diff options
author | ThibG <thib@sitedethib.com> | 2017-05-02 23:37:26 +0200 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-05-02 23:37:26 +0200 |
commit | bea97ea76638552e437a3b6d6f48040449849448 (patch) | |
tree | 27a328bd75ef87dce3a99ef44752397b7fb11d7f /spec | |
parent | 03f3223d72aeba7a58cdcd5f07dfe33559f5b8ec (diff) |
Add rspec to further specify FollowRemoteAccountService (#2414)
Diffstat (limited to 'spec')
-rw-r--r-- | spec/fixtures/requests/redirected.host-meta.txt | 15 | ||||
-rw-r--r-- | spec/fixtures/requests/webfinger-hacker1.txt | 11 | ||||
-rw-r--r-- | spec/fixtures/requests/webfinger-hacker2.txt | 11 | ||||
-rw-r--r-- | spec/services/follow_remote_account_service_spec.rb | 21 |
4 files changed, 58 insertions, 0 deletions
diff --git a/spec/fixtures/requests/redirected.host-meta.txt b/spec/fixtures/requests/redirected.host-meta.txt new file mode 100644 index 000000000..a4f731b0b --- /dev/null +++ b/spec/fixtures/requests/redirected.host-meta.txt @@ -0,0 +1,15 @@ +HTTP/1.1 200 OK +Server: nginx/1.6.2 +Date: Sun, 20 Mar 2016 11:11:00 GMT +Content-Type: application/xrd+xml +Transfer-Encoding: chunked +Connection: keep-alive +Access-Control-Allow-Origin: * +Vary: Accept-Encoding,Cookie +Strict-Transport-Security: max-age=31536000; includeSubdomains; + +<?xml version="1.0" encoding="UTF-8"?> +<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"> + <Link rel="lrdd" type="application/jrd+json" template="https://redirected.com/.well-known/webfinger?resource={uri}"/> + <Link rel="lrdd" type="application/json" template="https://redirected.com/.well-known/webfinger?resource={uri}"/> +</XRD> diff --git a/spec/fixtures/requests/webfinger-hacker1.txt b/spec/fixtures/requests/webfinger-hacker1.txt new file mode 100644 index 000000000..9567d4537 --- /dev/null +++ b/spec/fixtures/requests/webfinger-hacker1.txt @@ -0,0 +1,11 @@ +HTTP/1.1 200 OK +Server: nginx/1.6.2 +Date: Sun, 20 Mar 2016 11:13:16 GMT +Content-Type: application/jrd+json +Transfer-Encoding: chunked +Connection: keep-alive +Access-Control-Allow-Origin: * +Vary: Accept-Encoding,Cookie +Strict-Transport-Security: max-age=31536000; includeSubdomains; + +{"subject":"acct:gargron@quitter.no","aliases":["https:\/\/quitter.no\/user\/7477","https:\/\/quitter.no\/gargron","https:\/\/quitter.no\/index.php\/user\/7477","https:\/\/quitter.no\/index.php\/gargron"],"links":[{"rel":"http:\/\/webfinger.net\/rel\/profile-page","type":"text\/html","href":"https:\/\/quitter.no\/gargron"},{"rel":"http:\/\/gmpg.org\/xfn\/11","type":"text\/html","href":"https:\/\/quitter.no\/gargron"},{"rel":"describedby","type":"application\/rdf+xml","href":"https:\/\/quitter.no\/gargron\/foaf"},{"rel":"http:\/\/apinamespace.org\/atom","type":"application\/atomsvc+xml","href":"https:\/\/quitter.no\/api\/statusnet\/app\/service\/gargron.xml"},{"rel":"http:\/\/apinamespace.org\/twitter","href":"https:\/\/quitter.no\/api\/"},{"rel":"http:\/\/specs.openid.net\/auth\/2.0\/provider","href":"https:\/\/quitter.no\/gargron"},{"rel":"http:\/\/schemas.google.com\/g\/2010#updates-from","type":"application\/atom+xml","href":"https:\/\/quitter.no\/api\/statuses\/user_timeline\/7477.atom"},{"rel":"magic-public-key","href":"data:application\/magic-public-key,RSA.1ZBkHTavLvxH3FzlKv4O6WtlILKRFfNami3_Rcu8EuogtXSYiS-bB6hElZfUCSHbC4uLemOA34PEhz__CDMozax1iI_t8dzjDnh1x0iFSup7pSfW9iXk_WU3Dm74yWWW2jildY41vWgrEstuQ1dJ8vVFfSJ9T_tO4c-T9y8vDI8=.AQAB"},{"rel":"salmon","href":"https:\/\/hacker.com\/main\/salmon\/user\/7477"},{"rel":"http:\/\/salmon-protocol.org\/ns\/salmon-replies","href":"https:\/\/quitter.no\/main\/salmon\/user\/7477"},{"rel":"http:\/\/salmon-protocol.org\/ns\/salmon-mention","href":"https:\/\/quitter.no\/main\/salmon\/user\/7477"},{"rel":"http:\/\/ostatus.org\/schema\/1.0\/subscribe","template":"https:\/\/quitter.no\/main\/ostatussub?profile={uri}"}]} diff --git a/spec/fixtures/requests/webfinger-hacker2.txt b/spec/fixtures/requests/webfinger-hacker2.txt new file mode 100644 index 000000000..27efaa99e --- /dev/null +++ b/spec/fixtures/requests/webfinger-hacker2.txt @@ -0,0 +1,11 @@ +HTTP/1.1 200 OK +Server: nginx/1.6.2 +Date: Sun, 20 Mar 2016 11:13:16 GMT +Content-Type: application/jrd+json +Transfer-Encoding: chunked +Connection: keep-alive +Access-Control-Allow-Origin: * +Vary: Accept-Encoding,Cookie +Strict-Transport-Security: max-age=31536000; includeSubdomains; + +{"subject":"acct:catsrgr8@quitter.no","aliases":["https:\/\/quitter.no\/user\/7477","https:\/\/quitter.no\/gargron","https:\/\/quitter.no\/index.php\/user\/7477","https:\/\/quitter.no\/index.php\/gargron"],"links":[{"rel":"http:\/\/webfinger.net\/rel\/profile-page","type":"text\/html","href":"https:\/\/quitter.no\/gargron"},{"rel":"http:\/\/gmpg.org\/xfn\/11","type":"text\/html","href":"https:\/\/quitter.no\/gargron"},{"rel":"describedby","type":"application\/rdf+xml","href":"https:\/\/quitter.no\/gargron\/foaf"},{"rel":"http:\/\/apinamespace.org\/atom","type":"application\/atomsvc+xml","href":"https:\/\/quitter.no\/api\/statusnet\/app\/service\/gargron.xml"},{"rel":"http:\/\/apinamespace.org\/twitter","href":"https:\/\/quitter.no\/api\/"},{"rel":"http:\/\/specs.openid.net\/auth\/2.0\/provider","href":"https:\/\/quitter.no\/gargron"},{"rel":"http:\/\/schemas.google.com\/g\/2010#updates-from","type":"application\/atom+xml","href":"https:\/\/quitter.no\/api\/statuses\/user_timeline\/7477.atom"},{"rel":"magic-public-key","href":"data:application\/magic-public-key,RSA.1ZBkHTavLvxH3FzlKv4O6WtlILKRFfNami3_Rcu8EuogtXSYiS-bB6hElZfUCSHbC4uLemOA34PEhz__CDMozax1iI_t8dzjDnh1x0iFSup7pSfW9iXk_WU3Dm74yWWW2jildY41vWgrEstuQ1dJ8vVFfSJ9T_tO4c-T9y8vDI8=.AQAB"},{"rel":"salmon","href":"https:\/\/quitter.no\/main\/salmon\/user\/7477"},{"rel":"http:\/\/salmon-protocol.org\/ns\/salmon-replies","href":"https:\/\/quitter.no\/main\/salmon\/user\/7477"},{"rel":"http:\/\/salmon-protocol.org\/ns\/salmon-mention","href":"https:\/\/quitter.no\/main\/salmon\/user\/7477"},{"rel":"http:\/\/ostatus.org\/schema\/1.0\/subscribe","template":"https:\/\/quitter.no\/main\/ostatussub?profile={uri}"}]} diff --git a/spec/services/follow_remote_account_service_spec.rb b/spec/services/follow_remote_account_service_spec.rb index 66e9eb6c9..f087bc4bc 100644 --- a/spec/services/follow_remote_account_service_spec.rb +++ b/spec/services/follow_remote_account_service_spec.rb @@ -6,8 +6,12 @@ RSpec.describe FollowRemoteAccountService do before do stub_request(:get, "https://quitter.no/.well-known/host-meta").to_return(request_fixture('.host-meta.txt')) stub_request(:get, "https://example.com/.well-known/webfinger?resource=acct:catsrgr8@example.com").to_return(status: 404) + stub_request(:get, "https://redirected.com/.well-known/host-meta").to_return(request_fixture('redirected.host-meta.txt')) stub_request(:get, "https://example.com/.well-known/host-meta").to_return(status: 404) stub_request(:get, "https://quitter.no/.well-known/webfinger?resource=acct:gargron@quitter.no").to_return(request_fixture('webfinger.txt')) + stub_request(:get, "https://redirected.com/.well-known/webfinger?resource=acct:gargron@redirected.com").to_return(request_fixture('webfinger.txt')) + stub_request(:get, "https://redirected.com/.well-known/webfinger?resource=acct:hacker1@redirected.com").to_return(request_fixture('webfinger-hacker1.txt')) + stub_request(:get, "https://redirected.com/.well-known/webfinger?resource=acct:hacker2@redirected.com").to_return(request_fixture('webfinger-hacker2.txt')) stub_request(:get, "https://quitter.no/.well-known/webfinger?resource=acct:catsrgr8@quitter.no").to_return(status: 404) stub_request(:get, "https://quitter.no/api/statuses/user_timeline/7477.atom").to_return(request_fixture('feed.txt')) stub_request(:get, "https://quitter.no/avatar/7477-300-20160211190340.png").to_return(request_fixture('avatar.txt')) @@ -35,4 +39,21 @@ RSpec.describe FollowRemoteAccountService do expect(account.domain).to eq 'quitter.no' expect(account.remote_url).to eq 'https://quitter.no/api/statuses/user_timeline/7477.atom' end + + it 'follows a legitimate account redirection' do + account = subject.call('gargron@redirected.com') + + expect(account.username).to eq 'gargron' + expect(account.domain).to eq 'quitter.no' + expect(account.remote_url).to eq 'https://quitter.no/api/statuses/user_timeline/7477.atom' + end + + it 'prevents hijacking existing accounts' do + account = subject.call('hacker1@redirected.com') + expect(account.salmon_url).to_not eq 'https://hacker.com/main/salmon/user/7477' + end + + it 'prevents hijacking inexisting accounts' do + expect { subject.call('hacker2@redirected.com') }.to raise_error Goldfinger::Error + end end |