From 6302b407916fb75db3d728176eb5da605dfc8349 Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Tue, 28 Jan 2020 18:04:13 +0400 Subject: [PATCH 1/4] Warn if HTTPSecurityPlug is disabled --- lib/pleroma/application.ex | 1 + lib/pleroma/plugs/http_security_plug.ex | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/lib/pleroma/application.ex b/lib/pleroma/application.ex index e17068876..2c8889ce5 100644 --- a/lib/pleroma/application.ex +++ b/lib/pleroma/application.ex @@ -33,6 +33,7 @@ defmodule Pleroma.Application do def start(_type, _args) do Pleroma.HTML.compile_scrubbers() Pleroma.Config.DeprecationWarnings.warn() + Pleroma.Plugs.HTTPSecurityPlug.warn_if_disabled() Pleroma.Repo.check_migrations_applied!() setup_instrumenters() load_custom_modules() diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index a7cc22831..8bc324f48 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -6,6 +6,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do alias Pleroma.Config import Plug.Conn + require Logger + def init(opts), do: opts def call(conn, _options) do @@ -90,6 +92,15 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do |> Enum.join("; ") end + def warn_if_disabled do + unless Config.get([:http_security, :enabled]) do + Logger.warn("HTTP Security is disabled. Add this line to you config to enable it: + + config :pleroma, :http_security, enabled: true + ") + end + end + defp maybe_send_sts_header(conn, true) do max_age_sts = Config.get([:http_security, :sts_max_age]) max_age_ct = Config.get([:http_security, :ct_max_age]) From 2bd4d6289bdc01dec69756c5e1ebca551fe3a6e7 Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Wed, 29 Jan 2020 18:43:23 +0400 Subject: [PATCH 2/4] Make the warning more scarier --- lib/pleroma/plugs/http_security_plug.ex | 38 ++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index 8bc324f48..0ba412699 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -94,7 +94,43 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do def warn_if_disabled do unless Config.get([:http_security, :enabled]) do - Logger.warn("HTTP Security is disabled. Add this line to you config to enable it: + Logger.warn(" + .i;;;;i. + iYcviii;vXY: + .YXi .i1c. + .YC. . in7. + .vc. ...... ;1c. + i7, .. .;1; + i7, .. ... .Y1i + ,7v .6MMM@; .YX, + .7;. ..IMMMMMM1 :t7. + .;Y. ;$MMMMMM9. :tc. + vY. .. .nMMM@MMU. ;1v. + i7i ... .#MM@M@C. .....:71i + it: .... $MMM@9;.,i;;;i,;tti + :t7. ..... 0MMMWv.,iii:::,,;St. + .nC. ..... IMMMQ..,::::::,.,czX. + .ct: ....... .ZMMMI..,:::::::,,:76Y. + c2: ......,i..Y$M@t..:::::::,,..inZY + vov ......:ii..c$MBc..,,,,,,,,,,..iI9i + i9Y ......iii:..7@MA,..,,,,,,,,,....;AA: + iIS. ......:ii::..;@MI....,............;Ez. + .I9. ......:i::::...8M1..................C0z. + .z9; ......:i::::,.. .i:...................zWX. + vbv ......,i::::,,. ................. :AQY + c6Y. .,...,::::,,..:t0@@QY. ................ :8bi + :6S. ..,,...,:::,,,..EMMMMMMI. ............... .;bZ, + :6o, .,,,,..:::,,,..i#MMMMMM#v................. YW2. + .n8i ..,,,,,,,::,,,,.. tMMMMM@C:.................. .1Wn + 7Uc. .:::,,,,,::,,,,.. i1t;,..................... .UEi + 7C...::::::::::::,,,,.. .................... vSi. + ;1;...,,::::::,......... .................. Yz: + v97,......... .voC. + izAotX7777777777777777777777777777777777777777Y7n92: + .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov. + + +HTTP Security is disabled. Add this line to your config to enable it: config :pleroma, :http_security, enabled: true ") From e07e7888d7b15d79fad98037e9830a618b93ae9b Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Wed, 29 Jan 2020 18:53:43 +0400 Subject: [PATCH 3/4] Fix credo warning --- lib/pleroma/plugs/http_security_plug.ex | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index 0ba412699..e4939efe5 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -129,7 +129,6 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do izAotX7777777777777777777777777777777777777777Y7n92: .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov. - HTTP Security is disabled. Add this line to your config to enable it: config :pleroma, :http_security, enabled: true From 36becd55733fa3fdf046e24d7bd7fdd516fdd4fc Mon Sep 17 00:00:00 2001 From: feld Date: Thu, 30 Jan 2020 14:07:41 +0000 Subject: [PATCH 4/4] Update http_security_plug.ex --- lib/pleroma/plugs/http_security_plug.ex | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index e4939efe5..b04273979 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -129,7 +129,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do izAotX7777777777777777777777777777777777777777Y7n92: .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov. -HTTP Security is disabled. Add this line to your config to enable it: +HTTP Security is disabled. Please re-enable it to prevent users from attacking +your instance and your users via malicious posts: config :pleroma, :http_security, enabled: true ")