From f8310114a6a4154118e54ebaac6f4a96941be4a6 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sat, 10 Nov 2018 12:04:09 +0000
Subject: [PATCH 1/3] activitypub: object view: sanitize both the activity and the object when an activity is given for rendering
---
 lib/pleroma/web/activity_pub/views/object_view.ex | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/pleroma/web/activity_pub/views/object_view.ex b/lib/pleroma/web/activity_pub/views/object_view.ex
index df734a871..1911ddfb7 100644
--- a/lib/pleroma/web/activity_pub/views/object_view.ex
+++ b/lib/pleroma/web/activity_pub/views/object_view.ex
@@ -1,11 +1,23 @@
 defmodule Pleroma.Web.ActivityPub.ObjectView do
 use Pleroma.Web, :view
+ alias Pleroma.{Object, Activity}
 alias Pleroma.Web.ActivityPub.Transmogrifier
- def render("object.json", %{object: object}) do
+ def render("object.json", %{object: %Object{} = object}) do
 base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
 additional = Transmogrifier.prepare_object(object.data)
 Map.merge(base, additional)
 end
+
+ def render("object.json", %{object: %Activity{} = activity}) do
+ base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
+ object = Object.normalize(activity.data["object"])
+
+ additional =
+ Transmogrifier.prepare_object(activity.data)
+ |> Map.put("object", Transmogrifier.prepare_object(object.data))
+
+ Map.merge(base, additional)
+ end
 end
From 97e50f3191f6ea8479729b639921180fcadccf73 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sat, 10 Nov 2018 12:08:53 +0000
Subject: [PATCH 2/3] activitypub: transmogrifier: sanitize internal representation details from outgoing objects
this causes JSON-LD parsers to get upset and has also lead to developer confusion from outside projects which tried to parse our internal data. accordingly, it seems better to just remove it.
---
 .../web/activity_pub/transmogrifier.ex | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
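Review bot: In the new `%Activity{}` clause of `render/2`, `object.data` is read directly after `Object.normalize(activity.data["object"])` with no check that an object was actually returned. `Object.normalize` is not part of this diff; if it can return `nil` (for example when the `"object"` reference has no locally stored object), this clause raises instead of rendering. Matching on the result makes the missing-object case explicit and still sends a found object through `prepare_object`. If the `"object"` value can be an embedded map that fails to normalize, the fallback branch must decide how to sanitize it rather than pass it through as is.

```elixir
def render("object.json", %{object: %Activity{} = activity}) do
  base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
  additional = Transmogrifier.prepare_object(activity.data)

  additional =
    case Object.normalize(activity.data["object"]) do
      %Object{} = object ->
        Map.put(additional, "object", Transmogrifier.prepare_object(object.data))

      _ ->
        # No stored object for this reference: keep the reference unchanged.
        additional
    end

  Map.merge(base, additional)
end
```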
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
index 6a0fdb433..d51d8626b 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@@ -589,6 +589,8 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
 |> prepare_attachments
 |> set_conversation
 |> set_reply_to_uri
+ |> strip_internal_fields
+ |> strip_internal_tags
 end
 # @doc
@@ -755,6 +757,29 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
 |> Map.put("attachment", attachments)
 end
+ defp strip_internal_fields(object) do
+ object
+ |> Map.drop([
+ "likes",
+ "like_count",
+ "announcements",
+ "announcement_count",
+ "emoji",
+ "context_id"
+ ])
+ end
+
+ defp strip_internal_tags(%{"tag" => tags} = object) do
+ tags =
+ tags
+ |> Enum.filter(fn x -> is_map(x) end)
+
+ object
+ |> Map.put("tag", tags)
+ end
+
+ defp strip_internal_tags(object), do: object
+
 defp user_upgrade_task(user) do
 old_follower_address = User.ap_followers(user)
From 69b8c0e299c9d4ec16bd056adf2fede326de7f69 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Sat, 10 Nov 2018 12:16:10 +0000
Subject: [PATCH 3/3] tests: add test for internal data stripping
---
 test/web/activity_pub/transmogrifier_test.exs | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index 6e4820dbc..0278ef5d1 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
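Review bot: `strip_internal_tags/1` in the -755 hunk matches any `"tag"` value and hands it to `Enum.filter/2`, so a non-list value is mishandled: a single tag stored as a map would be enumerated as key/value tuples and reduced to `[]`, and a binary would raise. Whether stored objects can carry a non-list `"tag"` is not visible in this diff; a guard such as `defp strip_internal_tags(%{"tag" => tags} = object) when is_list(tags) do` would let everything else fall through to the existing catch-all clause. `strip_internal_fields/1` is a denylist, so any internal key added to objects later will federate unless it is also listed here. A comment above the list, for example `# internal-only keys; extend this list when adding local bookkeeping fields`, would make that obligation visible. The same concern covers the two pipeline steps added in the -589 hunk, whose enclosing function starts outside that hunk.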
@@ -743,6 +743,39 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 assert modified["object"]["inReplyTo"] == "http://gs.example.org:4040/index.php/notice/29"
 end
+
+ test "it strips internal hashtag data" do
+ user = insert(:user)
+
+ {:ok, activity} = CommonAPI.post(user, %{"status" => "#2hu"})
+
+ expected_tag = %{
+ "href" => Pleroma.Web.Endpoint.url() <> "/tags/2hu",
+ "type" => "Hashtag",
+ "name" => "#2hu"
+ }
+
+ {:ok, modified} = Transmogrifier.prepare_outgoing(activity.data)
+
+ assert modified["object"]["tag"] == [expected_tag]
+ end
+
+ test "it strips internal fields" do
+ user = insert(:user)
+
+ {:ok, activity} = CommonAPI.post(user, %{"status" => "#2hu :moominmamma:"})
+
+ {:ok, modified} = Transmogrifier.prepare_outgoing(activity.data)
+
+ assert length(modified["object"]["tag"]) == 2
+
+ assert is_nil(modified["object"]["emoji"])
+ assert is_nil(modified["object"]["likes"])
+ assert is_nil(modified["object"]["like_count"])
+ assert is_nil(modified["object"]["announcements"])
+ assert is_nil(modified["object"]["announcement_count"])
+ assert is_nil(modified["object"]["context_id"])
+ end
 end
 describe "user upgrade" do
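Review bot: In "it strips internal fields", the `is_nil(...)` assertions pass for any key the freshly posted object never carried, so they may not prove that stripping happened. Whether `CommonAPI.post` sets `likes`, `like_count`, `announcements` or `announcement_count` is not visible in this diff. Asserting first that each key is present in the stored object data, or putting the keys into the data before calling `prepare_outgoing`, would make the test fail if `strip_internal_fields` were removed. `refute Map.has_key?(modified["object"], "likes")` is also stricter than `is_nil`, because a key left in place with a `nil` value would still be serialized. The new `%Activity{}` clause of `ObjectView.render/2` has no test in this series.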