nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

slight refactor of receiving spec, wrote a spec that exposed malicious friend attack

Browse source 
vector
This commit is contained in:
ilya 2010-10-09 21:34:30 -07:00
parent c646db956e
commit 3887712115
3 changed files with 141 additions and 83 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
spec/models/user/attack_vectors_spec.rb Normal file
View file

@ -0,0 +1,64 @@
# Copyright (c) 2010, Diaspora Inc. This file is
# licensed under the Affero General Public License version 3 or later. See
# the COPYRIGHT file.
require 'spec_helper'
describe User do
let(:user) { Factory(:user) }
let(:aspect) { user.aspect(:name => 'heroes') }
let(:user2) { Factory(:user) }
let(:aspect2) { user2.aspect(:name => 'losers') }
let(:user3) { Factory(:user) }
let(:aspect3) { user3.aspect(:name => 'heroes') }
before do
friend_users(user, aspect, user2, aspect2)
friend_users(user, aspect, user3, aspect3)
end
context 'malicious friend attack vector' do
it 'ovewrites messages with a different user' do
original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
user.receive_salmon(user2.salmon(original_message).xml_for(user.person))
user.raw_visible_posts.count.should be 1
malicious_message = Factory.build( :status_message, :id => original_message.id, :message => 'BAD!!!', :person => user3.person)
user.receive_salmon(user3.salmon(malicious_message).xml_for(user.person))
user.raw_visible_posts.count.should be 1
user.raw_visible_posts.first.message.should == "store this!"
end
it 'ovewrites messages which apear to ' do
original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
user.receive_salmon(user2.salmon(original_message).xml_for(user.person))
user.raw_visible_posts.count.should be 1
malicious_message = Factory.build( :status_message, :id => original_message.id, :message => 'BAD!!!', :person => user2.person)
user.receive_salmon(user3.salmon(malicious_message).xml_for(user.person))
user.raw_visible_posts.count.should be 1
user.raw_visible_posts.first.message.should == "store this!"
end
it 'overites another persons profile' do
profile = user2.profile.clone
profile.first_name = "Not BOB"
user2.reload
user2.profile.first_name.should == "Robert"
user.receive_salmon(user3.salmon(profile).xml_for(user.person))
user2.reload
user2.profile.first_name.should == "Robert"
end
it 'overwrites requests' do
pending
end
end
end

