mirror of https://github.com/mastodon/mastodon
Fix webfinger redirect handling in ResolveAccountService (#15187)
* Fix webfinger redirect handling in ResolveAccountService ResolveAccountService#process_webfinger! handled a one-step webfinger redirection, but only accepting the result if it matched the exact URI passed as input, defeating the point of a redirection check. Instead, use the same logic as in `ActivityPub::FetchRemoteAccountService`, updating the resulting `acct:` URI with the result of the first webfinger query. * Add tests
This commit is contained in:
parent
96c1e71329
commit
8b8004a962
|
@ -29,6 +29,7 @@ class ResolveAccountService < BaseService
|
||||||
# At this point we are in need of a Webfinger query, which may
|
# At this point we are in need of a Webfinger query, which may
|
||||||
# yield us a different username/domain through a redirect
|
# yield us a different username/domain through a redirect
|
||||||
process_webfinger!(@uri)
|
process_webfinger!(@uri)
|
||||||
|
@domain = nil if TagManager.instance.local_domain?(@domain)
|
||||||
|
|
||||||
# Because the username/domain pair may be different than what
|
# Because the username/domain pair may be different than what
|
||||||
# we already checked, we need to check if we've already got
|
# we already checked, we need to check if we've already got
|
||||||
|
@ -78,25 +79,31 @@ class ResolveAccountService < BaseService
|
||||||
@uri = [@username, @domain].compact.join('@')
|
@uri = [@username, @domain].compact.join('@')
|
||||||
end
|
end
|
||||||
|
|
||||||
def process_webfinger!(uri, redirected = false)
|
def process_webfinger!(uri)
|
||||||
@webfinger = webfinger!("acct:#{uri}")
|
@webfinger = webfinger!("acct:#{uri}")
|
||||||
confirmed_username, confirmed_domain = @webfinger.subject.gsub(/\Aacct:/, '').split('@')
|
confirmed_username, confirmed_domain = split_acct(@webfinger.subject)
|
||||||
|
|
||||||
if confirmed_username.casecmp(@username).zero? && confirmed_domain.casecmp(@domain).zero?
|
if confirmed_username.casecmp(@username).zero? && confirmed_domain.casecmp(@domain).zero?
|
||||||
@username = confirmed_username
|
@username = confirmed_username
|
||||||
@domain = confirmed_domain
|
@domain = confirmed_domain
|
||||||
@uri = uri
|
return
|
||||||
elsif !redirected
|
|
||||||
return process_webfinger!("#{confirmed_username}@#{confirmed_domain}", true)
|
|
||||||
else
|
|
||||||
raise Webfinger::RedirectError, "The URI #{uri} tries to hijack #{@username}@#{@domain}"
|
|
||||||
end
|
end
|
||||||
|
|
||||||
@domain = nil if TagManager.instance.local_domain?(@domain)
|
# Account doesn't match, so it may have been redirected
|
||||||
|
@webfinger = webfinger!("acct:#{confirmed_username}@#{confirmed_domain}")
|
||||||
|
@username, @domain = split_acct(@webfinger.subject)
|
||||||
|
|
||||||
|
unless confirmed_username.casecmp(@username).zero? && confirmed_domain.casecmp(@domain).zero?
|
||||||
|
raise Webfinger::RedirectError, "The URI #{uri} tries to hijack #{@username}@#{@domain}"
|
||||||
|
end
|
||||||
rescue Webfinger::GoneError
|
rescue Webfinger::GoneError
|
||||||
@gone = true
|
@gone = true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def split_acct(acct)
|
||||||
|
acct.gsub(/\Aacct:/, '').split('@')
|
||||||
|
end
|
||||||
|
|
||||||
def process_account!
|
def process_account!
|
||||||
return unless activitypub_ready?
|
return unless activitypub_ready?
