MS IZ fixed a hole where another user could update another friends post

2010-11-02 13:58:27 -07:00 · 2010-11-02 13:58:27 -07:00 · 3251b8ba2e
commit 3251b8ba2e
parent c27cc719a2
2 changed files with 33 additions and 7 deletions
--- a/lib/diaspora/user/receiving.rb
+++ b/lib/diaspora/user/receiving.rb
@ -118,7 +118,7 @@ module Diaspora
          #you know about it, and it is not mutable
        #
        on_pod = exsists_on_pod?(post)
-        if on_pod 
+        if on_pod && on_pod.diaspora_handle == post.diaspora_handle 
          known_post = find_visible_post_by_id(post.id)
          if known_post 
            if known_post.mutable?
@ -129,8 +129,10 @@ module Diaspora
          elsif on_pod == post 
            update_user_refs_and_add_to_aspects(on_pod)
          end
-        else
+        elsif !on_pod 
          update_user_refs_and_add_to_aspects(post)
+        else
+          Rails.logger.info("#{post.diaspora_handle} is trying to update an exsisting object they do not own #{on_pod.inspect}")
        end
      end

--- a/spec/models/user/attack_vectors_spec.rb
+++ b/spec/models/user/attack_vectors_spec.rb
@ -17,11 +17,6 @@ describe "attack vectors" do
  let(:user3) { make_user }
  let(:aspect3) { user3.aspects.create(:name => 'heroes') }

-  before do
-    friend_users(user, aspect, user2, aspect2)
-    friend_users(user, aspect, user3, aspect3)
-  end
-
  context 'non-friend valid user' do
    
    it 'raises if receives post by non-friend' do
@ -41,7 +36,23 @@ describe "attack vectors" do

  end

+  it 'does not let a user attach to posts previously in the db unless its received from the author' do
+    friend_users(user, aspect, user3, aspect3)
+
+    original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
+
+    original_message.diaspora_handle = user.diaspora_handle
+    user3.receive_salmon(user.salmon(original_message).xml_for(user3.person))
+    user3.reload.visible_posts.should_not include(original_message)
+  end
+
  context 'malicious friend attack vector' do
+    before do
+      friend_users(user, aspect, user2, aspect2)
+      friend_users(user, aspect, user3, aspect3)
+    end
+
+
    it 'overwrites messages with a different user' do 
      original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id

@ -135,5 +146,18 @@ describe "attack vectors" do
    
      user.reload.friends.count.should == 2
    end
+
+    it 'does not let me update other persons post' do
+      original_message = user2.post :album, :name => 'store this!', :to => aspect2.id
+      user.receive_salmon(user2.salmon(original_message).xml_for(user.person))
+
+      original_message.diaspora_handle = user3.diaspora_handle
+      original_message.name = "bad bad bad"
+      xml = user3.salmon(original_message).xml_for(user.person)
+      user.receive_salmon(xml)
+
+      original_message.reload.name.should == "store this!"
+
+    end
  end
 end