authordakkar <dakkar@thenautilus.net>2024-05-18 16:36:06 +0100
committerdakkar <dakkar@thenautilus.net>2024-05-18 16:48:10 +0100
commitc05cc63e24c654e5e5d2d098e00a2aa669b61adf (patch)
treee56d3eda18886e93a54e93aec12e8076944ecc2e /packages/backend/test
parentmerge: allow overriding all string config values via env - fixes #465 (!476) (diff)
look inside `url` when checking activity origin - #512
The previous assertion that:

> if it's a complicated thing and the `activity.id` doesn't match, I think we're fine rejecting the activity

was wrong: at least peertube sends activities that have `url` as an array of objects.

Notice that this does *not*, in fact, fix #512: the peertube activity does not contain its short URL (`https://example.com/w/someid`), so there's no way to confirm that it is the activity we requested.
Diffstat (limited to 'packages/backend/test')
-rw-r--r--packages/backend/test/unit/misc/check-against-url.ts51
1 files changed, 51 insertions, 0 deletions
diff --git a/packages/backend/test/unit/misc/check-against-url.ts b/packages/backend/test/unit/misc/check-against-url.ts
new file mode 100644
index 0000000000..1cc12cbea2
--- /dev/null
+++ b/packages/backend/test/unit/misc/check-against-url.ts
@@ -0,0 +1,51 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and sharkey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import type { IObject } from '@/core/activitypub/type.js';
+import { describe, expect, test } from '@jest/globals';
+import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
+
+function assertOne(activity: IObject) {
+ // return a function so we can use `.toThrow`
+ return () => assertActivityMatchesUrls(activity, ['good']);
+}
+
+describe('assertActivityMatchesUrls', () => {
+ test('id', () => {
+ expect(assertOne({ id: 'bad' })).toThrow(/bad Activity/);
+ expect(assertOne({ id: 'good' })).not.toThrow();
+ });
+
+ test('simple url', () => {
+ expect(assertOne({ url: 'bad' })).toThrow(/bad Activity/);
+ expect(assertOne({ url: 'good' })).not.toThrow();
+ });
+
+ test('array of urls', () => {
+ expect(assertOne({ url: ['bad'] })).toThrow(/bad Activity/);
+ expect(assertOne({ url: ['bad', 'other'] })).toThrow(/bad Activity/);
+ expect(assertOne({ url: ['good'] })).not.toThrow();
+ expect(assertOne({ url: ['bad', 'good'] })).not.toThrow();
+ });
+
+ test('array of objects', () => {
+ expect(assertOne({ url: [{ href: 'bad' }] })).toThrow(/bad Activity/);
+ expect(assertOne({ url: [{ href: 'bad' }, { href: 'other' }] })).toThrow(/bad Activity/);
+ expect(assertOne({ url: [{ href: 'good' }] })).not.toThrow();
+ expect(assertOne({ url: [{ href: 'bad' }, { href: 'good' }] })).not.toThrow();
+ });
+
+ test('mixed array', () => {
+ expect(assertOne({ url: [{ href: 'bad' }, 'other'] })).toThrow(/bad Activity/);
+ expect(assertOne({ url: [{ href: 'bad' }, 'good'] })).not.toThrow();
+ expect(assertOne({ url: ['bad', { href: 'good' }] })).not.toThrow();
+ });
+
+ test('id and url', () => {
+ expect(assertOne({ id: 'other', url: 'bad' })).toThrow(/bad Activity/);
+ expect(assertOne({ id: 'bad', url: 'good' })).not.toThrow();
+ expect(assertOne({ id: 'good', url: 'bad' })).not.toThrow();
+ });
+});
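Review bot: The suite never exercises the malformed shapes a remote server can send — an activity with neither `id` nor `url`, `url: []`, or a `url` entry with no `href` — so nothing here pins that those are rejected with "bad Activity" rather than slipping through or failing with an unrelated TypeError. Adding `expect(assertOne({})).toThrow(/bad Activity/);`, `expect(assertOne({ url: [] })).toThrow(/bad Activity/);` and `expect(assertOne({ url: [{}] })).toThrow(/bad Activity/);` would cover them; the implementation is not visible on this page, so the expected outcome is an assumption to confirm, and the last case may need a cast if `IObject` does not permit it. In the 'id and url' test, `{ id: 'bad', url: 'good' }` deliberately accepts a mismatched `id`; a comment such as `// a matching url is sufficient even when id differs (peertube), see #512` would make that origin-check decision explicit for the next maintainer.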