Add mix task to detect uploaded spoof payloads
This commit is contained in:
parent
31f90bbb52
commit
d441101200
2 changed files with 241 additions and 0 deletions
32
docs/docs/administration/CLI_tasks/security.md
Normal file
32
docs/docs/administration/CLI_tasks/security.md
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
# Security-related tasks
|
||||||
|
|
||||||
|
{! administration/CLI_tasks/general_cli_task_info.include !}
|
||||||
|
|
||||||
|
!!! danger
|
||||||
|
Many of these tasks were written in response to a patched exploit.
|
||||||
|
It is recommended to run those very soon after installing its respective security update.
|
||||||
|
Over time with db migrations they might become less accurate or be removed altogether.
|
||||||
|
If you never ran an affected version, there’s no point in running them.
|
||||||
|
|
||||||
|
## Spoofed AcitivityPub objects exploit (2024-03, fixed in 3.11.1)
|
||||||
|
|
||||||
|
### Search for uploaded spoofing payloads
|
||||||
|
|
||||||
|
Scans local uploads for spoofing payloads.
|
||||||
|
If the instance is not using the local uploader it was not affected.
|
||||||
|
Attachments wil be scanned anyway in case local uploader was used in the past.
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
This cannot reliably detect payloads attached to deleted posts.
|
||||||
|
|
||||||
|
=== "OTP"
|
||||||
|
|
||||||
|
```sh
|
||||||
|
./bin/pleroma_ctl security spoof-uploaded
|
||||||
|
```
|
||||||
|
|
||||||
|
=== "From Source"
|
||||||
|
|
||||||
|
```sh
|
||||||
|
mix pleroma.security spoof-uploaded
|
||||||
|
```
|
209
lib/mix/tasks/pleroma/security.ex
Normal file
209
lib/mix/tasks/pleroma/security.ex
Normal file
|
@ -0,0 +1,209 @@
|
||||||
|
# Akkoma: Magically expressive social media
|
||||||
|
# Copyright © 2024 Akkoma Authors <https://akkoma.dev/>
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
|
||||||
|
defmodule Mix.Tasks.Pleroma.Security do
|
||||||
|
use Mix.Task
|
||||||
|
import Mix.Pleroma
|
||||||
|
|
||||||
|
alias Pleroma.Config
|
||||||
|
|
||||||
|
require Logger
|
||||||
|
|
||||||
|
@shortdoc """
|
||||||
|
Security-related tasks, like e.g. checking for signs past exploits were abused.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Constants etc
|
||||||
|
defp local_id_prefix(), do: Pleroma.Web.Endpoint.url() <> "/"
|
||||||
|
|
||||||
|
defp local_id_pattern(), do: local_id_prefix() <> "%"
|
||||||
|
|
||||||
|
@activity_exts ["activity+json", "activity%2Bjson"]
|
||||||
|
|
||||||
|
defp activity_ext_url_patterns() do
|
||||||
|
for e <- @activity_exts do
|
||||||
|
for suf <- ["", "?%"] do
|
||||||
|
# Escape literal % for use in SQL patterns
|
||||||
|
ee = String.replace(e, "%", "\\%")
|
||||||
|
"%.#{ee}#{suf}"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|> List.flatten()
|
||||||
|
end
|
||||||
|
|
||||||
|
# Search for malicious uploads exploiting the lack of Content-Type sanitisation from before 2024-03
|
||||||
|
def run(["spoof-uploaded"]) do
|
||||||
|
Logger.put_process_level(self(), :notice)
|
||||||
|
start_pleroma()
|
||||||
|
|
||||||
|
IO.puts("""
|
||||||
|
+------------------------+
|
||||||
|
| SPOOF SEARCH UPLOADS |
|
||||||
|
+------------------------+
|
||||||
|
Checking if any uploads are using privileged types.
|
||||||
|
NOTE if attachment deletion is enabled, payloads used
|
||||||
|
in the past may no longer exist.
