Merge branch 'mergeback/2.5.3' into 'develop'

Mergeback: 2.5.3 Closes #3135 See merge request pleroma/pleroma!3927
2023-08-04 09:38:01 +00:00 · 2023-08-04 09:38:01 +00:00 · 1062185ba0
parent 819fccb7d1 6a0fd77c48
commit 1062185ba0
9 changed files with 45 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -18,6 +18,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Removed
 - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact)

+## 2.5.3
+
+### Security
+- Emoji pack loader sanitizes pack names
+- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
+
 ## 2.5.2

 ### Security
--- a/changelog.d/emoji-pack-sanitization.security
+++ b/changelog.d/emoji-pack-sanitization.security
@ -0,0 +1 @@
+Emoji pack loader sanitizes pack names
--- a/changelog.d/otp_perms.security
+++ b/changelog.d/otp_perms.security
@ -0,0 +1 @@
+- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
--- a/lib/mix/tasks/pleroma/instance.ex
+++ b/lib/mix/tasks/pleroma/instance.ex
@ -266,12 +266,20 @@ defmodule Mix.Tasks.Pleroma.Instance do
      config_dir = Path.dirname(config_path)
      psql_dir = Path.dirname(psql_path)

+      # Note: Distros requiring group read (0o750) on those directories should
+      # pre-create the directories.
      [config_dir, psql_dir, static_dir, uploads_dir]
      |> Enum.reject(&File.exists?/1)
-      |> Enum.map(&File.mkdir_p!/1)
+      |> Enum.each(fn dir ->
+        File.mkdir_p!(dir)
+        File.chmod!(dir, 0o700)
+      end)

      shell_info("Writing config to #{config_path}.")

+      # Sadly no fchmod(2) equivalent in Elixir…
+      File.touch!(config_path)
+      File.chmod!(config_path, 0o640)
      File.write(config_path, result_config)
      shell_info("Writing the postgres script to #{psql_path}.")
      File.write(psql_path, result_psql)
@ -290,8 +298,7 @@ defmodule Mix.Tasks.Pleroma.Instance do
    else
      shell_error(
        "The task would have overwritten the following files:\n" <>
-          (Enum.map(will_overwrite, &"- #{&1}\n") |> Enum.join("")) <>
-          "Rerun with `--force` to overwrite them."
+          Enum.map_join(will_overwrite, &"- #{&1}\n") <> "Rerun with `--force` to overwrite them."
      )
    end
  end
--- a/lib/pleroma/config/release_runtime_provider.ex
+++ b/lib/pleroma/config/release_runtime_provider.ex
@ -20,6 +20,20 @@ defmodule Pleroma.Config.ReleaseRuntimeProvider do

    with_runtime_config =
      if File.exists?(config_path) do
+        # <https://git.pleroma.social/pleroma/pleroma/-/issues/3135>
+        %File.Stat{mode: mode} = File.lstat!(config_path)
+
+        if Bitwise.band(mode, 0o007) > 0 do
+          raise "Configuration at #{config_path} has world-permissions, execute the following: chmod o= #{config_path}"
+        end
+
+        if Bitwise.band(mode, 0o020) > 0 do
+          raise "Configuration at #{config_path} has group-wise write permissions, execute the following: chmod g-w #{config_path}"
+        end
+
+        # Note: Elixir doesn't provides a getuid(2)
+        # so cannot forbid group-read only when config is owned by us
+
        runtime_config = Config.Reader.read!(config_path)

        with_defaults
--- a/lib/pleroma/emoji/pack.ex
+++ b/lib/pleroma/emoji/pack.ex
@ -285,6 +285,7 @@ defmodule Pleroma.Emoji.Pack do

  @spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
  def load_pack(name) do
+    name = Path.basename(name)
    pack_file = Path.join([emoji_path(), name, "pack.json"])

    with {:ok, _} <- File.stat(pack_file),
--- a/mix.exs
+++ b/mix.exs
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
  def project do
    [
      app: :pleroma,
-      version: version("2.5.52"),
+      version: version("2.5.53"),
      elixir: "~> 1.11",
      elixirc_paths: elixirc_paths(Mix.env()),
      compilers: [:phoenix] ++ Mix.compilers(),
--- a/test/pleroma/config/release_runtime_provider_test.exs
+++ b/test/pleroma/config/release_runtime_provider_test.exs
@ -17,6 +17,8 @@ defmodule Pleroma.Config.ReleaseRuntimeProviderTest do
    end

    test "merged runtime config" do
+      assert :ok == File.chmod!("test/fixtures/config/temp.secret.exs", 0o640)
+
      merged =
        ReleaseRuntimeProvider.load([], config_path: "test/fixtures/config/temp.secret.exs")

@ -25,6 +27,8 @@ defmodule Pleroma.Config.ReleaseRuntimeProviderTest do
    end

    test "merged exported config" do
+      assert :ok == File.chmod!("test/fixtures/config/temp.exported_from_db.secret.exs", 0o640)
+
      ExUnit.CaptureIO.capture_io(fn ->
        merged =
          ReleaseRuntimeProvider.load([],
@ -37,6 +41,9 @@ defmodule Pleroma.Config.ReleaseRuntimeProviderTest do
    end

    test "runtime config is merged with exported config" do
+      assert :ok == File.chmod!("test/fixtures/config/temp.secret.exs", 0o640)
+      assert :ok == File.chmod!("test/fixtures/config/temp.exported_from_db.secret.exs", 0o640)
+
      merged =
        ReleaseRuntimeProvider.load([],
          config_path: "test/fixtures/config/temp.secret.exs",
--- a/test/pleroma/emoji/pack_test.exs
+++ b/test/pleroma/emoji/pack_test.exs
@ -90,4 +90,8 @@ defmodule Pleroma.Emoji.PackTest do

    assert updated_pack.files_count == 1
  end
+
+  test "load_pack/1 ignores path traversal in a forged pack name", %{pack: pack} do
+    assert {:ok, ^pack} = Pack.load_pack("../../../../../dump_pack")
+  end
 end
				`@ -0,0 +1 @@`
				`- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories`