From c98e370326102dac0c7c16c9b556da018b41803b Mon Sep 17 00:00:00 2001
From: Vika Shleina
Date: Wed, 21 Jul 2021 06:07:35 +0300
Subject: Fixed security hole where other people could delete YOUR posts.

Yes, yours. You're welcome.
---
src/lib.rs | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)

(limited to 'src/lib.rs')

diff --git a/src/lib.rs b/src/lib.rs
index 0ea7860..d4a63d7 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -130,6 +130,48 @@ mod tests {
 return request.send().await.unwrap();
 }
+ #[async_std::test]
+ async fn test_no_deletion_of_others_posts() {
+ let _m = mock("GET", "/")
+ .with_status(200)
+ .with_header("Content-Type", "application/json")
+ .with_body(r#"{"me": "https://fireburn.ru", "client_id": "https://quill.p3k.io/", "scope": "create update media"}"#)
+ .create();
+
+ let (db, app, _r) = create_app().await;
+
+ let mut response = post_json(
+ &app,
+ json!({
+ "type": ["h-entry"],
+ "properties": {
+ "content": ["This is content!"]
+ }
+ }),
+ )
+ .await;
+ println!(
+ "{:#}",
+ response.body_json::().await.unwrap()
+ );
+ assert!(response.status() == 201 || response.status() == 202);
+ let uid = response.header("Location").unwrap().last().to_string();
+ drop(_m);
+ let _m = mock("GET", "/")
+ .with_status(200)
+ .with_header("Content-Type", "application/json")
+ .with_body(r#"{"me": "https://aaronparecki.com/", "client_id": "https://quill.p3k.io/", "scope": "create update delete media"}"#)
+ .create();
+
+ let mut response = app.post("/micropub")
+ .header("Authorization", "Bearer awoo")
+ .header("Content-Type", "application/json")
+ .body(json!({ "action": "delete", "url": uid }))
+ .send().await.unwrap();
+ println!("{}", response.body_string().await.unwrap());
+ assert_eq!(response.status(), 403);
+ }
+
+ #[async_std::test]
+ async fn test_no_posting_to_others_websites() {
+ let _m = mock("GET", "/")
-- cgit 1.4.1
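Review bot: The new `test_no_deletion_of_others_posts` only asserts the status at its final `assert_eq!(response.status(), 403)` and never checks that the post survived, so a handler that deletes first and then rejects, or one that returns 403 for every delete, would pass it; `db` is bound in `let (db, app, _r) = create_app().await;` but never used. After the 403 assertion I would look the post up by `uid` through `db` (using whatever lookup the other tests in this module already use — I cannot see its API from the hunk) and assert it is still present, and add a companion case where the owner identity (`"me": "https://fireburn.ru"`) with `delete` scope gets a success status, so the 403 is demonstrably the ownership check rather than deletion being broken altogether. The two `println!` calls dumping the response bodies are debugging noise in a test and could be dropped. The test function is complete within the hunk; the trailing `test_no_posting_to_others_websites` lines are pre-existing context.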