158
spec/models/user/receive_spec.rb
View file

@ -6,108 +6,105 @@ require 'spec_helper'
describe User do describe User do
let(:user) { Factory(:user) }
let(:aspect) { user.aspect(:name => 'heroes') }
let(:user2) { Factory(:user) }
let(:aspect2) { user2.aspect(:name => 'losers') }
let(:user3) { Factory(:user) }
let(:aspect3) { user3.aspect(:name => 'heroes') }
before do before do
@user = Factory.create :user friend_users(user, aspect, user2, aspect2)
@aspect = @user.aspect(:name => 'heroes') friend_users(user, aspect, user3, aspect3)
@user2 = Factory.create(:user)
@aspect2 = @user2.aspect(:name => 'losers')
@user3 = Factory.create(:user)
@aspect3 = @user3.aspect(:name => 'heroes')
friend_users(@user, @aspect, @user2, @aspect2)
end end
it 'should be able to parse and store a status message from xml' do it 'should be able to parse and store a status message from xml' do
status_message = @user2.post :status_message, :message => 'store this!', :to => @aspect2.id status_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
person = @user2.person person = user2.person
xml = status_message.to_diaspora_xml xml = status_message.to_diaspora_xml
@user2.destroy user2.destroy
status_message.destroy status_message.destroy
StatusMessage.all.size.should == 0 StatusMessage.all.size.should == 0
@user.receive( xml ) user.receive( xml )
Post.all(:person_id => person.id).first.message.should == 'store this!' Post.all(:person_id => person.id).first.message.should == 'store this!'
StatusMessage.all.size.should == 1 StatusMessage.all.size.should == 1
end end
it 'should not create new aspects on message receive' do it 'should not create new aspects on message receive' do
num_aspects = @user.aspects.size num_aspects = user.aspects.size
(0..5).each{ |n| (0..5).each{ |n|
status_message = @user2.post :status_message, :message => "store this #{n}!", :to => @aspect2.id status_message = user2.post :status_message, :message => "store this #{n}!", :to => aspect2.id
xml = status_message.to_diaspora_xml xml = status_message.to_diaspora_xml
@user.receive( xml ) user.receive( xml )
} }
@user.aspects.size.should == num_aspects user.aspects.size.should == num_aspects
end end
describe 'post refs' do describe 'post refs' do
before do
end
it "should add a received post to the aspect and visible_posts array" do it "should add a received post to the aspect and visible_posts array" do
status_message = @user.post :status_message, :message => "hi", :to => @aspect.id status_message = user.post :status_message, :message => "hi", :to =>aspect.id
@user.reload user.reload
salmon = @user.salmon(status_message).xml_for @user2.person salmon = user.salmon(status_message).xml_for user2.person
@user2.receive_salmon salmon user2.receive_salmon salmon
@user2.reload user2.reload
@user2.raw_visible_posts.include?(status_message).should be true user2.raw_visible_posts.include?(status_message).should be true
@aspect2.reload aspect2.reload
@aspect2.posts.include?(status_message).should be_true aspect2.posts.include?(status_message).should be_true
end end
it 'should be removed on unfriending' do it 'should be removed on unfriending' do
status_message = @user2.post :status_message, :message => "hi", :to => @aspect2.id status_message = user2.post :status_message, :message => "hi", :to => aspect2.id
@user.receive status_message.to_diaspora_xml user.receive status_message.to_diaspora_xml
@user.reload user.reload
@user.raw_visible_posts.count.should == 1 user.raw_visible_posts.count.should == 1
@user.unfriend(@user2.person) user.unfriend(user2.person)
@user.reload user.reload
@user.raw_visible_posts.count.should == 0 user.raw_visible_posts.count.should == 0
Post.count.should be 1 Post.count.should be 1
end end
it 'should be remove a post if the noone links to it' do it 'should be remove a post if the noone links to it' do
status_message = @user2.post :status_message, :message => "hi", :to => @aspect2.id status_message = user2.post :status_message, :message => "hi", :to => aspect2.id
@user.receive status_message.to_diaspora_xml user.receive status_message.to_diaspora_xml
@user.reload user.reload
@user.raw_visible_posts.count.should == 1 user.raw_visible_posts.count.should == 1
person = @user2.person person = user2.person
@user2.destroy user2.destroy
@user.unfriend(person) user.unfriend(person)
@user.reload user.reload
@user.raw_visible_posts.count.should == 0 user.raw_visible_posts.count.should == 0
Post.count.should be 0 Post.count.should be 0
end end
it 'should keep track of user references for one person ' do it 'should keep track of user references for one person ' do
status_message = @user2.post :status_message, :message => "hi", :to => @aspect2.id status_message = user2.post :status_message, :message => "hi", :to => aspect2.id
@user.receive status_message.to_diaspora_xml user.receive status_message.to_diaspora_xml
@user.reload user.reload
@user.raw_visible_posts.count.should == 1 user.raw_visible_posts.count.should == 1
status_message.reload status_message.reload
status_message.user_refs.should == 1 status_message.user_refs.should == 1
@user.unfriend(@user2.person) user.unfriend(user2.person)
status_message.reload status_message.reload
@user.reload user.reload
@user.raw_visible_posts.count.should == 0 user.raw_visible_posts.count.should == 0
status_message.reload status_message.reload
status_message.user_refs.should == 0 status_message.user_refs.should == 0
@ -116,25 +113,25 @@ describe User do
end end
it 'should not override userrefs on receive by another person' do it 'should not override userrefs on receive by another person' do
@user3.activate_friend(@user2.person, @aspect3) user3.activate_friend(user2.person, aspect3)
status_message = @user2.post :status_message, :message => "hi", :to => @aspect2.id status_message = user2.post :status_message, :message => "hi", :to => aspect2.id
@user.receive status_message.to_diaspora_xml user.receive status_message.to_diaspora_xml
@user3.receive status_message.to_diaspora_xml user3.receive status_message.to_diaspora_xml
@user.reload user.reload
@user3.reload user3.reload
@user.raw_visible_posts.count.should == 1 user.raw_visible_posts.count.should == 1
status_message.reload status_message.reload
status_message.user_refs.should == 2 status_message.user_refs.should == 2
@user.unfriend(@user2.person) user.unfriend(user2.person)
status_message.reload status_message.reload
@user.reload user.reload
@user.raw_visible_posts.count.should == 0 user.raw_visible_posts.count.should == 0
status_message.reload status_message.reload
status_message.user_refs.should == 1 status_message.user_refs.should == 1
@ -146,44 +143,41 @@ describe User do
describe 'comments' do describe 'comments' do
it 'should correctly marshal a stranger for the downstream user' do it 'should correctly marshal a stranger for the downstream user' do
friend_users(@user, @aspect, @user3, @aspect3) post = user.post :status_message, :message => "hello", :to => aspect.id
post = @user.post :status_message, :message => "hello", :to => @aspect.id
@user2.receive post.to_diaspora_xml user2.receive post.to_diaspora_xml
@user3.receive post.to_diaspora_xml user3.receive post.to_diaspora_xml
comment = @user2.comment('tada',:on => post) comment = user2.comment('tada',:on => post)
@user.receive comment.to_diaspora_xml user.receive comment.to_diaspora_xml
@user.reload user.reload
commenter_id = @user2.person.id commenter_id = user2.person.id
@user2.person.delete user2.person.delete
@user2.delete user2.delete
comment_id = comment.id comment_id = comment.id
comment.delete comment.delete
@user3.receive comment.to_diaspora_xml user3.receive comment.to_diaspora_xml
@user3.reload user3.reload
new_comment = Comment.find_by_id(comment_id) new_comment = Comment.find_by_id(comment_id)
new_comment.should_not be_nil new_comment.should_not be_nil
new_comment.person.should_not be_nil new_comment.person.should_not be_nil
new_comment.person.profile.should_not be_nil new_comment.person.profile.should_not be_nil
@user3.visible_person_by_id(commenter_id).should_not be_nil user3.visible_person_by_id(commenter_id).should_not be_nil
end end
end end
describe 'salmon' do describe 'salmon' do
before do let(:post){user.post :status_message, :message => "hello", :to => aspect.id}
@post = @user.post :status_message, :message => "hello", :to => @aspect.id let(:salmon){user.salmon( post )}
@salmon = @user.salmon( @post )
end
it 'should receive a salmon for a post' do it 'should receive a salmon for a post' do
@user2.receive_salmon( @salmon.xml_for @user2.person ) user2.receive_salmon( salmon.xml_for user2.person )
@user2.visible_post_ids.include?(@post.id).should be true user2.visible_post_ids.include?(post.id).should be true
end end
end end
end end