspora/pull/6510)
 * Use and update updated\_at for notifications [#6573](https://github.com/diaspora/diaspora/pull/6573)
+* Ensure the author signature is checked when receiving a relayable [#6539](https://github.com/diaspora/diaspora/pull/6539) 

 ## Features


--- a/lib/diaspora/relayable.rb
+++ b/lib/diaspora/relayable.rb
@@ -69,6 +69,12 @@ module Diaspora
    def receive(user, person=nil)
      comment_or_like = self.class.where(guid: self.guid).first || self

+      unless comment_or_like.signature_valid?
+        logger.warn "event=receive status=abort reason='object signature not valid' recipient=#{user.diaspora_handle} "\
+                    "sender=#{parent.author.diaspora_handle} payload_type=#{self.class} parent_id=#{parent.id}"
+        return
+      end
+
      # Check to make sure the signature of the comment or like comes from the person claiming to author it
      unless comment_or_like.parent_author == user.person || comment_or_like.verify_parent_author_signature
        logger.warn "event=receive status=abort reason='object signature not valid' recipient=#{user.diaspora_handle} "\

--- a/spec/integration/federation/federation_messages_generation.rb
+++ b/spec/integration/federation/federation_messages_generation.rb
@@ -117,6 +117,13 @@ def generate_relayable_local_parent_wrong_author_key(entity_name)
  generate_relayable_local_parent(entity_name)
 end

+# Checks when a remote pod B wants to send us a relayable with authorship from a remote pod C user
+# without having correct signature from him.
+def generate_relayable_remote_parent_wrong_author_key(entity_name)
+  substitute_wrong_key(@remote_user2, 1)
+  generate_relayable_remote_parent(entity_name)
+end
+
 # Checks when a remote pod C wants to send us a relayable from its user, but bypassing the pod B where
 # remote status came from.
 def generate_relayable_remote_parent_wrong_parent_key(entity_name)

--- a/spec/integration/federation/shared_receive_relayable.rb
+++ b/spec/integration/federation/shared_receive_relayable.rb
@@ -21,6 +21,14 @@ shared_examples_for "it deals correctly with a relayable" do
    expect(received_entity.author.diaspora_handle).to eq(@remote_person2.diaspora_handle)
  end

+  it "rejects a downstream entity with a malformed author signature" do
+    Workers::ReceiveEncryptedSalmon.new.perform(
+      @user.id,
+      generate_relayable_remote_parent_wrong_author_key(entity_name)
+    )
+    expect(klass.exists?(guid: @entity.guid)).to be(false)
+  end
+
  it "declines downstream receive when sender signed with a wrong key" do
    Workers::ReceiveEncryptedSalmon.new.perform(
      @user.id,