Change signature verification to ignore signatures with invalid host (#13033)

author Eugen Rochko <eugen@zeonfederated.com>

Mon, 3 Feb 2020 16:48:23 +0000 (17:48 +0100)

committer GitHub <noreply@github.com>

Mon, 3 Feb 2020 16:48:23 +0000 (17:48 +0100)
author Eugen Rochko <eugen@zeonfederated.com>
Mon, 3 Feb 2020 16:48:23 +0000 (17:48 +0100)
committer GitHub <noreply@github.com>
Mon, 3 Feb 2020 16:48:23 +0000 (17:48 +0100)
diff --git a/app/controllers/concerns/signature_verification.rb b/app/controllers/concerns/signature_verification.rb

index ce353f1deefcccaf4df775ef3c52a56ab3e0b77f..10efbf2e0b8befbc997294d4076c06c8732338ed 100644 (file)
--- a/app/controllers/concerns/signature_verification.rb
+++ b/app/controllers/concerns/signature_verification.rb
@@ -160,6 +160,8 @@ module SignatureVerification
        account ||= stoplight_wrap_request { ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false) }
        account
      end
+  rescue Mastodon::HostValidationError
+    nil
    end
  
    def stoplight_wrap_request(&block)
diff --git a/spec/controllers/concerns/signature_verification_spec.rb b/spec/controllers/concerns/signature_verification_spec.rb

index 1fa19f54d78df7d69b5d0b71268e1a3e492d30b5..05fb1445b1a6fbf3eb73a8a2d7ad20261ca8e8ca 100644 (file)
--- a/spec/controllers/concerns/signature_verification_spec.rb
+++ b/spec/controllers/concerns/signature_verification_spec.rb
@@ -97,6 +97,33 @@ describe ApplicationController, type: :controller do
        end
      end
  
+    context 'with inaccessible key' do
+      before do
+        get :success
+
+        author = Fabricate(:account, domain: 'localhost:5000', uri: 'http://localhost:5000/actor')
+        fake_request = Request.new(:get, request.url)
+        fake_request.on_behalf_of(author)
+        author.destroy
+
+        request.headers.merge!(fake_request.headers)
+
+        stub_request(:get, 'http://localhost:5000/actor#main-key').to_raise(Mastodon::HostValidationError)
+      end
+
+      describe '#signed_request?' do
+        it 'returns true' do
+          expect(controller.signed_request?).to be true
+        end
+      end
+
+      describe '#signed_request_account' do
+        it 'returns nil' do
+          expect(controller.signed_request_account).to be_nil
+        end
+      end
+    end
+
      context 'with body' do
        before do
          post :success, body: 'Hello world'
author	Eugen Rochko <eugen@zeonfederated.com>
	Mon, 3 Feb 2020 16:48:23 +0000 (17:48 +0100)
committer	GitHub <noreply@github.com>
	Mon, 3 Feb 2020 16:48:23 +0000 (17:48 +0100)
app/controllers/concerns/signature_verification.rb		patch \| blob \| history
spec/controllers/concerns/signature_verification_spec.rb		patch \| blob \| history