Merge pull request #231 from pfefferle/security_privacy

Security & privacy related fixes

Dockerfile

@@ -0,0 +1,27 @@
+FROM php:7.4-alpine3.13
+
+RUN mkdir /app
+
+WORKDIR /app
+
+# Install Git, NPM & needed libraries
+RUN apk update \
+    && apk add bash git nodejs npm gettext subversion mysql mysql-client zip \
+    && rm -f /var/cache/apk/*
+
+RUN docker-php-ext-install mysqli
+
+#  Install Composer
+RUN EXPECTED_CHECKSUM=$(curl -s https://composer.github.io/installer.sig) \
+    && curl https://getcomposer.org/installer -o composer-setup.php \
+    && ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")" \
+    && if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]; then >&2 echo 'ERROR: Invalid installer checksum'; rm composer-setup.php; exit 1; fi \
+    && php composer-setup.php --quiet \
+    && php -r "unlink('composer-setup.php');" \
+    && mv composer.phar /usr/local/bin/composer
+
+RUN curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && \
+    chmod +x wp-cli.phar && \
+    mv wp-cli.phar /usr/local/bin/wp
+
+RUN chmod +x -R ./

README.md

@@ -4,7 +4,7 @@
 **Tags:** OStatus, fediverse, activitypub, activitystream  
 **Requires at least:** 4.7  
 **Tested up to:** 6.1  
-**Stable tag:** 0.14.3  
+**Stable tag:** 0.15.0  
 **Requires PHP:** 5.6  
 **License:** MIT  
 **License URI:** http://opensource.org/licenses/MIT  
@@ -88,6 +88,12 @@ Where 'blog' is the path to the subdirectory at which your blog resides.
 
 Project maintained on GitHub at [pfefferle/wordpress-activitypub](https://github.com/pfefferle/wordpress-activitypub).
 
+### 0.15.0 ###
+
+* Enable ActivityPub only for users that can `publish_posts`
+* Persist only public Activities
+* Fix remote-delete
+
 ### 0.14.3 ###
 
 * Better error handling. props [@akirk](https://github.com/akirk)

activitypub.php

@@ -3,7 +3,7 @@
  * Plugin Name: ActivityPub
  * Plugin URI: https://github.com/pfefferle/wordpress-activitypub/
  * Description: The ActivityPub protocol is a decentralized social networking protocol based upon the ActivityStreams 2.0 data format.
- * Version: 0.14.3
+ * Version: 0.15.0
  * Author: Matthias Pfefferle
  * Author URI: https://notiz.blog/
  * License: MIT

composer.json

@@ -34,7 +34,7 @@
     "scripts": {
         "test": [
             "composer install",
-            "bin/install-wp-tests.sh wordpress wordpress wordpress",
+            "bin/install-wp-tests.sh activitypub-test root activitypub-test test-db latest true",
             "vendor/bin/phpunit"
         ]
     }

docker-compose-test.yml

@@ -0,0 +1,17 @@
+version: '2'
+services:
+  test-db:
+    image: mysql:5.7
+    environment:
+      MYSQL_DATABASE: activitypub-test
+      MYSQL_ROOT_PASSWORD: activitypub-test
+
+  test-php:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    links:
+      - test-db
+    volumes:
+      - .:/app
+    command: ["composer", "run-script", "test"]

includes/class-activitypub.php

@@ -24,6 +24,8 @@ class Activitypub {
 		}
 
 		\add_action( 'transition_post_status', array( '\Activitypub\Activitypub', 'schedule_post_activity' ), 10, 3 );
+		\add_action( 'wp_trash_post', array( '\Activitypub\Activitypub', 'trash_post' ), 1 );
+		\add_action( 'untrash_post', array( '\Activitypub\Activitypub', 'untrash_post' ), 1 );
 	}
 
 	/**
@@ -38,6 +40,11 @@ class Activitypub {
 			return $template;
 		}
 
+		// check if user can publish posts
+		if ( \is_author() && ! user_can( \get_the_author_meta( 'ID' ), 'publish_posts' ) ) {
+			return $template;
+		}
+
 		if ( \is_author() ) {
 			$json_template = \dirname( __FILE__ ) . '/../templates/author-json.php';
 		} elseif ( \is_singular() ) {
@@ -180,4 +187,26 @@ class Activitypub {
 		}
 		return \get_comment_meta( $comment->comment_ID, 'avatar_url', true );
 	}
+
+	/**
+	 * Store permalink in meta, to send delete Activity
+	 *
+	 * @param string $post_id The Post ID
+	 *
+	 * @return void
+	 */
+	public static function trash_post( $post_id ) {
+		\add_post_meta( $post_id, 'activitypub_canonical_url', \get_permalink( $post_id ), true );
+	}
+
+	/**
+	 * Delete permalink from meta
+	 *
+	 * @param string $post_id The Post ID
+	 *
+	 * @return void
+	 */
+	public static function untrash_post( $post_id ) {
+		\delete_post_meta( $post_id, 'activitypub_canonical_url' );
+	}
 }

includes/model/class-post.php

@@ -68,11 +68,15 @@ class Post {
 	}
 
 	public function generate_id() {
-		$post      = $this->post;
+		$post = $this->post;
-		$permalink = \get_permalink( $post );
 
