Commit Graph

399 Commits

Author SHA1 Message Date
FloatingGhost 61621ebdbc Add tests for extra warnings about media subdomains 2024-04-02 10:54:53 +01:00
Oneric f7c9793542 Sanitise Content-Type of uploads
The lack thereof enables spoofing ActivityPub objects.

A malicious user could upload fake activities as attachments
and (if having access to remote search) trick local and remote
fedi instances into fetching and processing it as a valid object.

If uploads are hosted on the same domain as the instance itself,
it is possible for anyone with upload access to impersonate(!)
other users of the same instance.
If uploads are exclusively hosted on a different domain, even the most
basic check of domain of the object id and fetch url matching should
prevent impersonation. However, it may still be possible to trick
servers into accepting bogus users on the upload (sub)domain and bogus
notes attributed to such users.
Instances which later migrated to a different domain and have a
permissive redirect rule in place can still be vulnerable.
If — like Akkoma — the fetching server is overly permissive with
redirects, impersonation still works.

This was possible because Plug.Static also uses our custom
MIME type mappings used for actually authentic AP objects.

Provided external storage providers don’t somehow return ActivityStream
Content-Types on their own, instances using those are also safe against
their users being spoofed via uploads.

Akkoma instances using the OnlyMedia upload filter
cannot be exploited as a vector in this way — IF the
fetching server validates the Content-Type of
fetched objects (Akkoma itself does this already).

However, restricting uploads to only multimedia files may be a bit too
heavy-handed. Instead this commit will restrict the returned
Content-Type headers for user uploaded files to a safe subset, falling
back to generic 'application/octet-stream' for anything else.
This will also protect against non-AP payloads as e.g. used in
past frontend code injection attacks.

It’s a slight regression in user comfort, if say PDFs are uploaded,
but this trade-off seems fairly acceptable.

(Note, just excluding our own custom types would offer no protection
 against non-AP payloads and bear a (perhaps small) risk of a silent
 regression should MIME ever decide to add a canonical extension for
 ActivityPub objects)

Now, one might expect there to be other defence mechanisms
besides Content-Type preventing counterfeits from being accepted,
like e.g. validation of the queried URL and AP ID matching.
Inserting a self-reference into our uploads is hard, but unfortunately
*oma does not verify the id in such a way and happily accepts _anything_
from the same domain (without even considering redirects).
E.g. Sharkey (and possibly other *keys) seem to attempt to guard
against this by immediately refetching the object from its ID, but
this is easily circumvented by just uploading two payloads with the
ID of one linking to the other.

Unfortunately *oma is thus _both_ a vector for spoofing and
vulnerable to those spoof payloads, resulting in an easy way
to impersonate our users.

Similar flaws exists for emoji and media proxy.

Subsequent commits will fix this by rigorously sanitising
content types in more areas, hardening our checks, improving
the default config and discouraging insecure config options.
2024-03-18 22:33:10 -01:00
FloatingGhost 98cb255d12 Support elixir1.15
ci/woodpecker/push/build-amd64 Pipeline is pending Details
ci/woodpecker/push/build-arm64 Pipeline is pending Details
ci/woodpecker/push/docs Pipeline is pending Details
ci/woodpecker/push/test Pipeline is pending Details
ci/woodpecker/pr/test Pipeline failed Details
ci/woodpecker/pr/build-amd64 unknown status Details
ci/woodpecker/pr/build-arm64 unknown status Details
ci/woodpecker/pr/docs unknown status Details
OTP builds to 1.15

Changelog entry

Ensure policies are fully loaded

Fix :warn

use main branch for linkify

Fix warn in tests

Migrations for phoenix 1.17

Revert "Migrations for phoenix 1.17"

This reverts commit 6a3b2f15b7.

Oban upgrade

Add default empty whitelist

mix format

limit test to amd64

OTP 26 tests for 1.15

use OTP_VERSION tag

baka

just 1.15

Massive deps update

Update locale, deps

Mix format

shell????

multiline???

