From deb6f1153f2d4312485b5ffaf392949bc6e6c866 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Fri, 12 Feb 2021 21:44:06 -0700
Subject: [PATCH 1/5] Update FederationController, return 404 for invalid webfinger addresses. Fixes #2647
---
 app/Http/Controllers/FederationController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/Http/Controllers/FederationController.php b/app/Http/Controllers/FederationController.php
index f6d3df31f..3c5b93950 100644
--- a/app/Http/Controllers/FederationController.php
+++ b/app/Http/Controllers/FederationController.php
@@ -53,8 +53,8 @@ class FederationController extends Controller
 $resource = $request->input('resource');
 $parsed = Nickname::normalizeProfileUrl($resource);
- if($parsed['domain'] !== config('pixelfed.domain.app')) {
- abort(400);
+ if(empty($parsed) || $parsed['domain'] !== config('pixelfed.domain.app')) {
+ abort(404);
 }
 $username = $parsed['username'];
 $profile = Profile::whereNull('domain')->whereUsername($username)->firstOrFail();
From 40db9a129656dbac9f7173934de784a21861e338 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Fri, 12 Feb 2021 21:44:46 -0700
Subject: [PATCH 2/5] Update changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 26b867507..b107f124f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
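Review bot: The new guard on the `if` line handles an empty result from `Nickname::normalizeProfileUrl`, but a non-empty array that lacks the `domain` or `username` key would still reach `$parsed['domain']` here and `$parsed['username']` two lines below, producing an undefined-index notice instead of the intended 404; I cannot tell from the hunk whether the helper can return such a shape. Checking the keys directly covers the empty case as well: `if(!isset($parsed['domain'], $parsed['username']) || $parsed['domain'] !== config('pixelfed.domain.app')) {`. Answering 404 for a resource on another domain is the expected WebFinger response for an unknown resource, so the status change itself is sound. The enclosing method starts before and continues after the hunk.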
@@ -41,6 +41,7 @@
 - Updated Hashtag component, fix null infinite loading bug. Fixes #2637. ([55136518](https://github.com/pixelfed/pixelfed/commit/55136518))
 - Updated filesystems config, add backup driver to store backups on other filesystems. ([ae90eef9](https://github.com/pixelfed/pixelfed/commit/ae90eef9))
 - Updated Embeds. Fix Profile + Status embeds, remove following count and improve cache invalidation and hidden follower counts. ([5ac9d0e8](https://github.com/pixelfed/pixelfed/commit/5ac9d0e8))
+- Updated FederationController, return 404 for invalid webfinger addresses. Fixes #2647. ([deb6f115](https://github.com/pixelfed/pixelfed/commit/deb6f115))
 - ([](https://github.com/pixelfed/pixelfed/commit/))
 ## [v0.10.10 (2021-01-28)](https://github.com/pixelfed/pixelfed/compare/v0.10.9...v0.10.10)
From d1c5e9b8670af4dfcf69ef56ab4358c3db8d04f0 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Fri, 12 Feb 2021 22:25:34 -0700
Subject: [PATCH 3/5] Update InboxPipeline, fail earlier for invalid public keys. Fixes #2648
---
 app/Jobs/InboxPipeline/InboxValidator.php | 3 +++
 app/Jobs/InboxPipeline/InboxWorker.php | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/app/Jobs/InboxPipeline/InboxValidator.php b/app/Jobs/InboxPipeline/InboxValidator.php
index ab153e384..bfcb4d6d0 100644
--- a/app/Jobs/InboxPipeline/InboxValidator.php
+++ b/app/Jobs/InboxPipeline/InboxValidator.php
@@ -173,6 +173,9 @@ class InboxValidator implements ShouldQueue
 return;
 }
 $pkey = openssl_pkey_get_public($actor->public_key);
+ if(!$pkey) {
+ return 0;
+ }
 $inboxPath = "/users/{$profile->username}/inbox";
 list($verified, $headers) = HttpSignature::verify($pkey, $signatureData, $headers, $inboxPath, $body);
 if($verified == 1) {
diff --git a/app/Jobs/InboxPipeline/InboxWorker.php b/app/Jobs/InboxPipeline/InboxWorker.php
index ab1683e58..acc72f16f 100644
--- a/app/Jobs/InboxPipeline/InboxWorker.php
+++ b/app/Jobs/InboxPipeline/InboxWorker.php
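Review bot: The added early exit `return 0;` in InboxValidator, and the identical one in the InboxWorker hunk that follows, returns an integer while the exit on the `return;` context line just above returns nothing; unless a caller distinguishes the two, `return;` keeps the method's exits consistent (the method body starts and ends outside the hunk). A key that `openssl_pkey_get_public` rejects is also a signal a federation operator wants to see: the reason is left in the OpenSSL error queue, so logging `openssl_error_string()` before returning would make the dropped delivery diagnosable instead of vanishing silently. The loose `$verified == 1` on the context line below predates this change but is worth tightening to `=== 1` while this code is being touched.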
@@ -161,6 +161,9 @@ class InboxWorker implements ShouldQueue
 return;
 }
 $pkey = openssl_pkey_get_public($actor->public_key);
+ if(!$pkey) {
+ return 0;
+ }
 $inboxPath = "/f/inbox";
 list($verified, $headers) = HttpSignature::verify($pkey, $signatureData, $headers, $inboxPath, $body);
 if($verified == 1) {
From f63f48beb6e94996f6e3c7dc5c8d3463950ef67b Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Fri, 12 Feb 2021 22:27:45 -0700
Subject: [PATCH 4/5] Update changelog
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b107f124f..5c3432a71 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,7 +41,8 @@
 - Updated Hashtag component, fix null infinite loading bug. Fixes #2637. ([55136518](https://github.com/pixelfed/pixelfed/commit/55136518))
 - Updated filesystems config, add backup driver to store backups on other filesystems. ([ae90eef9](https://github.com/pixelfed/pixelfed/commit/ae90eef9))
 - Updated Embeds. Fix Profile + Status embeds, remove following count and improve cache invalidation and hidden follower counts. ([5ac9d0e8](https://github.com/pixelfed/pixelfed/commit/5ac9d0e8))
-- Updated FederationController, return 404 for invalid webfinger addresses. Fixes #2647. ([deb6f115](https://github.com/pixelfed/pixelfed/commit/deb6f115))
+- Updated FederationController, return 404 for invalid webfinger addresses. Fixes ([#2647](https://github.com/pixelfed/pixelfed/issues/2647)). ([deb6f115](https://github.com/pixelfed/pixelfed/commit/deb6f115))
+- Updated InboxPipeline, fail earlier for invalid public keys. Fixes ([#2648](https://github.com/pixelfed/pixelfed/issues/2648)). ([d1c5e9b8](https://github.com/pixelfed/pixelfed/commit/d1c5e9b8))
 - ([](https://github.com/pixelfed/pixelfed/commit/))
 ## [v0.10.10 (2021-01-28)](https://github.com/pixelfed/pixelfed/compare/v0.10.9...v0.10.10)
From 2598520bbe941c6449bcba25d8b925cf0b953b0e Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Fri, 12 Feb 2021 22:50:46 -0700
Subject: [PATCH 5/5] Update tests
---
 tests/Feature/InstalledTest.php | 19 +++++-----
 tests/Feature/LoginTest.php | 13 ++++---
 tests/Unit/DateTimeTest.php | 33 +++++++++++++++++
 tests/Unit/ExampleTest.php | 18 +++++-----
 tests/Unit/Lexer/RestrictedNameTest.php | 17 ++++-----
 tests/Unit/SnowflakeTest.php | 17 +++++++++
 tests/Unit/WebfingerTest.php | 48 +++++++++++++++++++++++++
 7 files changed, 132 insertions(+), 33 deletions(-)
 create mode 100644 tests/Unit/DateTimeTest.php
 create mode 100644 tests/Unit/SnowflakeTest.php
 create mode 100644 tests/Unit/WebfingerTest.php
diff --git a/tests/Feature/InstalledTest.php b/tests/Feature/InstalledTest.php
index 2627a7f2a..0a80ede22 100644
--- a/tests/Feature/InstalledTest.php
+++ b/tests/Feature/InstalledTest.php
@@ -8,13 +8,14 @@ use Illuminate\Foundation\Testing\WithoutMiddleware;
 class InstalledTest extends TestCase
 {
- /** @test */
- public function nodeinfo_api()
- {
- $response = $this->get('/.well-known/nodeinfo');
- $response->assertJson([
- 'links' => [
- ['rel' => 'http://nodeinfo.diaspora.software/ns/schema/2.0'],
- ], ]);
- }
+
+ /** @test */
+ public function nodeinfo_api()
+ {
+ $response = $this->get('/.well-known/nodeinfo');
+ $response->assertJson([
+ 'links' => [
+ ['rel' => 'http://nodeinfo.diaspora.software/ns/schema/2.0'],
+ ], ]);
+ }
 }
diff --git a/tests/Feature/LoginTest.php b/tests/Feature/LoginTest.php
index b3f042b7e..c39a070e9 100644
--- a/tests/Feature/LoginTest.php
+++ b/tests/Feature/LoginTest.php
@@ -9,12 +9,11 @@ use App\User;
 class LoginTest extends TestCase
 {
+ /** @test */
+ public function view_login_page()
+ {
+ $response = $this->get('login');
- /** @test */
- public function view_login_page()
- {
- $response = $this->get('login');
-
- $response->assertSee('Forgot Password');
- }
+ $response->assertSee('Forgot Password');
+ }
 }
\ No newline at end of file
diff --git a/tests/Unit/DateTimeTest.php b/tests/Unit/DateTimeTest.php new file mode 100644 index 000000000..f5b989b5e --- /dev/null +++ b/tests/Unit/DateTimeTest.php @@ -0,0 +1,33 @@ +assertEquals(9, $ts->month); + $this->assertEquals(16, $ts->day); + $this->assertEquals(2019, $ts->year); + $this->assertEquals(2, $ts->hour); + $this->assertEquals(41, $ts->minute); + } + + /** @test */ + public function p3kTimestamp() + { + $ts = Carbon::createFromFormat(\DateTime::ISO8601, '2019-09-16T08:40:55+10:00'); + $this->assertEquals(9, $ts->month); + $this->assertEquals(16, $ts->day); + $this->assertEquals(2019, $ts->year); + $this->assertEquals(8, $ts->hour); + $this->assertEquals(40, $ts->minute); + } +} diff --git a/tests/Unit/ExampleTest.php b/tests/Unit/ExampleTest.php index 06ece2c2c..26465f22b 100644 --- a/tests/Unit/ExampleTest.php +++ b/tests/Unit/ExampleTest.php @@ -6,13 +6,13 @@ use Tests\TestCase; class ExampleTest extends TestCase { - /** - * A basic test example. - * - * @return void - */ - public function testBasicTest() - { - $this->assertTrue(true); - } + /** + * A basic test example. + * + * @return void + */ + public function testBasicTest() + { + $this->assertTrue(true); + } } diff --git a/tests/Unit/Lexer/RestrictedNameTest.php b/tests/Unit/Lexer/RestrictedNameTest.php index 2fb000746..ef5aec06f 100644 --- a/tests/Unit/Lexer/RestrictedNameTest.php +++ b/tests/Unit/Lexer/RestrictedNameTest.php 
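Review bot: `\DateTime::ISO8601` on the `Carbon::createFromFormat` line of `p3kTimestamp` (and presumably in the first test, whose opening lines are not readable in this rendering) is the format constant the PHP manual itself flags as not ISO 8601-compliant and kept only for backward compatibility; `\DateTimeInterface::ATOM` is the recommended equivalent and parses the `+10:00` offset form used here. The assertions check only the calendar fields of the parsed instance, so the offset is never verified; adding `$this->assertEquals('+10:00', $ts->format('P'));` would pin that the zone survived parsing rather than being silently replaced by the process default.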
@@ -9,12 +9,13 @@ use App\Util\Lexer\RestrictedNames; class RestrictedNameTest extends TestCase { - /** @test */ - public function restrictedUsername() - { - $this->assertContains('p', RestrictedNames::get()); - $this->assertContains('admin', RestrictedNames::get()); - $this->assertNotContains('dansup', RestrictedNames::get()); - $this->assertNotContains('lain', RestrictedNames::get()); - } + /** @test */ + public function restrictedUsername() + { + $names = RestrictedNames::get(); + $this->assertContains('p', $names); + $this->assertContains('admin', $names); + $this->assertNotContains('dansup', $names); + $this->assertNotContains('earth', $names); + } } diff --git a/tests/Unit/SnowflakeTest.php b/tests/Unit/SnowflakeTest.php new file mode 100644 index 000000000..1a3ff8d2f --- /dev/null +++ b/tests/Unit/SnowflakeTest.php @@ -0,0 +1,17 @@ +parse('2021-02-13T05:36:35+00:00')); + $this->assertEquals($expected, $actual); + } +} diff --git a/tests/Unit/WebfingerTest.php b/tests/Unit/WebfingerTest.php new file mode 100644 index 000000000..0a5101b43 --- /dev/null +++ b/tests/Unit/WebfingerTest.php 
@@ -0,0 +1,48 @@ + "pixelfed.org", + "username" => "dansup", + ]; + $actual = Nickname::normalizeProfileUrl('acct:dansup@pixelfed.org'); + $this->assertEquals($expected, $actual); + + $expected = [ + "domain" => "pixelfed.org", + "username" => "dansup_", + ]; + $actual = Nickname::normalizeProfileUrl('acct:dansup@pixelfed.org'); + $this->assertNotEquals($expected, $actual); + + $expected = [ + "domain" => "pixelfed.org", + "username" => "dansup", + ]; + $actual = Nickname::normalizeProfileUrl('acct:@dansup@pixelfed.org'); + $this->assertEquals($expected, $actual); + + $expected = [ + "domain" => "pixelfed.org", + "username" => "dansup", + ]; + $actual = Nickname::normalizeProfileUrl('dansup@pixelfed.org'); + $this->assertEquals($expected, $actual); + + $expected = [ + "domain" => "pixelfed.org", + "username" => "dansup", + ]; + $actual = Nickname::normalizeProfileUrl('@dansup@pixelfed.org'); + $this->assertEquals($expected, $actual); + } +}
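Review bot: Every case in this test feeds `Nickname::normalizeProfileUrl` a well-formed address, so the path the first patch in this series relies on — the helper returning something `empty()` for an invalid resource, which the controller now turns into a 404 — has no coverage; an assertion such as `$this->assertEmpty(Nickname::normalizeProfileUrl('acct:dansup'));` (constructed example, a resource with no host) would pin it, assuming that is the helper's contract for malformed input. The second case asserts only that the result is not equal to an array whose username is `dansup_`, which passes for almost any return value and adds nothing the first case does not already check; drop it or compare against a concrete expected array. The top of the file (namespace, imports, method signature) is not readable in this rendering, so this covers only the visible assertions.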