-		// replace 'trashed' for delete activity
+		if ( 'trash' === get_post_status( $post ) ) {
-		return \str_replace( '__trashed', '', $permalink );
+			$permalink = \get_post_meta( $post->ID, 'activitypub_canonical_url', true );
+		} else {
+			$permalink = \get_permalink( $post );
+		}
+
+		return $permalink;
 	}
 
 	public function generate_attachments() {

includes/rest/class-followers.php

@@ -101,6 +101,9 @@ class Followers {
 		$params['user_id'] = array(
 			'required' => true,
 			'type' => 'integer',
+			'validate_callback' => function( $param, $request, $key ) {
+				return user_can( $param, 'publish_posts' );
+			},
 		);
 
 		return $params;

includes/rest/class-following.php

@@ -99,6 +99,9 @@ class Following {
 		$params['user_id'] = array(
 			'required' => true,
 			'type' => 'integer',
+			'validate_callback' => function( $param, $request, $key ) {
+				return user_can( $param, 'publish_posts' );
+			},
 		);
 
 		return $params;

includes/rest/class-inbox.php

@@ -33,7 +33,7 @@ class Inbox {
 				array(
 					'methods'             => \WP_REST_Server::EDITABLE,
 					'callback'            => array( '\Activitypub\Rest\Inbox', 'shared_inbox_post' ),
-					'args'                => self::shared_inbox_request_parameters(),
+					'args'                => self::shared_inbox_post_parameters(),
 					'permission_callback' => '__return_true',
 				),
 			)
@@ -46,12 +46,13 @@ class Inbox {
 				array(
 					'methods'             => \WP_REST_Server::EDITABLE,
 					'callback'            => array( '\Activitypub\Rest\Inbox', 'user_inbox_post' ),
-					'args'                => self::user_inbox_request_parameters(),
+					'args'                => self::user_inbox_post_parameters(),
 					'permission_callback' => '__return_true',
 				),
 				array(
 					'methods'             => \WP_REST_Server::READABLE,
 					'callback'            => array( '\Activitypub\Rest\Inbox', 'user_inbox_get' ),
+					'args'                => self::user_inbox_get_parameters(),
 					'permission_callback' => '__return_true',
 				),
 			)
@@ -195,7 +196,7 @@ class Inbox {
 	 *
 	 * @return array list of parameters
 	 */
-	public static function user_inbox_request_parameters() {
+	public static function user_inbox_get_parameters() {
 		$params = array();
 
 		$params['page'] = array(
@@ -205,6 +206,32 @@ class Inbox {
 		$params['user_id'] = array(
 			'required' => true,
 			'type' => 'integer',
+			'validate_callback' => function( $param, $request, $key ) {
+				return user_can( $param, 'publish_posts' );
+			},
+		);
+
+		return $params;
+	}
+
+	/**
+	 * The supported parameters
+	 *
+	 * @return array list of parameters
+	 */
+	public static function user_inbox_post_parameters() {
+		$params = array();
+
+		$params['page'] = array(
+			'type' => 'integer',
+		);
+
+		$params['user_id'] = array(
+			'required' => true,
+			'type' => 'integer',
+			'validate_callback' => function( $param, $request, $key ) {
+				return user_can( $param, 'publish_posts' );
+			},
 		);
 
 		$params['id'] = array(
@@ -243,7 +270,7 @@ class Inbox {
 	 *
 	 * @return array list of parameters
 	 */
-	public static function shared_inbox_request_parameters() {
+	public static function shared_inbox_post_parameters() {
 		$params = array();
 
 		$params['page'] = array(
@@ -410,6 +437,12 @@ class Inbox {
 			return;
 		}
 
+		// check if Activity is public or not
+		if ( ! self::is_activity_public( $object ) ) {
+			// @todo maybe send email
+			return;
+		}
+
 		$comment_post_id = \url_to_postid( $object['object']['inReplyTo'] );
 
 		// save only replys and reactions
@@ -446,21 +479,53 @@ class Inbox {
 		\add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
 	}
 
