Improper use of regex inside MRF Simple #235

New issue

Closed

opened 2022-10-22 22:18:24 +00:00 by MaeIsBad · 2 comments

MaeIsBad commented

2022-10-22 22:18:24 +00:00

Contributor

The function at https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/lib/pleroma/web/activity_pub/mrf.ex#L153 tries to compile a user provided domain glob into a regex. This leads to a few bugs:

The . character in domains is interpreted as a wildcard character. This leads to blocking of is.rab.dev resulting in iscrab.dev being blocked. A more extreme example of this would be an attacker buying a domain such as soc.al or onl.ne and creating instances on subdomains, leading to admins blocking the entire social/online tlds or not being able to block the malicious instances.
Workaround in case this is an issue for you: It's possible to escape the dot char using backslashes.
An admin can unintentionally break akkoma by inserting a domain that can't be interpreted as a regex(eg. a+b.com, ex[ample].com, *badword*). This doesn't cause any error inside adminfe, and instead causes akkoma to throw an error whenever it executes the MRF, breaking inbound and outbound federation.

The function at https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/lib/pleroma/web/activity_pub/mrf.ex#L153 tries to compile a user provided domain glob into a regex. This leads to a few bugs: - The `.` character in domains is interpreted as a wildcard character. This leads to blocking of `is.rab.dev` resulting in `iscrab.dev` being blocked. A more extreme example of this would be an attacker buying a domain such as `soc.al` or `onl.ne` and creating instances on subdomains, leading to admins blocking the entire social/online tlds or not being able to block the malicious instances. Workaround in case this is an issue for you: It's possible to escape the dot char using backslashes. - An admin can unintentionally break akkoma by inserting a domain that can't be interpreted as a regex(eg. a+b.com, ex\[ample\].com, \*badword\*). This doesn't cause any error inside adminfe, and instead causes akkoma to throw an error whenever it executes the MRF, breaking inbound and outbound federation.

Ghost commented

2022-10-23 00:23:55 +00:00

~~for the second point, we'd need to have a list of disallowed characters, but the only source i can find on that is RFC 1034, which predates Punycode.~~ or wait actually nvm this is a regex error not a domain error

~~for the second point, we'd need to have a list of disallowed characters, but the only source i can find on that is [RFC 1034](https://www.rfc-editor.org/rfc/rfc1034#section-3.5), which predates Punycode.~~ or wait actually nvm this is a regex error not a domain error

floatingghost commented

2022-11-06 22:59:00 +00:00

Owner

going to solve two birds with one stone here

the only real use for regex here is to match subdomains

i'm going to group this with #228 and automatically match subdomains, thus eliminating the need for regex here

going to solve two birds with one stone here the only real use for regex here is to match subdomains i'm going to group this with #228 and automatically match subdomains, thus eliminating the need for regex here