?

max cases 1

use assert_recieve

don't put_env in async tests

don't async conn/fs tests

mix format

FIx some uploader issues

Fix tests
2023-08-03 17:44:09 +01:00
XxXCertifiedForkliftDriverXxX 07b478dc49 Implement blocklists for MediaProxy
ci/woodpecker/pr/woodpecker Pipeline is pending Details
2023-06-26 15:18:31 +02:00
FloatingGhost 522221f7fb Mix format 2023-04-14 17:56:34 +01:00
FloatingGhost 4c9c959bb3 Merge branch 'develop' into frontend-switcher-9000 2023-04-14 16:56:10 +01:00
FloatingGhost de64c6c54a add selection UI 2023-03-28 12:44:52 +01:00
FloatingGhost f94e8a3713 add bubble visibility to description
ci/woodpecker/push/woodpecker Pipeline failed Details
2023-03-18 20:49:43 +00:00
FloatingGhost dd44387f1a Add timeline visibility options 2023-03-17 15:33:28 +00:00
flisk 292f0444d0 update healthcheck route in locale string
ci/woodpecker/pr/woodpecker Pipeline is pending Details
2023-02-18 14:59:46 +01:00
FloatingGhost 07ccfafd92 Mix format
ci/woodpecker/push/woodpecker Pipeline was successful Details
2022-12-19 13:07:29 +00:00
ilja c092fc9fd6 Add translation module for Argos Translate (#351)
ci/woodpecker/push/woodpecker Pipeline is pending Details
Argos Translate is a Python module for translation and can be used as a command line tool.

This is also the engine for LibreTranslate, for which we already have a module.
Here we can use the engine directly from our server without doing requests to a third party or having to install our own LibreTranslate webservice (obviously you do have to install Argos Translate).

One thing that's currently still missing from Argos Translate is auto-detection of languages (see <https://github.com/argosopentech/argos-translate/issues/9>). For now, when no source language is provided, we just return the text unchanged, supposedly translated from the target language. That way you get a near immediate response in pleroma-fe when clicking Translate, after which you can select the source language from a dropdown.

Argos Translate also doesn't seem to handle html very well. Therefore we give admins the option to strip the html before translating. I made this an option because I'm unsure if/how this will change in the future.

Co-authored-by: ilja <git@ilja.space>
Reviewed-on: #351
Co-authored-by: ilja <akkoma.dev@ilja.space>
Co-committed-by: ilja <akkoma.dev@ilja.space>
2022-12-19 13:06:39 +00:00
FloatingGhost 52d8183787 drop admin scopes on create app instead of rejecting 2022-12-17 23:14:49 +00:00
FloatingGhost dcac8adb3d Add option to modify HTTP pool size
ci/woodpecker/push/woodpecker Pipeline was successful Details
2022-12-16 18:33:00 +00:00
FloatingGhost 48d302a60f allow disabling prometheus entirely
ci/woodpecker/push/woodpecker Pipeline is pending Details
2022-12-16 11:17:04 +00:00
FloatingGhost f752126427 Remove quack, ensure adapter is finch
ci/woodpecker/push/woodpecker Pipeline is pending Details
2022-12-11 23:22:35 +00:00
FloatingGhost 0eaec57d3f mix format
ci/woodpecker/push/woodpecker Pipeline is pending Details
2022-12-09 10:24:38 +00:00
FloatingGhost 4e4bd24813 Add misskey markdown to format suggestions
ci/woodpecker/push/woodpecker Pipeline is pending Details
Fixes #345
2022-12-07 15:39:19 +00:00
floatingghost 6b882a2c0b Purge Rejected Follow requests in daily task (#334)
ci/woodpecker/push/woodpecker Pipeline was successful Details
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #334
2022-12-03 23:17:43 +00:00
floatingghost 2fe1484ed3 http timeout config (#307)
ci/woodpecker/push/woodpecker Pipeline was successful Details
Ref https://meta.akkoma.dev/t/increase-timeout-on-libretranslate-request-how/156/2

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #307
2022-11-24 12:27:16 +00:00
FloatingGhost de1bbc0281 Add conversationDisplay to settings
ci/woodpecker/push/woodpecker Pipeline was successful Details
2022-11-20 22:21:56 +00:00
@r3g_5z@plem.sapphic.site 0e4c201f8d HTTP header improvements (#294)
ci/woodpecker/push/woodpecker Pipeline is pending Details
- Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

- Raise HSTS to 2 years and explicitly preload

The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

- Drop X-Download-Options

This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this.

- Set base-uri to 'none'

This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixr changes, but I don't see why they'd break.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: #294
Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
floatingghost c1127e321b Add configurable timeline per oban job (#273)
ci/woodpecker/push/woodpecker Pipeline is pending Details
Heavily inspired by https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3777

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #273
2022-11-13 23:55:51 +00:00
floatingghost b7e8ce2350 Scrape instance nodeinfo (#251)
ci/woodpecker/push/woodpecker Pipeline is pending Details
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #251
2022-11-06 22:49:39 +00:00
FloatingGhost d782140e2b Reword stop gifs
ci/woodpecker/push/woodpecker Pipeline was successful Details
2022-10-29 22:08:18 +01:00
FloatingGhost 4d9ca8909d Add StopGifs to description 2022-10-29 21:57:50 +01:00
floatingghost df39cab9c1 Automatic status translation (#187)
ci/woodpecker/push/woodpecker Pipeline was successful Details
Fixes #115

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #187
2022-08-29 19:42:22 +00:00
floatingghost e4f2251e0f Add support for setting language in instance metadata (#183)
ci/woodpecker/push/woodpecker Pipeline was successful Details
Reviewed-on: #183
2022-08-25 16:11:21 +00:00
floatingghost aaf78e2b52 only put linked mfm in source (#171)
ci/woodpecker/push/woodpecker Pipeline was successful Details
Reviewed-on: #171
2022-08-17 09:35:11 +00:00
floatingghost 37a1001b97 add finch outbound proxy support (#158)
ci/woodpecker/push/woodpecker Pipeline failed Details
Reviewed-on: #158
2022-08-14 23:13:49 +00:00
FloatingGhost 19ccdc8762 mix format
ci/woodpecker/push/woodpecker Pipeline is pending Details
ci/woodpecker/pr/woodpecker Pipeline is pending Details
2022-08-11 19:21:50 +01:00
FloatingGhost d16eff1c0f describe color keys
ci/woodpecker/push/woodpecker Pipeline is pending Details
fixes #126
2022-08-11 10:28:59 +01:00
floatingghost ca000f8301 Merge mrf_simple-reject with quarantine (#137)
ci/woodpecker/push/woodpecker Pipeline was successful Details
Reviewed-on: #137
2022-08-02 14:19:24 +00:00
floatingghost 645f0390bc Prepare for ubuntu22 murdering openssl (#120)
ci/woodpecker/push/woodpecker Pipeline failed Details
Reviewed-on: #120
2022-07-27 21:48:13 +00:00
floatingghost 90c4785b89 remove public post quarantine exception (#114)
ci/woodpecker/push/test Pipeline was successful Details
ci/woodpecker/push/docs Pipeline was successful Details
ci/woodpecker/push/release Pipeline was successful Details
Reviewed-on: #114
2022-07-26 11:09:13 +00:00
FloatingGhost 36eec89946 add authorized_fetch_mode to description.exs
ci/woodpecker/push/release Pipeline was successful Details
ci/woodpecker/push/test Pipeline was successful Details
ci/woodpecker/push/docs Pipeline was successful Details
ci/woodpecker/pr/release Pipeline was successful Details
ci/woodpecker/pr/docs Pipeline was successful Details
ci/woodpecker/pr/test Pipeline failed Details
2022-07-26 10:51:40 +01:00
floatingghost cb6e7359af add bubble timeline (#100)
ci/woodpecker/push/test Pipeline was successful Details
ci/woodpecker/push/docs Pipeline was successful Details
ci/woodpecker/push/release Pipeline was successful Details
Reviewed-on: #100
2022-07-22 14:55:38 +00:00
floatingghost 0c542e58aa Remove instrumentors (#98)
ci/woodpecker/push/test Pipeline was successful Details
ci/woodpecker/push/docs Pipeline was successful Details
ci/woodpecker/push/release Pipeline was successful Details
Reviewed-on: #98
2022-07-21 11:32:17 +00:00
FloatingGhost 0f132b802d purge chat and shout endpoints
ci/woodpecker/push/docs Pipeline was successful Details
ci/woodpecker/push/release Pipeline was successful Details
ci/woodpecker/push/test Pipeline was successful Details
ci/woodpecker/pr/release Pipeline was successful Details
ci/woodpecker/pr/docs Pipeline was successful Details
ci/woodpecker/pr/test Pipeline was successful Details
2022-07-21 11:29:28 +01:00
floatingghost 07ea4d73e1 update mastofe paths (#95)
ci/woodpecker/push/test Pipeline was successful Details
ci/woodpecker/push/docs Pipeline was successful Details
ci/woodpecker/push/release Pipeline was successful Details
Reviewed-on: #95
2022-07-20 20:13:50 +00:00
floatingghost 729f45ccd2 purge ldap authenticator (#92)
ci/woodpecker/push/test Pipeline was successful Details
ci/woodpecker/push/docs Pipeline was successful Details
ci/woodpecker/push/release Pipeline was successful Details
Reviewed-on: #92
2022-07-20 12:49:13 +00:00
floatingghost 37ae047e16 Add swaggerUI options (#66)
ci/woodpecker/push/lint Pipeline was successful Details
ci/woodpecker/push/release Pipeline failed Details
ci/woodpecker/push/test Pipeline was successful Details
Reviewed-on: #66
2022-07-13 15:09:35 +00:00
floatingghost bc6bfe383f Add configurable theme color (#53)
ci/woodpecker/push/lint Pipeline was successful Details
ci/woodpecker/push/release Pipeline failed Details
ci/woodpecker/push/test Pipeline failed Details
Reviewed-on: #53
2022-07-06 20:00:43 +00:00
floatingghost 364b6969eb Use finch everywhere (#33)
ci/woodpecker/push/lint Pipeline failed Details
ci/woodpecker/push/test unknown status Details
ci/woodpecker/push/release Pipeline was successful Details
Reviewed-on: #33
2022-07-04 16:30:38 +00:00
FloatingGhost 95ef3a8b1e Use Akkoma modification for collections
ci/woodpecker/push/release Pipeline was successful Details
ci/woodpecker/push/lint Pipeline was successful Details
ci/woodpecker/push/test Pipeline was successful Details
ci/woodpecker/pr/lint Pipeline was successful Details
ci/woodpecker/pr/release Pipeline was successful Details
ci/woodpecker/pr/test Pipeline was successful Details
2022-07-03 19:36:30 +01:00
floatingghost 7989b84d01 Merge branch 'develop' into documentation-migration
ci/woodpecker/push/release Pipeline was successful Details
ci/woodpecker/pr/lint Pipeline was successful Details
ci/woodpecker/pr/release Pipeline was successful Details
ci/woodpecker/push/lint Pipeline was successful Details
ci/woodpecker/pr/test Pipeline failed Details
ci/woodpecker/push/test Pipeline failed Details
2022-07-01 12:12:24 +00:00
FloatingGhost bc9e76cce7 Add documentation for ES search
ci/woodpecker/push/release Pipeline was successful Details
ci/woodpecker/push/lint Pipeline was successful Details
ci/woodpecker/pr/release Pipeline was successful Details
ci/woodpecker/pr/lint Pipeline was successful Details
ci/woodpecker/pr/test Pipeline failed Details
ci/woodpecker/push/test Pipeline failed Details
2022-06-30 17:36:57 +01:00
Ekaterina Vaartis 80e52f4d86 Add description for initial_indexing_chunk_size 2022-06-29 20:49:45 +01:00
Ekaterina Vaartis 58cc5d13a2 Add config description for meilisearch 2022-06-29 20:49:45 +01:00
FloatingGhost 1c8a2cf901 Update README, add migration docs
ci/woodpecker/push/release Pipeline was successful Details
ci/woodpecker/push/lint Pipeline was successful Details
ci/woodpecker/push/test Pipeline failed Details
2022-06-29 12:05:59 +01:00