+	/**
+	 * Extract recipient URLs from Activity object
+	 *
+	 * @param  array $data
+	 *
+	 * @return array The list of user URLs
+	 */
 	public static function extract_recipients( $data ) {
-		$recipients = array();
+		$recipient_items = array();
-		$users = array();
 
 		foreach ( array( 'to', 'bto', 'cc', 'bcc', 'audience' ) as $i ) {
 			if ( array_key_exists( $i, $data ) ) {
-				$recipients = array_merge( $recipients, $data[ $i ] );
+				$recipient_items = array_merge( $recipient_items, $data[ $i ] );
 			}
 
 			if ( array_key_exists( $i, $data['object'] ) ) {
-				$recipients = array_merge( $recipients, $data[ $i ] );
+				$recipient_items = array_merge( $recipient_items, $data[ $i ] );
 			}
 		}
 
-		$recipients = array_unique( $recipients );
+		$recipients = array();
+
+		// flatten array
+		foreach ( $recipient_items as $recipient ) {
+			if ( is_array( $recipient ) ) {
+				// check if recipient is an object
+				if ( array_key_exists( 'id', $recipient ) ) {
+					$recipients[] = $recipient['id'];
+				}
+			} else {
+				$recipients[] = $recipient;
+			}
+		}
+
+		return array_unique( $recipients );
+	}
+
+	/**
+	 * Get local user recipients
+	 *
+	 * @param  array $data
+	 *
+	 * @return array The list of local users
+	 */
+	public static function get_recipients( $data ) {
+		$recipients = self::extract_recipients( $data );
+		$users = array();
 
 		foreach ( $recipients as $recipient ) {
 			$user_id = \Activitypub\url_to_authorid( $recipient );
@@ -474,4 +539,16 @@ class Inbox {
 
 		return $users;
 	}
+
+	/**
+	 * Check if passed Activity is Public
+	 *
+	 * @param array $data
+	 * @return boolean
+	 */
+	public static function is_activity_public( $data ) {
+		$recipients = self::extract_recipients( $data );
+
+		return in_array( 'https://www.w3.org/ns/activitystreams#Public', $recipients, true );
+	}
 }

includes/rest/class-outbox.php

@@ -138,6 +138,9 @@ class Outbox {
 		$params['user_id'] = array(
 			'required' => true,
 			'type' => 'integer',
+			'validate_callback' => function( $param, $request, $key ) {
+				return user_can( $param, 'publish_posts' );
+			},
 		);
 
 		return $params;

includes/rest/class-webfinger.php

@@ -59,7 +59,7 @@ class Webfinger {
 
 		$user = \get_user_by( 'login', \esc_sql( $resource_identifier ) );
 
-		if ( ! $user ) {
+		if ( ! $user || ! user_can( $user, 'publish_posts' ) ) {
 			return new \WP_Error( 'activitypub_user_not_found', \__( 'User not found', 'activitypub' ), array( 'status' => 404 ) );
 		}
 

phpunit.xml.dist

@@ -7,7 +7,7 @@
 	convertWarningsToExceptions="true"
 	>
 	<testsuites>
-		<testsuite>
+		<testsuite name="ActivityPub">
 			<directory prefix="test-" suffix=".php">./tests/</directory>
 		</testsuite>
 	</testsuites>

readme.txt

@@ -4,7 +4,7 @@ Donate link: https://notiz.blog/donate/
 Tags: OStatus, fediverse, activitypub, activitystream
 Requires at least: 4.7
 Tested up to: 6.1
-Stable tag: 0.14.3
+Stable tag: 0.15.0
 Requires PHP: 5.6
 License: MIT
 License URI: http://opensource.org/licenses/MIT
@@ -88,6 +88,12 @@ Where 'blog' is the path to the subdirectory at which your blog resides.
 
 Project maintained on GitHub at [pfefferle/wordpress-activitypub](https://github.com/pfefferle/wordpress-activitypub).
 
+= 0.15.0 =
+
+* Enable ActivityPub only for users that can `publish_posts`
+* Persist only public Activities
+* Fix remote-delete
+
 = 0.14.3 =
 
 * Better error handling. props [@akirk](https://github.com/akirk)

templates/blog-json.php

@@ -38,7 +38,7 @@ $json->manuallyApprovesFollowers = \apply_filters( 'activitypub_json_manually_ap
 $json->publicKey = array(
 	'id' => \get_home_url( '/' ) . '#main-key',
 	'owner' => \get_home_url( '/' ),
-	'publicKeyPem' => \trim(),
+	'publicKeyPem' => '',
 );
 
 $json->tag = array();