Never automatically assign privileged content types

By mapping all extensions related to our custom privileged types back to innocuous text/plain, our custom types will never automatically be inserted which was one of the factors making impersonation possible. Note, this does not invalidate the upload and emoji Content-Type restrictions from previous commits. Apart from counterfeit AP objects there are other payloads with standard types this protects against, e.g. *.js Javascript payloads as used in prior frontend injections.
2024-03-07 01:02:32 -01:00 · 2024-03-07 01:02:32 -01:00 · bcc528b2e2
parent e88d0a2853
commit bcc528b2e2
1 changed files with 18 additions and 1 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -149,6 +149,19 @@ config :logger, :ex_syslogger,
  format: "$metadata[$level] $message",
  metadata: [:request_id]

+# ———————————————————————————————————————————————————————————————
+#                       W  A  R  N  I  N  G
+# ———————————————————————————————————————————————————————————————
+#
+#  Whenever adding a privileged new custom type for e.g.
+#  ActivityPub objects, ALWAYS map their extension back
+#  to "application/octet-stream".
+#  Else files served by us can automatically end up with
+#  those privileged types causing severe security hazards.
+#  (We need those mappings so Phoenix can assoiate its format
+#   (the "extension") to incoming requests of those MIME types)
+#
+# ———————————————————————————————————————————————————————————————
 config :mime, :types, %{
  "application/xml" => ["xml"],
  "application/xrd+xml" => ["xrd+xml"],
@ -158,9 +171,13 @@ config :mime, :types, %{
 }

 config :mime, :extensions, %{
-  "activity+json" => "application/activity+json"
+  "xrd+xml" => "text/plain",
+  "jrd+json" => "text/plain",
+  "activity+json" => "text/plain"
 }

+# ———————————————————————————————————————————————————————————————
+
 config :tesla, :adapter, {Tesla.Adapter.Finch, name: MyFinch}

 # Configures http settings, upstream proxy etc.