akkoma/test/fixtures
Oneric 8684964c5d Only allow exact id matches
This protects us from falling for obvious spoofs as from the current
upload exploit (unfortunately we can’t reasonably do anything about
spoofs with exact matches as was possible via emoji and proxy).

Such objects being invalid is supported by the spec, sepcifically
sections 3.1 and 3.2: https://www.w3.org/TR/activitypub/#obj-id

Anonymous objects are not relevant here (they can only exists within
parent objects iiuc) and neither is client-to-server or transient objects
(as those cannot be fetched in the first place).
This leaves us with the requirement for `id` to (a) exist and
(b) be a publicly dereferencable URI from the originating server.
This alone does not yet demand strict equivalence, but the spec then
further explains objects ought to be fetchable _via their ID_.
Meaning an object not retrievable via its ID, is invalid.

This reading is supported by the fact, e.g. GoToSocial (recently) and
Mastodon (for 6+ years) do already implement such strict ID checks,
additionally proving this doesn’t cause federation issues in practice.

However, apart from canonical IDs there can also be additional display
URLs. *omas first redirect those to their canonical location, but *keys
and Mastodon directly serve the AP representation without redirects.

Mastodon and GTS deal with this in two different ways,
but both constitute an effective countermeasure:
 - Mastodon:
   Unless it already is a known AP id, two fetches occur.
   The first fetch just reads the `id` property and then refetches from
   the id. The last fetch requires the returned id to exactly match the
   URL the content was fetched from. (This can be optimised by skipping
   the second fetch if it already matches)
   05eda8d193/app/helpers/jsonld_helper.rb (L168)
   63f0979799

 - GTS:
   Only does a single fetch and then checks if _either_ the id
   _or_ url property (which can be an object) match the original fetch
   URL. This relies on implementations always including their display URL
   as "url" if differing from the id. For actors this is true for all
   investigated implementations, for posts only Mastodon includes an
   "url", but it is also the only one with a differing display URL.
   2bafd7daf5 (diff-943bbb02c8ac74ac5dc5d20807e561dcdfaebdc3b62b10730f643a20ac23c24fR222)

