Add default config whitelist

This commit is contained in:
FloatingGhost 2023-08-14 20:26:14 +01:00
parent 6cb40bee26
commit 6fb47b2806
4 changed files with 136 additions and 9 deletions

View file

@ -453,10 +453,6 @@
image_quality: 85,
min_content_length: 100 * 1024
config :pleroma, :shout,
enabled: true,
limit: 5_000
config :phoenix, :format_encoders, json: Jason, "activity+json": Jason
config :phoenix, :json_library, Jason
@ -796,6 +792,13 @@
config :pleroma, :modules, runtime_dir: "instance/modules"
config :pleroma, configurable_from_database: false
# Don't allow arbitrary module config here, you can only
# adjust our own config.
config :pleroma,
database_config_whitelist: [
{:pleroma},
{:logger}
]
config :pleroma, Pleroma.Repo,
parameters: [gin_fuzzy_search_limit: "500"],

View file

@ -375,6 +375,11 @@ This section describe PWA manifest instance-specific values. Currently this opti
#### Pleroma.Web.MediaProxy.Invalidation.Script
!!! warning
Invalidation script options cannot be set in the database due to the ability to
set the command options to arbitrary paths. The following options **MUST** be
set in your `.exs` file instead.
This strategy allow perform external shell script to purge cache.
Urls of attachments are passed to the script as arguments.
@ -1148,6 +1153,11 @@ Translations are available at `/api/v1/statuses/:id/translations/:language`, whe
### `:argos_translate`
!!! warning
Argos Translate options cannot be set in the database due to the ability to
set the command options to arbitrary paths. The following options **MUST** be
set in your `.exs` file instead.
- `:command_argos_translate` - command for `argos-translate`. Can be the command if it's in your PATH, or the full path to the file (default: `argos-translate`).
- `:command_argospm` - command for `argospm`. Can be the command if it's in your PATH, or the full path to the file (default: `argospm`).
- `:strip_html` - Strip html from the post before translating it (default: `true`).

View file

@ -9,6 +9,14 @@ defmodule Pleroma.Web.AdminAPI.ConfigController do
alias Pleroma.ConfigDB
alias Pleroma.Web.Plugs.OAuthScopesPlug
@banned_in_db [
# this would make no sense if you could change it in the db
{:pleroma, :database_config_whitelist},
# called with System.cmd
{:pleroma, Pleroma.Web.MediaProxy.Invalidation.Script},
{:pleroma, :argos_translate}
]
plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(OAuthScopesPlug, %{scopes: ["admin:write"]} when action == :update)
@ -175,17 +183,18 @@ defp configurable_from_database do
end
defp whitelisted_config?(group, key) do
if whitelisted_configs = Config.get(:database_config_whitelist) do
Enum.any?(whitelisted_configs, fn
whitelisted =
:database_config_whitelist
|> Config.get([{:pleroma}])
|> Enum.any?(fn
{whitelisted_group} ->
group == inspect(whitelisted_group)
{whitelisted_group, whitelisted_key} ->
group == inspect(whitelisted_group) && key == inspect(whitelisted_key)
end)
else
true
end
whitelisted && !disallowed_config?(group, key)
end
defp whitelisted_config?(%{group: group, key: key}) do
@ -195,4 +204,14 @@ defp whitelisted_config?(%{group: group, key: key}) do
defp whitelisted_config?(%{group: group} = config) do
whitelisted_config?(group, config[:key])
end
defp disallowed_config?(group, key) do
Enum.any?(@banned_in_db, fn
{disallowed_group} ->
group == inspect(disallowed_group)
{disallowed_group, disallowed_key} ->
group == inspect(disallowed_group) && key == inspect(disallowed_key)
end)
end
end

View file

@ -0,0 +1,95 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.AdminAPI.ConfigControllerTest do
use Pleroma.Web.ConnCase, async: false
import Pleroma.Factory
setup_all do
Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end)
:ok
end
setup do
clear_config(:configurable_from_database, true)
admin = insert(:user, is_admin: true)
token = insert(:oauth_admin_token, user: admin)
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, token)
|> put_req_header("content-type", "application/json")
{:ok, %{admin: admin, token: token, conn: conn}}
end
describe "POST /api/v1/pleroma/admin/config" do
test "Refuses to update non-whitelisted config options", %{conn: conn} do
banned_config = %{
configs: [
%{
group: ":mogrify",
key: ":mogrify_command",
value: [
%{tuple: [":path", "sh"]},
%{tuple: [":args", ["-c", "echo pwnd > /tmp/a"]]}
]
}
]
}
clear_config([:database_config_whitelist], [{:pleroma}])
resp_that_should_not_work =
conn
|> post(~p"/api/v1/pleroma/admin/config", banned_config)
|> json_response_and_validate_schema(200)
assert Enum.empty?(resp_that_should_not_work["configs"])
clear_config([:database_config_whitelist], [{:mogrify}])
resp_that_should_work =
conn
|> post(~p"/api/v1/pleroma/admin/config", banned_config)
|> json_response_and_validate_schema(200)
refute Enum.empty?(resp_that_should_work["configs"])
end
test "Refuses to update strictly disallowed options", %{conn: conn} do
banned_config = %{
configs: [
%{
group: ":pleroma",
key: ":database_config_whitelist",
value: [":pleroma"]
},
%{
group: ":pleroma",
key: ":argos_translate",
value: [
%{tuple: [":command_argospm", "/opt/oepsiewoepsie"]}
]
},
%{
group: ":pleroma",
key: "Pleroma.Web.MediaProxy.Invalidation.Script",
value: "wowee"
}
]
}
resp_that_should_not_work =
conn
|> post(~p"/api/v1/pleroma/admin/config", banned_config)
|> json_response_and_validate_schema(200)
assert Enum.empty?(resp_that_should_not_work["configs"])
end
end
end