AkkomaGang/akkoma
AkkomaGang
/
akkoma
12
63
Fork 83
Code Issues 167 Pull Requests 14 Packages Projects 2 Releases 13 Wiki Activity

Improper use of regex inside MRF Simple #235

New Issue
Closed
opened 2022-10-22 22:18:24 +00:00 by MaeIsBad · 2 comments
MaeIsBad commented 2022-10-22 22:18:24 +00:00
Contributor
Copy Link

The function at https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/lib/pleroma/web/activity_pub/mrf.ex#L153 tries to compile a user provided domain glob into a regex. This leads to a few bugs:

  • The . character in domains is interpreted as a wildcard character. This leads to blocking of is.rab.dev resulting in iscrab.dev being blocked. A more extreme example of this would be an attacker buying a domain such as soc.al or onl.ne and creating instances on subdomains, leading to admins blocking the entire social/online tlds or not being able to block the malicious instances.
    Workaround in case this is an issue for you: It's possible to escape the dot char using backslashes.

  • An admin can unintentionally break akkoma by inserting a domain that can't be interpreted as a regex(eg. a+b.com, ex[ample].com, *badword*). This doesn't cause any error inside adminfe, and instead causes akkoma to throw an error whenever it executes the MRF, breaking inbound and outbound federation.

The function at https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/lib/pleroma/web/activity_pub/mrf.ex#L153 tries to compile a user provided domain glob into a regex. This leads to a few bugs: - The `.` character in domains is interpreted as a wildcard character. This leads to blocking of `is.rab.dev` resulting in `iscrab.dev` being blocked. A more extreme example of this would be an attacker buying a domain such as `soc.al` or `onl.ne` and creating instances on subdomains, leading to admins blocking the entire social/online tlds or not being able to block the malicious instances. Workaround in case this is an issue for you: It's possible to escape the dot char using backslashes. - An admin can unintentionally break akkoma by inserting a domain that can't be interpreted as a regex(eg. a+b.com, ex\[ample\].com, \*badword\*). This doesn't cause any error inside adminfe, and instead causes akkoma to throw an error whenever it executes the MRF, breaking inbound and outbound federation.
nbsp commented 2022-10-23 00:23:55 +00:00
Contributor
Copy Link

for the second point, we'd need to have a list of disallowed characters, but the only source i can find on that is RFC 1034, which predates Punycode. or wait actually nvm this is a regex error not a domain error

~~for the second point, we'd need to have a list of disallowed characters, but the only source i can find on that is [RFC 1034](https://www.rfc-editor.org/rfc/rfc1034#section-3.5), which predates Punycode.~~ or wait actually nvm this is a regex error not a domain error
floatingghost commented 2022-11-06 22:59:00 +00:00
Owner
Copy Link

going to solve two birds with one stone here

the only real use for regex here is to match subdomains

i'm going to group this with #228 and automatically match subdomains, thus eliminating the need for regex here

going to solve two birds with one stone here the only real use for regex here is to match subdomains i'm going to group this with #228 and automatically match subdomains, thus eliminating the need for regex here
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
develop
stable
translations
backoff-http
bad-uploader-config-warning
docker
user-expiry-backfill
config-db-keys
ensure-scrubbers-loaded
otp26
code-shaking-does-not-go-brr
elixir1.15
circleci
backup-fixes
mod-task
policy
mrf-coolness
frontend-switcher-9000
contentMap
language-on-posts
rabbit
credo-on-pr
unify-http
normalise-markup-by-default
buildx
v3.13.1
v3.13.0
snac-3.12.1.2
v3.12.2
snac-3.12.1.1
v3.12.1
v3.12.0
v3.11.0
v2.6.2
v2.6.1
v2.6.0
v2.5.5
v3.10.4
v3.10.3
v3.10.2
v3.10.1
v3.10.0
v2.5.4
v2.5.3
v3.9.3
v3.9.2
v3.9.1
V3.9.0
2023.05
v3.8.0
v3.7.1
v3.7.0
v3.6.0
v3.5.0
v2.4.5
v3.4.0
v3.3.1
v2.4.4
v3.3.0
v3.2.3
v3.2.2
v3.2.1
stable-202209
v3.2.0
v3.1.0
stable-2022.07
v3.0.0
v0.0.1
v2.5.2-6
v2.5.2-5
v2.5.2-4
v2.5.2-3
v2.5.2-2
v2.5.2-1
v2.5.2
v2.5.1
v2.5.0-8
v2.5.0-7
v2.5.0-6
v2.5.0-5
v2.5.0-4
v2.5.0-3
v2.5.0-2
v2.5.0-1
v2.5.0
v2.4.3
pre-rebase
v2.4.2
v2.4.1
v2.4.0
soapbox-v1.1.1
soapbox-v1.1.0
soapbox-v1.0.0
v2.3.0
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.1.9
v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.91
v1.0.90
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
v0.9.0
Labels
Clear labels   
approved, awaiting change

   
bug

Something is not working

  
configuration

This requires config changes

  
documentation

This is about human-readable docs

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
extremely low priority

   
feature request

Something new?

  
Fix it yourself

Support has been attempted

  
help wanted

Need some help

  
invalid

Something is wrong

  
mastodon_api

   
needs docs

   
needs tests

   
not a bug

   
planned

   
pleroma_api

   
privacy

   
question

More information is needed

  
static_fe

   
triage

   
wontfix

This won't be fixed

No Label
approved, awaiting change
bug
configuration
documentation
duplicate
enhancement
extremely low priority
feature request
Fix it yourself
help wanted
invalid
mastodon_api
needs docs
needs tests
not a bug
planned
pleroma_api
privacy
question
static_fe
triage
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#235
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?