Merge pull request from GHSA-3fjr-858r-92rw

* Fix insufficient origin validation * Bump version to 4.3.0-alpha.1
2024-02-01 15:56:46 +01:00 · 2024-02-01 15:56:46 +01:00 · 1726085db5
commit 1726085db5
parent 9cdc60ecc6
17 changed files with 37 additions and 41 deletions
--- a/spec/lib/activitypub/linked_data_signature_spec.rb
+++ b/spec/lib/activitypub/linked_data_signature_spec.rb
@ -56,7 +56,7 @@ RSpec.describe ActivityPub::LinkedDataSignature do

        allow(ActivityPub::FetchRemoteKeyService).to receive(:new).and_return(service_stub)

-        allow(service_stub).to receive(:call).with('http://example.com/alice', id: false) do
+        allow(service_stub).to receive(:call).with('http://example.com/alice') do
          sender.update!(public_key: old_key)
          sender
        end
@ -64,7 +64,7 @@ RSpec.describe ActivityPub::LinkedDataSignature do

      it 'fetches key and returns creator' do
        expect(subject.verify_actor!).to eq sender
-        expect(service_stub).to have_received(:call).with('http://example.com/alice', id: false).once
+        expect(service_stub).to have_received(:call).with('http://example.com/alice').once
      end
    end

--- a/spec/services/activitypub/fetch_remote_account_service_spec.rb
+++ b/spec/services/activitypub/fetch_remote_account_service_spec.rb
@ -18,7 +18,7 @@ RSpec.describe ActivityPub::FetchRemoteAccountService, type: :service do
  end

  describe '#call' do
-    let(:account) { subject.call('https://example.com/alice', id: true) }
+    let(:account) { subject.call('https://example.com/alice') }

    shared_examples 'sets profile data' do
      it 'returns an account with expected details' do
--- a/spec/services/activitypub/fetch_remote_actor_service_spec.rb
+++ b/spec/services/activitypub/fetch_remote_actor_service_spec.rb
@ -18,7 +18,7 @@ RSpec.describe ActivityPub::FetchRemoteActorService, type: :service do
  end

  describe '#call' do
-    let(:account) { subject.call('https://example.com/alice', id: true) }
+    let(:account) { subject.call('https://example.com/alice') }

    shared_examples 'sets profile data' do
      it 'returns an account and sets attributes' do
--- a/spec/services/activitypub/fetch_remote_key_service_spec.rb
+++ b/spec/services/activitypub/fetch_remote_key_service_spec.rb
@ -55,7 +55,7 @@ RSpec.describe ActivityPub::FetchRemoteKeyService, type: :service do
  end

  describe '#call' do
-    let(:account) { subject.call(public_key_id, id: false) }
+    let(:account) { subject.call(public_key_id) }

    context 'when the key is a sub-object from the actor' do
      before do
--- a/spec/services/fetch_resource_service_spec.rb
+++ b/spec/services/fetch_resource_service_spec.rb
@ -57,7 +57,7 @@ RSpec.describe FetchResourceService, type: :service do

      let(:json) do
        {
-          id: 1,
+          id: 'http://example.com/foo',
          '@context': ActivityPub::TagManager::CONTEXT,
          type: 'Note',
        }.to_json
@ -83,27 +83,27 @@ RSpec.describe FetchResourceService, type: :service do
        let(:content_type) { 'application/activity+json; charset=utf-8' }
        let(:body) { json }

-        it { is_expected.to eq [1, { prefetched_body: body, id: true }] }
+        it { is_expected.to eq ['http://example.com/foo', { prefetched_body: body }] }
      end

      context 'when content type is ld+json with profile' do
        let(:content_type) { 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' }
        let(:body) { json }

-        it { is_expected.to eq [1, { prefetched_body: body, id: true }] }
+        it { is_expected.to eq ['http://example.com/foo', { prefetched_body: body }] }
      end

      context 'when link header is present' do
        let(:headers) { { 'Link' => '<http://example.com/foo>; rel="alternate"; type="application/activity+json"' } }

-        it { is_expected.to eq [1, { prefetched_body: json, id: true }] }
+        it { is_expected.to eq ['http://example.com/foo', { prefetched_body: json }] }
      end

      context 'when content type is text/html' do
        let(:content_type) { 'text/html' }
        let(:body) { '<html><head><link rel="alternate" href="http://example.com/foo" type="application/activity+json"/></head></html>' }

-        it { is_expected.to eq [1, { prefetched_body: json, id: true }] }
+        it { is_expected.to eq ['http://example.com/foo', { prefetched_body: json }] }
      end
    end
  end
--- a/spec/services/resolve_url_service_spec.rb
+++ b/spec/services/resolve_url_service_spec.rb
@ -139,6 +139,7 @@ describe ResolveURLService, type: :service do
        stub_request(:get, url).to_return(status: 302, headers: { 'Location' => status_url })
        body = ActiveModelSerializers::SerializableResource.new(status, serializer: ActivityPub::NoteSerializer, adapter: ActivityPub::Adapter).to_json
        stub_request(:get, status_url).to_return(body: body, headers: { 'Content-Type' => 'application/activity+json' })
+        stub_request(:get, uri).to_return(body: body, headers: { 'Content-Type' => 'application/activity+json' })
      end

      it 'returns status by url' do