|
||||||
|
|
||||||
|
|
|
@ -4,11 +4,8 @@ RSpec.describe ResolveAccountService, type: :service do
|
||||||
subject { described_class.new }
|
subject { described_class.new }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
stub_request(:get, "https://quitter.no/.well-known/host-meta").to_return(request_fixture('.host-meta.txt'))
|
|
||||||
stub_request(:get, "https://example.com/.well-known/webfinger?resource=acct:catsrgr8@example.com").to_return(status: 404)
|
|
||||||
stub_request(:get, "https://example.com/.well-known/host-meta").to_return(status: 404)
|
stub_request(:get, "https://example.com/.well-known/host-meta").to_return(status: 404)
|
||||||
stub_request(:get, "https://quitter.no/avatar/7477-300-20160211190340.png").to_return(request_fixture('avatar.txt'))
|
stub_request(:get, "https://quitter.no/avatar/7477-300-20160211190340.png").to_return(request_fixture('avatar.txt'))
|
||||||
stub_request(:get, "https://quitter.no/.well-known/webfinger?resource=acct:catsrgr8@quitter.no").to_return(status: 404)
|
|
||||||
stub_request(:get, "https://ap.example.com/.well-known/webfinger?resource=acct:foo@ap.example.com").to_return(request_fixture('activitypub-webfinger.txt'))
|
stub_request(:get, "https://ap.example.com/.well-known/webfinger?resource=acct:foo@ap.example.com").to_return(request_fixture('activitypub-webfinger.txt'))
|
||||||
stub_request(:get, "https://ap.example.com/users/foo").to_return(request_fixture('activitypub-actor.txt'))
|
stub_request(:get, "https://ap.example.com/users/foo").to_return(request_fixture('activitypub-actor.txt'))
|
||||||
stub_request(:get, "https://ap.example.com/users/foo.atom").to_return(request_fixture('activitypub-feed.txt'))
|
stub_request(:get, "https://ap.example.com/users/foo.atom").to_return(request_fixture('activitypub-feed.txt'))
|
||||||
|
@ -16,12 +13,25 @@ RSpec.describe ResolveAccountService, type: :service do
|
||||||
stub_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:hoge@example.com').to_return(status: 410)
|
stub_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:hoge@example.com').to_return(status: 410)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns nil if no such user can be resolved via webfinger' do
|
context 'when there is an LRDD endpoint but no resolvable account' do
|
||||||
expect(subject.call('catsrgr8@quitter.no')).to be_nil
|
before do
|
||||||
|
stub_request(:get, "https://quitter.no/.well-known/host-meta").to_return(request_fixture('.host-meta.txt'))
|
||||||
|
stub_request(:get, "https://quitter.no/.well-known/webfinger?resource=acct:catsrgr8@quitter.no").to_return(status: 404)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns nil' do
|
||||||
|
expect(subject.call('catsrgr8@quitter.no')).to be_nil
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns nil if the domain does not have webfinger' do
|
context 'when there is no LRDD endpoint nor resolvable account' do
|
||||||
expect(subject.call('catsrgr8@example.com')).to be_nil
|
before do
|
||||||
|
stub_request(:get, "https://example.com/.well-known/webfinger?resource=acct:catsrgr8@example.com").to_return(status: 404)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns nil' do
|
||||||
|
expect(subject.call('catsrgr8@example.com')).to be_nil
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when webfinger returns http gone' do
|
context 'when webfinger returns http gone' do
|
||||||
|
@ -48,6 +58,34 @@ RSpec.describe ResolveAccountService, type: :service do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with a legitimate webfinger redirection' do
|
||||||
|
before do
|
||||||
|
webfinger = { subject: 'acct:foo@ap.example.com', links: [{ rel: 'self', href: 'https://ap.example.com/users/foo' }] }
|
||||||
|
stub_request(:get, 'https://redirected.example.com/.well-known/webfinger?resource=acct:Foo@redirected.example.com').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns new remote account' do
|
||||||
|
account = subject.call('Foo@redirected.example.com')
|
||||||
|
|
||||||
|
expect(account.activitypub?).to eq true
|
||||||
|
expect(account.acct).to eq 'foo@ap.example.com'
|
||||||
|
expect(account.inbox_url).to eq 'https://ap.example.com/users/foo/inbox'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with too many webfinger redirections' do
|
||||||
|
before do
|
||||||
|
webfinger = { subject: 'acct:foo@evil.example.com', links: [{ rel: 'self', href: 'https://ap.example.com/users/foo' }] }
|
||||||
|
stub_request(:get, 'https://redirected.example.com/.well-known/webfinger?resource=acct:Foo@redirected.example.com').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
|
||||||
|
webfinger2 = { subject: 'acct:foo@ap.example.com', links: [{ rel: 'self', href: 'https://ap.example.com/users/foo' }] }
|
||||||
|
stub_request(:get, 'https://evil.example.com/.well-known/webfinger?resource=acct:foo@evil.example.com').to_return(body: Oj.dump(webfinger2), headers: { 'Content-Type': 'application/jrd+json' })
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns new remote account' do
|
||||||
|
expect { subject.call('Foo@redirected.example.com') }.to raise_error Webfinger::RedirectError
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context 'with an ActivityPub account' do
|
context 'with an ActivityPub account' do
|
||||||
it 'returns new remote account' do
|
it 'returns new remote account' do
|
||||||
account = subject.call('foo@ap.example.com')
|
account = subject.call('foo@ap.example.com')
|
||||||
|
|
Loading…
Reference in New Issue