|
||||||
|
""")
|
||||||
|
|
||||||
|
do_spoof_uploaded()
|
||||||
|
end
|
||||||
|
|
||||||
|
# +-----------------------------+
|
||||||
|
# | S P O O F - U P L O A D E D |
|
||||||
|
# +-----------------------------+
|
||||||
|
defp do_spoof_uploaded() do
|
||||||
|
files =
|
||||||
|
case Config.get!([Pleroma.Upload, :uploader]) do
|
||||||
|
Pleroma.Uploaders.Local ->
|
||||||
|
uploads_search_spoofs_local_dir(Config.get!([Pleroma.Uploaders.Local, :uploads]))
|
||||||
|
|
||||||
|
_ ->
|
||||||
|
IO.puts("""
|
||||||
|
NOTE:
|
||||||
|
Not using local uploader; thus not affected by this exploit.
|
||||||
|
It's impossible to check for files, but in case local uploader was used before
|
||||||
|
or to check if anyone futilely attempted a spoof, notes will still be scanned.
|
||||||
|
""")
|
||||||
|
|
||||||
|
[]
|
||||||
|
end
|
||||||
|
|
||||||
|
emoji = uploads_search_spoofs_local_dir(Config.get!([:instance, :static_dir]))
|
||||||
|
|
||||||
|
post_attachs = uploads_search_spoofs_notes()
|
||||||
|
|
||||||
|
not_orphaned_urls =
|
||||||
|
post_attachs
|
||||||
|
|> Enum.map(fn {_u, _a, url} -> url end)
|
||||||
|
|> MapSet.new()
|
||||||
|
|
||||||
|
orphaned_attachs = upload_search_orphaned_attachments(not_orphaned_urls)
|
||||||
|
|
||||||
|
IO.puts("\nSearch concluded; here are the results:")
|
||||||
|
pretty_print_list_with_title(emoji, "Emoji")
|
||||||
|
pretty_print_list_with_title(files, "Uploaded Files")
|
||||||
|
pretty_print_list_with_title(post_attachs, "(Not Deleted) Post Attachments")
|
||||||
|
pretty_print_list_with_title(orphaned_attachs, "Orphaned Uploads")
|
||||||
|
|
||||||
|
IO.puts("""
|
||||||
|
In total found
|
||||||
|
#{length(emoji)} emoji
|
||||||
|
#{length(files)} uploads
|
||||||
|
#{length(post_attachs)} not deleted posts
|
||||||
|
#{length(orphaned_attachs)} orphaned attachments
|
||||||
|
""")
|
||||||
|
end
|
||||||
|
|
||||||
|
defp uploads_search_spoofs_local_dir(dir) do
|
||||||
|
local_dir = String.replace_suffix(dir, "/", "")
|
||||||
|
|
||||||
|
IO.puts("Searching for suspicious files in #{local_dir}...")
|
||||||
|
|
||||||
|
glob_ext = "{" <> Enum.join(@activity_exts, ",") <> "}"
|
||||||
|
|
||||||
|
Path.wildcard(local_dir <> "/**/*." <> glob_ext, match_dot: true)
|
||||||
|
|> Enum.map(fn path ->
|
||||||
|
String.replace_prefix(path, local_dir <> "/", "")
|
||||||
|
end)
|
||||||
|
|> Enum.sort()
|
||||||
|
end
|
||||||
|
|
||||||
|
defp uploads_search_spoofs_notes() do
|
||||||
|
IO.puts("Now querying DB for posts with spoofing attachments. This might take a while...")
|
||||||
|
|
||||||
|
patterns = [local_id_pattern() | activity_ext_url_patterns()]
|
||||||
|
|
||||||
|
# if jsonb_array_elemsts in FROM can be used with normal Ecto functions, idk how
|
||||||
|
"""
|
||||||
|
SELECT DISTINCT a.data->>'actor', a.id, url->>'href'
|
||||||
|
FROM public.objects AS o JOIN public.activities AS a
|
||||||
|
ON o.data->>'id' = a.data->>'object',
|
||||||
|
jsonb_array_elements(o.data->'attachment') AS attachs,
|
||||||
|
jsonb_array_elements(attachs->'url') AS url
|
||||||
|
WHERE o.data->>'type' = 'Note' AND
|
||||||
|
o.data->>'id' LIKE $1::text AND (
|
||||||
|
url->>'href' LIKE $2::text OR
|
||||||
|
url->>'href' LIKE $3::text OR
|
||||||
|
url->>'href' LIKE $4::text OR
|
||||||
|
url->>'href' LIKE $5::text
|
||||||
|
)
|
||||||
|
ORDER BY a.data->>'actor', a.id, url->>'href';
|
||||||
|
"""
|
||||||
|
|> Pleroma.Repo.query!(patterns, timeout: :infinity)
|
||||||
|
|> map_raw_id_apid_tuple()
|
||||||
|
end
|
||||||
|
|
||||||
|
defp upload_search_orphaned_attachments(not_orphaned_urls) do
|
||||||
|
IO.puts("""
|
||||||
|
Now querying DB for orphaned spoofing attachment (i.e. their post was deleted,
|
||||||
|
but if :cleanup_attachments was not enabled traces remain in the database)
|
||||||
|
This might take a bit...
|
||||||
|
""")
|
||||||
|
|
||||||
|
patterns = activity_ext_url_patterns()
|
||||||
|
|
||||||
|
"""
|
||||||
|
SELECT DISTINCT attach.id, url->>'href'
|
||||||
|
FROM public.objects AS attach,
|
||||||
|
jsonb_array_elements(attach.data->'url') AS url
|
||||||
|
WHERE (attach.data->>'type' = 'Image' OR
|
||||||
|
attach.data->>'type' = 'Document')
|
||||||
|
AND (
|
||||||
|
url->>'href' LIKE $1::text OR
|
||||||
|
url->>'href' LIKE $2::text OR
|
||||||
|
url->>'href' LIKE $3::text OR
|
||||||
|
url->>'href' LIKE $4::text
|
||||||
|
)
|
||||||
|
ORDER BY attach.id, url->>'href';
|
||||||
|
"""
|
||||||
|
|> Pleroma.Repo.query!(patterns, timeout: :infinity)
|
||||||
|
|> then(fn res -> Enum.map(res.rows, fn [id, url] -> {id, url} end) end)
|
||||||
|
|> Enum.filter(fn {_, url} -> !(url in not_orphaned_urls) end)
|
||||||
|
end
|
||||||
|
|
||||||
|
# +-----------------------------------+
|
||||||
|
# | module-specific utility functions |
|
||||||
|
# +-----------------------------------+
|
||||||
|
defp pretty_print_list_with_title(list, title) do
|
||||||
|
title_len = String.length(title)
|
||||||
|
title_underline = String.duplicate("=", title_len)
|
||||||
|
IO.puts(title)
|
||||||
|
IO.puts(title_underline)
|
||||||
|
pretty_print_list(list)
|
||||||
|
end
|
||||||
|
|
||||||
|
defp pretty_print_list([]), do: IO.puts("")
|
||||||
|
|
||||||
|
defp pretty_print_list([{a, o} | rest])
|
||||||
|
when (is_binary(a) or is_number(a)) and is_binary(o) do
|
||||||
|
IO.puts(" {#{a}, #{o}}")
|
||||||
|
pretty_print_list(rest)
|
||||||
|
end
|
||||||
|
|
||||||
|
defp pretty_print_list([{u, a, o} | rest])
|
||||||
|
when is_binary(a) and is_binary(u) and is_binary(o) do
|
||||||
|
IO.puts(" {#{u}, #{a}, #{o}}")
|
||||||
|
pretty_print_list(rest)
|
||||||
|
end
|
||||||
|
|
||||||
|
defp pretty_print_list([e | rest]) when is_binary(e) do
|
||||||
|
IO.puts(" #{e}")
|
||||||
|
pretty_print_list(rest)
|
||||||
|
end
|
||||||
|
|
||||||
|
defp pretty_print_list([e | rest]), do: pretty_print_list([inspect(e) | rest])
|
||||||
|
|
||||||
|
defp map_raw_id_apid_tuple(res) do
|
||||||
|
user_prefix = local_id_prefix() <> "users/"
|
||||||
|
|
||||||
|
Enum.map(res.rows, fn
|
||||||
|
[uid, aid, oid] ->
|
||||||
|
{
|
||||||
|
String.replace_prefix(uid, user_prefix, ""),
|
||||||
|
FlakeId.to_string(aid),
|
||||||
|
oid
|
||||||
|
}
|
||||||
|
end)
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in a new issue