nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

MS IZ fixed a hole where another user could update another friends post

Browse source
This commit is contained in:
maxwell 2010-11-02 13:58:27 -07:00
parent c27cc719a2
commit 3251b8ba2e
2 changed files with 33 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/diaspora/user/receiving.rb
View file

@ -118,7 +118,7 @@ module Diaspora
#you know about it, and it is not mutable #you know about it, and it is not mutable
# #
on_pod = exsists_on_pod?(post) on_pod = exsists_on_pod?(post)
if on_pod if on_pod && on_pod.diaspora_handle == post.diaspora_handle
known_post = find_visible_post_by_id(post.id) known_post = find_visible_post_by_id(post.id)
if known_post if known_post
if known_post.mutable? if known_post.mutable?
@ -129,8 +129,10 @@ module Diaspora
elsif on_pod == post elsif on_pod == post
update_user_refs_and_add_to_aspects(on_pod) update_user_refs_and_add_to_aspects(on_pod)
end end
else elsif !on_pod
update_user_refs_and_add_to_aspects(post) update_user_refs_and_add_to_aspects(post)
else
Rails.logger.info("#{post.diaspora_handle} is trying to update an exsisting object they do not own #{on_pod.inspect}")
end end
end end

34
spec/models/user/attack_vectors_spec.rb
View file

@ -17,11 +17,6 @@ describe "attack vectors" do
let(:user3) { make_user } let(:user3) { make_user }
let(:aspect3) { user3.aspects.create(:name => 'heroes') } let(:aspect3) { user3.aspects.create(:name => 'heroes') }
before do
friend_users(user, aspect, user2, aspect2)
friend_users(user, aspect, user3, aspect3)
end
context 'non-friend valid user' do context 'non-friend valid user' do
it 'raises if receives post by non-friend' do it 'raises if receives post by non-friend' do
@ -41,7 +36,23 @@ describe "attack vectors" do
end end
it 'does not let a user attach to posts previously in the db unless its received from the author' do
friend_users(user, aspect, user3, aspect3)
original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
original_message.diaspora_handle = user.diaspora_handle
user3.receive_salmon(user.salmon(original_message).xml_for(user3.person))
user3.reload.visible_posts.should_not include(original_message)
end
context 'malicious friend attack vector' do context 'malicious friend attack vector' do
before do
friend_users(user, aspect, user2, aspect2)
friend_users(user, aspect, user3, aspect3)
end
it 'overwrites messages with a different user' do it 'overwrites messages with a different user' do
original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
@ -135,5 +146,18 @@ describe "attack vectors" do
user.reload.friends.count.should == 2 user.reload.friends.count.should == 2
end end
it 'does not let me update other persons post' do
original_message = user2.post :album, :name => 'store this!', :to => aspect2.id
user.receive_salmon(user2.salmon(original_message).xml_for(user.person))
original_message.diaspora_handle = user3.diaspora_handle
original_message.name = "bad bad bad"
xml = user3.salmon(original_message).xml_for(user.person)
user.receive_salmon(xml)
original_message.reload.name.should == "store this!"
end
end end
end end