Merge pull request #1715 from ClearlyClaire/glitch-soc/merge-upstream

Merge upstream changes

2 files changed, 146 insertions, 11 deletions

diff --git a/spec/services/activitypub/process_collection_service_spec.rb b/spec/services/activitypub/process_collection_service_spec.rb
index 00d71a86a..3eccaab5b 100644
--- a/spec/services/activitypub/process_collection_service_spec.rb
+++ b/spec/services/activitypub/process_collection_service_spec.rb
@@ -91,6 +91,146 @@ RSpec.describe ActivityPub::ProcessCollectionService, type: :service do
 
         subject.call(json, forwarder)
       end
+
+      context 'when receiving a fabricated status' do
+        let!(:actor) do
+          Fabricate(:account,
+            username: 'bob',
+            domain: 'example.com',
+            uri: 'https://example.com/users/bob',
+            public_key: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuuYyoyfsRkYnXRotMsId\nW3euBDDfiv9oVqOxUVC7bhel8KednIMrMCRWFAkgJhbrlzbIkjVr68o1MP9qLcn7\nCmH/BXHp7yhuFTr4byjdJKpwB+/i2jNEsvDH5jR8WTAeTCe0x/QHg21V3F7dSI5m\nCCZ/1dSIyOXLRTWVlfDlm3rE4ntlCo+US3/7oSWbg/4/4qEnt1HC32kvklgScxua\n4LR5ATdoXa5bFoopPWhul7MJ6NyWCyQyScUuGdlj8EN4kmKQJvphKHrI9fvhgOuG\nTvhTR1S5InA4azSSchY0tXEEw/VNxraeX0KPjbgr6DPcwhPd/m0nhVDq0zVyVBBD\nMwIDAQAB\n-----END PUBLIC KEY-----\n",
+            private_key: nil)
+        end
+
+        let(:payload) do
+          {
+            '@context': [
+              'https://www.w3.org/ns/activitystreams',
+              nil,
+              {'object': 'https://www.w3.org/ns/activitystreams#object'}
+            ],
+            'id': 'https://example.com/users/bob/fake-status/activity',
+            'type': 'Create',
+            'actor': 'https://example.com/users/bob',
+            'published': '2022-01-22T15:00:00Z',
+            'to': [
+              'https://www.w3.org/ns/activitystreams#Public'
+            ],
+            'cc': [
+              'https://example.com/users/bob/followers'
+            ],
+            'signature': {
+              'type': 'RsaSignature2017',
+              'creator': 'https://example.com/users/bob#main-key',
+              'created': '2022-03-09T21:57:25Z',
+              'signatureValue': 'WculK0LelTQ0MvGwU9TPoq5pFzFfGYRDCJqjZ232/Udj4CHqDTGOSw5UTDLShqBOyycCkbZGrQwXG+dpyDpQLSe1UVPZ5TPQtc/9XtI57WlS2nMNpdvRuxGnnb2btPdesXZ7n3pCxo0zjaXrJMe0mqQh5QJO22mahb4bDwwmfTHgbD3nmkD+fBfGi+UV2qWwqr+jlV4L4JqNkh0gWljF5KTePLRRZCuWiQ/FAt7c67636cdIPf7fR+usjuZltTQyLZKEGuK8VUn2Gkfsx5qns7Vcjvlz1JqlAjyO8HPBbzTTHzUG2nUOIgC3PojCSWv6mNTmRGoLZzOscCAYQA6cKw=='
+            },
+            '@id': 'https://example.com/users/bob/statuses/107928807471117876/activity',
+            '@type': 'https://www.w3.org/ns/activitystreams#Create',
+            'https://www.w3.org/ns/activitystreams#actor': {
+              '@id': 'https://example.com/users/bob'
+            },
+            'https://www.w3.org/ns/activitystreams#cc': {
+              '@id': 'https://example.com/users/bob/followers'
+            },
+            'object': {
+              'id': 'https://example.com/users/bob/fake-status',
+              'type': 'Note',
+              'published': '2022-01-22T15:00:00Z',
+              'url': 'https://www.youtube.com/watch?v=dQw4w9WgXcQ&feature=puck-was-here',
+              'attributedTo': 'https://example.com/users/bob',
+              'to': [
+                'https://www.w3.org/ns/activitystreams#Public'
+              ],
+              'cc': [
+                'https://example.com/users/bob/followers'
+              ],
+              'sensitive': false,
+              'atomUri': 'https://example.com/users/bob/fake-status',
+              'conversation': 'tag:example.com,2022-03-09:objectId=15:objectType=Conversation',
+              'content': '<p>puck was here</p>',
+
+              '@id': 'https://example.com/users/bob/statuses/107928807471117876',
+              '@type': 'https://www.w3.org/ns/activitystreams#Note',
+              'http://ostatus.org#atomUri': 'https://example.com/users/bob/statuses/107928807471117876',
+              'http://ostatus.org#conversation': 'tag:example.com,2022-03-09:objectId=15:objectType=Conversation',
+              'https://www.w3.org/ns/activitystreams#attachment': [],
+              'https://www.w3.org/ns/activitystreams#attributedTo': {
+                '@id': 'https://example.com/users/bob'
+              },
+              'https://www.w3.org/ns/activitystreams#cc': {
+                '@id': 'https://example.com/users/bob/followers'
+              },
+              'https://www.w3.org/ns/activitystreams#content': [
+                '<p>hello world</p>',
+                {
+                  '@value': '<p>hello world</p>',
+                  '@language': 'en'
+                }
+              ],
+              'https://www.w3.org/ns/activitystreams#published': {
+                '@type': 'http://www.w3.org/2001/XMLSchema#dateTime',
+                '@value': '2022-03-09T21:55:07Z'
+              },
+              'https://www.w3.org/ns/activitystreams#replies': {
+                '@id': 'https://example.com/users/bob/statuses/107928807471117876/replies',
+                '@type': 'https://www.w3.org/ns/activitystreams#Collection',
+                'https://www.w3.org/ns/activitystreams#first': {
+                  '@type': 'https://www.w3.org/ns/activitystreams#CollectionPage',
+                  'https://www.w3.org/ns/activitystreams#items': [],
+                  'https://www.w3.org/ns/activitystreams#next': {
+                    '@id': 'https://example.com/users/bob/statuses/107928807471117876/replies?only_other_accounts=true&page=true'
+                  },
+                  'https://www.w3.org/ns/activitystreams#partOf': {
+                    '@id': 'https://example.com/users/bob/statuses/107928807471117876/replies'
+                  }
+                }
+              },
+              'https://www.w3.org/ns/activitystreams#sensitive': false,
+              'https://www.w3.org/ns/activitystreams#tag': [],
+              'https://www.w3.org/ns/activitystreams#to': {
+                '@id': 'https://www.w3.org/ns/activitystreams#Public'
+              },
+              'https://www.w3.org/ns/activitystreams#url': {
+                '@id': 'https://example.com/@bob/107928807471117876'
+              }
+            },
+            'https://www.w3.org/ns/activitystreams#published': {
+              '@type': 'http://www.w3.org/2001/XMLSchema#dateTime',
+              '@value': '2022-03-09T21:55:07Z'
+            },
+            'https://www.w3.org/ns/activitystreams#to': {
+              '@id': 'https://www.w3.org/ns/activitystreams#Public'
+            }
+          }
+        end
+
+        it 'does not process forged payload' do
+          expect(ActivityPub::Activity).not_to receive(:factory).with(
+            hash_including(
+              'object' => hash_including(
+                'id' => 'https://example.com/users/bob/fake-status'
+              )
+            ),
+            anything(),
+            anything()
+          )
+
+          expect(ActivityPub::Activity).not_to receive(:factory).with(
+            hash_including(
+              'object' => hash_including(
+                'content' => '<p>puck was here</p>'
+              )
+            ),
+            anything(),
+            anything()
+          )
+
+          subject.call(json, forwarder)
+
+          expect(Status.where(uri: 'https://example.com/users/bob/fake-status').exists?).to be false
+        end
+      end
     end
   end
 end
diff --git a/spec/services/activitypub/process_status_update_service_spec.rb b/spec/services/activitypub/process_status_update_service_spec.rb
index 6ee1dcb43..40b405217 100644
--- a/spec/services/activitypub/process_status_update_service_spec.rb
+++ b/spec/services/activitypub/process_status_update_service_spec.rb
@@ -124,7 +124,7 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService, type: :service do
       end
 
       it 'updates media attachments' do
-        media_attachment = status.media_attachments.reload.first
+        media_attachment = status.reload.ordered_media_attachments.first
 
         expect(media_attachment).to_not be_nil
         expect(media_attachment.remote_url).to eq 'https://example.com/foo.png'
@@ -135,7 +135,7 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService, type: :service do
       end
 
       it 'records media change in edit' do
-        expect(status.edits.reload.last.media_attachments_changed).to be true
+        expect(status.edits.reload.last.ordered_media_attachment_ids).to_not be_empty
       end
     end
 
@@ -173,11 +173,11 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService, type: :service do
       end
 
       it 'updates media attachments' do
-        expect(status.media_attachments.reload.map(&:remote_url)).to eq %w(https://example.com/foo.png)
+        expect(status.ordered_media_attachments.map(&:remote_url)).to eq %w(https://example.com/foo.png)
       end
 
       it 'records media change in edit' do
-        expect(status.edits.reload.last.media_attachments_changed).to be true
+        expect(status.edits.reload.last.ordered_media_attachment_ids).to_not be_empty
       end
     end
 
@@ -193,7 +193,7 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService, type: :service do
       end
 
       it 'records media change in edit' do
-        expect(status.edits.reload.last.media_attachments_changed).to be true
+        expect(status.edits.reload.last.poll_options).to be_nil
       end
     end
 
@@ -226,7 +226,7 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService, type: :service do
       end
 
       it 'records media change in edit' do
-        expect(status.edits.reload.last.media_attachments_changed).to be true
+        expect(status.edits.reload.last.poll_options).to eq %w(Foo Bar Baz)
       end
     end
 
@@ -239,10 +239,5 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService, type: :service do
       subject.call(status, json)
       expect(status.reload.edited_at.to_s).to eq '2021-09-08 22:39:25 UTC'
     end
-
-    it 'records that no media has been changed in edit' do
-      subject.call(status, json)
-      expect(status.edits.reload.last.media_attachments_changed).to be false
-    end
   end
 end