Verify that Converse is not susceptible to CVE-2015-8688
https://gultsch.de/gajim_roster_push_and_message_interception.html
This commit is contained in:
parent
c6f3da5887
commit
37d052ad9e
@ -29,6 +29,47 @@
describe("The Contacts Roster", function () {
describe("The Contacts Roster", function () {
it("verifies the origin of roster pushes",
mock.initConverse(
null, ['rosterGroupsFetched', 'chatBoxesFetched'], {},
async function (done, _converse) {
// See: https://gultsch.de/gajim_roster_push_and_message_interception.html
const contact_jid = mock.cur_names[0].replace(/ /g,'.').toLowerCase() + '@montague.lit';
await test_utils.waitForRoster(_converse, 'current', 1);
expect(_converse.roster.models.length).toBe(1);
expect(_converse.roster.at(0).get('jid')).toBe(contact_jid);
spyOn(_converse, 'log');
let roster_push = u.toStanza(`
<iq type="set" to="${_converse.jid}" from="eve@siacs.eu">
<query xmlns='jabber:iq:roster'>
<item subscription="remove" jid="${contact_jid}"/>
</query>
</iq>`);
_converse.connection._dataRecv(test_utils.createRequest(roster_push));
expect(_converse.log.calls.count()).toBe(2);
expect(_converse.log).toHaveBeenCalledWith(
`Ignoring roster illegitimate roster push message from ${roster_push.getAttribute('from')}`,
Strophe.LogLevel.WARN
);
roster_push = u.toStanza(`
<iq type="set" to="${_converse.jid}" from="eve@siacs.eu">
<query xmlns='jabber:iq:roster'>
<item subscription="both" jid="eve@siacs.eu" name="${mock.cur_names[0]}" />
</query>
</iq>`);
_converse.connection._dataRecv(test_utils.createRequest(roster_push));
expect(_converse.log.calls.count()).toBe(4);
expect(_converse.log).toHaveBeenCalledWith(
`Ignoring roster illegitimate roster push message from ${roster_push.getAttribute('from')}`,
Strophe.LogLevel.WARN
);
expect(_converse.roster.models.length).toBe(1);
expect(_converse.roster.at(0).get('jid')).toBe(contact_jid);
done();
}));
it("is populated once we have registered a presence handler",
it("is populated once we have registered a presence handler",
mock.initConverse(
mock.initConverse(
null, ['rosterGroupsFetched'], {},
null, ['rosterGroupsFetched'], {},
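Review bot: Both negative cases in the new spec use a completely foreign JID (`eve@siacs.eu`), so the test would still pass if the guard compared only bare JIDs and let a push from the user's own full JID (`user@domain/resource`) through; RFC 6121 §2.1.6, which the commit cites, says a client MUST ignore a roster push unless it has no `from` or its `from` equals the user's bare JID exactly. I would add a third push whose `from` is the user's own full JID with a resource, expecting the same warning, and one positive push with no `from` attribute, expecting the roster to change, so the accepted path is pinned as well as the rejected one (the exact shape of the positive assertion depends on what the mock roster does with a `subscription="both"` item, which I cannot see here). The assertions that `_converse.log.calls.count()` is exactly 2 and then 4 couple the test to whatever else the handler happens to log; relying on `toHaveBeenCalledWith` alone, or asserting on the delta around each `_dataRecv`, would be less brittle. The enclosing `describe("The Contacts Roster", …)` block starts and ends outside the hunk.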
@ -594,6 +594,10 @@ converse.plugins.add('converse-roster', {
// attribute (i.e., implicitly from the bare JID of the user's
// attribute (i.e., implicitly from the bare JID of the user's
// account) or it has a 'from' attribute whose value matches the
// account) or it has a 'from' attribute whose value matches the
// user's bare JID <user@domainpart>.
// user's bare JID <user@domainpart>.
_converse.log(
`Ignoring roster illegitimate roster push message from ${iq.getAttribute('from')}`,
Strophe.LogLevel.WARN
);
return;
return;
}
}
_converse.api.send($iq({type: 'result', id, from: _converse.connection.jid}));
_converse.api.send($iq({type: 'result', id, from: _converse.connection.jid}));
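Review bot: The comparison that decides whether the push is legitimate sits above this hunk, so only the rejection branch is visible here; by the rule quoted in the comment (RFC 6121 §2.1.6) the `from` has to be compared as an exact string against the user's bare JID, without bare-JID-normalising it first, otherwise a push carrying the user's own full JID (`user@domain/resource`) would be accepted although the RFC says it MUST be ignored — worth confirming against the condition above. The warning text has a doubled word: `Ignoring roster illegitimate roster push message from …`; I would change it to `` `Ignoring illegitimate roster push from ${iq.getAttribute('from')}` `` and update the matching expectation in the spec. Returning before the `$iq({type: 'result', …})` send is the right call, since a rejected push should not be acknowledged. The enclosing IQ handler starts outside the hunk.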
@ -263,7 +263,7 @@
_converse.api.user.logout();
_converse.api.user.logout();
done();
done();
}
}
await Promise.all(promise_names.map(_converse.api.waitUntil));
await Promise.all((promise_names || []).map(_converse.api.waitUntil));
func(_done, _converse).catch(e => { fail(e); _done(); });
func(_done, _converse).catch(e => { fail(e); _done(); });
}
}
};
};