Albeit Mastodon’s refetch offers higher compatibility with theoretical
implmentations using either multiple different display URL or not
denoting any of them as "url" at all, for now we chose to adopt a
GTS-like refetch-free approach to avoid additional implementation
concerns wrt to whether redirects should be allowed when fetching a
canonical AP id and potential for accidentally loosening some checks
(e.g. cross-domain refetches) for one of the fetches.
This may be reconsidered in the future.
2024-03-25 14:05:05 -01:00
..
bridgy Sanity check fetched user data 2024-03-25 14:05:05 -01:00
collections Add collection fetching module 2022-07-03 19:20:59 +01:00
config Remove quack, ensure adapter is finch 2022-12-11 23:22:35 +00:00
emoji/packs tests for emoji mix task 2020-04-06 11:13:59 +03:00
fedibird Quote posting (#113) 2022-07-25 16:30:06 +00:00
fetch_mocks Fetcher: Work when we can't get the OP. 2020-07-01 11:48:51 +02:00
friendica Add support for a first reference in pinned objects 2022-07-03 17:25:20 +01:00
mastodon add inbound language test 2023-01-11 15:42:13 +00:00
microblogpub microblogpub federation fixes (#288) 2022-11-18 11:14:35 +00:00
misskey Interpret \n as newline for MFM 2023-02-18 19:56:11 +01:00
modules MRF: create MRF.Policy behaviour separate from MRF module 2021-06-07 14:22:08 -05:00
peertube Video: Handle peertube videos only stashing attachments in x-mpegURL 2021-02-21 23:41:28 +01:00
preload_static/instance Preload: Load the correct instance panel 2020-06-30 11:35:54 +02:00
quote_post Quote posting (#113) 2022-07-25 16:30:06 +00:00
relay relay list shows hosts without accepted follow 2020-03-02 09:27:20 +03:00
rich_media
rsa_keys Use set of pregenerated RSA keys 2022-09-11 20:14:58 +01:00
runtime_modules extend custom runtime system (#108) 2022-07-24 16:42:43 +00:00
statuses mastodon pins 2021-03-25 13:03:40 +03:00
tesla_mock Only allow exact id matches 2024-03-25 14:05:05 -01:00
users_mock Never fetch resource from ourselves 2024-03-25 14:05:05 -01:00
warnings/otp_version otp_version refactor 2020-03-03 12:21:10 +03:00
webfinger Support reaching user@sub.domain.tld at user@domain.tld (#134) 2022-08-02 13:54:22 +00:00
activitypub-client-post-activity.json Pipeline Ingestion: Note 2021-04-05 19:19:11 +02:00
avatar_data_uri
bogus-mastodon-announce.json
bookwyrm-article.json just drop unknown tags 2022-01-07 20:14:04 +00:00
bookwyrm-replies-collection.json Add compatibility with bookwyrm's weird entities 2022-01-07 16:51:04 +00:00
create-chat-message.json ChatMessage: Correctly ingest emoji tags. 2020-04-23 16:19:49 +02:00
create-pleroma-reply-to-misskey-thread.json Transmogrifier: fix reply context fixing 2022-08-04 12:57:48 +01:00
custom-emoji-reaction.json fix emoji tests 2022-06-11 14:08:54 +01:00
custom_instance_panel.html AdminAPI: Allow to modify Terms of Service and Instance Panel via Admin API 2020-09-17 16:48:07 +03:00
DSCN0010.jpg Support Exiftool for stripping EXIF data 2020-07-10 16:46:26 -05:00
emoji-reaction-no-emoji.json EmojiReactions: Rename to EmojiReacts 2020-02-06 18:09:57 +01:00
emoji-reaction-too-long.json EmojiReactions: Rename to EmojiReacts 2020-02-06 18:09:57 +01:00
emoji-reaction.json EmojiReactions: Rename to EmojiReacts 2020-02-06 18:09:57 +01:00
emojis.zip finland-emojis.zip -> emojis.zip 2020-09-22 21:58:30 +03:00
empty.zip added tests 2020-08-24 15:01:45 +03:00
friendica_salmon.xml
guppe-actor.json ActivtityPub Test: Add example for guppe actor 2021-01-07 16:20:30 +01:00
host-meta-zetsubou.xn--q9jyb4c.xml
hubzilla-follow-activity.json
image.gif [#2497] Configurability of :min_content_length (preview proxy). Refactoring, documentation, tests. 2020-09-17 17:13:40 +03:00
image.jpg
image.png [#2497] Configurability of :min_content_length (preview proxy). Refactoring, documentation, tests. 2020-09-17 17:13:40 +03:00
kroeg-announce-with-inline-actor.json Transmogrifier Test: Extract Announce handling. 2020-05-18 14:48:37 +02:00
kroeg-array-less-emoji.json
kroeg-array-less-hashtag.json
kroeg-post-activity.json
lain.xml
lambadalambda.json
margaret-corbin-grave-west-point.html meta tag parser respect first title header 2020-01-28 19:29:27 +03:00
mastodon-accept-activity.json
mastodon-announce-private.json
mastodon-announce.json
mastodon-block-activity.json
mastodon-create-with-attachment.json
mastodon-delete-user.json
mastodon-delete.json Fix badly formatted JSON fixtures which causes Jason to erroneously detect control characters 2020-11-23 14:48:14 -06:00
mastodon-follow-activity.json
mastodon-like.json
mastodon-note-object.json Announcements: Handle through common pipeline. 2020-05-20 15:44:37 +02:00
mastodon-post-activity-contentmap.json
mastodon-post-activity-hashtag.json
mastodon-post-activity-nsfw.json Transmogrifier: Downcase incoming Hashtags 2020-10-19 15:40:50 +02:00
mastodon-post-activity.json [#1505] Improved replies-handling tests: updated Mastodon message fixture, used exact Pleroma federation message. 2020-02-10 11:46:16 +03:00
mastodon-question-activity.json question_validator: fix for mastodon poll expiration 2020-07-15 11:39:56 +02:00
mastodon-reject-activity.json
mastodon-unblock-activity.json
mastodon-undo-announce.json
mastodon-undo-like-compact-object.json
mastodon-undo-like.json
mastodon-unfollow-activity.json
mastodon-update.json
mastodon-vote.json
mewmew_no_name.json purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
misskey-like.json fix emoji tests 2022-06-11 14:08:54 +01:00
nypd-facial-recognition-children-teenagers.html
nypd-facial-recognition-children-teenagers2.html
nypd-facial-recognition-children-teenagers3.html
nypd-facial-recognition-children-teenagers4.html title parse improvement 2020-01-29 11:13:34 +03:00
osada-follow-activity.json Fix badly formatted JSON fixtures which causes Jason to erroneously detect control characters 2020-11-23 14:48:14 -06:00
owncast-note-with-attachment.json Fix broken attachments from owncast (#31) 2022-07-01 11:14:55 +00:00
prismo-url-map.json
private_key.pem
quoted_status.json Quote posting (#113) 2022-07-25 16:30:06 +00:00
rel_me_anchor.html
rel_me_anchor_nofollow.html
rel_me_link.html
rel_me_null.html
salmon.xml
salmon2.xml
sound.mp3
spoofed-object.json Fix object spoofing vulnerability in attachments 2020-11-12 15:25:33 +03:00
test.txt Mix Task Frontend test: Expand. 2020-08-07 16:03:06 +02:00
user_full.xml
user_name_only.xml
video.mp4 Add test for AnalyzeMetadata upload filter fetching dimensions from a video 2021-06-08 14:02:56 -05:00
webfinger.xml
xml_billion_laughs.xml Completely disable xml entity resolution 2023-08-05 12:32:05 +00:00
xml_external_entities.xml Add unit test for external entity loading 2023-08-04 22:24:32 +01:00
xml_normal.xml Add XML matcher 2023-08-07 11:12:14 +01:00