AkkomaGang/akkoma
AkkomaGang/akkoma
15
66
Fork 94
Code Issues 180 Pull requests 27 Projects 2 Releases 14 Packages Wiki Activity

[bug] Javascript insertion via media Vulnerability #547

New issue
Closed
opened 2023-05-26 05:04:23 +00:00 by Twizzay · 8 comments
Twizzay commented 2023-05-26 05:04:23 +00:00
Copy link

This vulnerability was discovered today.

05-25-2023_09:59%:29PM

  • I have double-checked and have not found this issue mentioned anywhere.
This vulnerability was discovered today. ![05-25-2023_09:59%:29PM](https://github.com/YunoHost-Apps/akkoma_ynh/assets/88040412/98977adf-1605-491c-aeea-1dddfc5ea05b) - [x] I have double-checked and have not found this issue mentioned anywhere.
Twizzay added the
bug
 label 2023-05-26 05:04:23 +00:00
Twizzay commented 2023-05-26 05:05:13 +00:00
Author
Copy link

Sorry this may not be the right place to put this.

This is my first created issue around here.

Sorry this may not be the right place to put this. This is my first created issue around here.
Twizzay changed title from [bug] to [bug] Javascript Vulnerability 2023-05-26 05:05:44 +00:00
floatingghost commented 2023-05-26 11:35:31 +00:00
Owner
Copy link

fix applied and released

fix applied and released
Seirdy commented 2023-05-26 18:13:34 +00:00
Contributor
Copy link

My understanding is that the sandbox directive should have been fine, since it forbids JS execution. It's actually a bit stronger than script-src, as it forbids scripts from running even if they bypass CSP fetch directives (e.g. scripts injected by the user-agent).

The most bulletproof CSP for media would be this:

default-src 'none'; upgrade-insecure-requests; sandbox

(if you wanna go overkill, use base-uri 'none'; form-action 'none'. Shouldn't be necessary for static media and SVGs with the secure static processing mode enforced by the img element).

This would prevent anything from loading except the single media resource.

Other instances that load something more advanced (e.g. ruffle.rs flash animations) or support hotlinking could also request browsers to use strict origin isolation:

cross-origin-resource-policy: cross-origin
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
origin-agent-cluster: ?1

I don't know Elixir but this doesn't seem too hard; I could draft a PR if you're interested.

My understanding is that the `sandbox` directive should have been fine, since it forbids JS execution. It's actually a bit stronger than `script-src`, as it forbids scripts from running even if they bypass CSP fetch directives (e.g. scripts injected by the user-agent). The most bulletproof CSP for media would be this: ``` default-src 'none'; upgrade-insecure-requests; sandbox ``` (if you wanna go overkill, use `base-uri 'none'; form-action 'none'`. Shouldn't be necessary for static media and SVGs with the secure static processing mode enforced by the `img` element). This would prevent anything from loading except the single media resource. Other instances that load something more advanced (e.g. ruffle.rs flash animations) or support hotlinking could also request browsers to use strict origin isolation: ``` cross-origin-resource-policy: cross-origin cross-origin-embedder-policy: require-corp cross-origin-opener-policy: same-origin origin-agent-cluster: ?1 ``` I don't know Elixir but this doesn't seem too hard; I could draft a PR if you're interested.
Twizzay commented 2023-05-26 19:03:56 +00:00
Author
Copy link

Some new information...

Might need to reopen.

Some new information... Might need to reopen.
05-26-2023_12:02%:57PM.png
100 KiB
05-26-2023_12:02%:57PM.png
floatingghost commented 2023-05-26 19:34:23 +00:00
Owner
Copy link

luckily we don't rely on a one-line nginx modification

we tightened csp way back in 336d06b2a8, which pleroma (and soapbox by extension) never got around to doing afaik

luckily we don't rely on a one-line nginx modification we tightened csp way back in https://akkoma.dev/AkkomaGang/akkoma/commit/336d06b2a8ca75362578b1d67ea1f32a45c8edd3, which pleroma (and soapbox by extension) never got around to doing afaik
floatingghost commented 2023-05-26 19:38:06 +00:00
Owner
Copy link

(also, for the love of christ do not link gleasonator here, this entire place pretty much exists to get away from that idiot)

(also, for the love of christ do not link gleasonator here, this entire place pretty much exists to get away from that idiot)
Twizzay changed title from [bug] Javascript Vulnerability to [bug] Javascript insertion via media Vulnerability 2023-05-26 20:13:17 +00:00
Twizzay commented 2023-05-26 20:15:53 +00:00
Author
Copy link

luckily we don't rely on a one-line nginx modification

we tightened csp way back in 336d06b2a8, which pleroma (and soapbox by extension) never got around to doing afaik

hek ya, sun. I am going to trust that this vulnerability does not affect Akkoma users anymore, then.

(also, for the love of christ do not link gleasonator here, this entire place pretty much exists to get away from that idiot)

My mistake. I edited my reply.

> luckily we don't rely on a one-line nginx modification > > we tightened csp way back in https://akkoma.dev/AkkomaGang/akkoma/commit/336d06b2a8ca75362578b1d67ea1f32a45c8edd3, which pleroma (and soapbox by extension) never got around to doing afaik > > hek ya, sun. I am going to trust that this vulnerability does not affect Akkoma users anymore, then. > (also, for the love of christ do not link gleasonator here, this entire place pretty much exists to get away from that idiot) My mistake. I edited my reply.
floatingghost commented 2023-05-26 20:16:41 +00:00
Owner
Copy link

the HTML sanitisation issue from pleroma has been pulled in though - that is in release v3.9.3 (just out)

i think that's everything

the HTML sanitisation issue from pleroma has been pulled in though - that is in release v3.9.3 (just out) i _think_ that's everything
👍 1
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
better-stats
stable
translations
customizable-docker-db
static-adminfe
bad-uploader-config-warning
docker
user-expiry-backfill
config-db-keys
ensure-scrubbers-loaded
otp26
code-shaking-does-not-go-brr
elixir1.15
circleci
backup-fixes
mod-task
policy
mrf-coolness
frontend-switcher-9000
contentMap
language-on-posts
rabbit
credo-on-pr
unify-http
normalise-markup-by-default
buildx
v3.13.3
v3.13.2
v2.6.3
v3.13.1
v3.13.0
snac-3.12.1.2
v3.12.2
snac-3.12.1.1
v3.12.1
v3.12.0
v3.11.0
v2.6.2
v2.6.1
2.6.1
v2.6.0
v2.5.5
v3.10.4
v3.10.3
v3.10.2
v3.10.1
v3.10.0
v2.5.4
v2.5.3
v3.9.3
v3.9.2
v3.9.1
V3.9.0
2023.05
v3.8.0
v3.7.1
v3.7.0
v3.6.0
v3.5.0
v2.4.5
v3.4.0
v3.3.1
v2.4.4
v3.3.0
v3.2.3
v3.2.2
v3.2.1
stable-202209
v3.2.0
v3.1.0
stable-2022.07
v3.0.0
v0.0.1
v2.5.2-6
v2.5.2-5
v2.5.2-4
v2.5.2-3
v2.5.2-2
v2.5.2-1
v2.5.2
v2.5.1
v2.5.0-8
v2.5.0-7
v2.5.0-6
v2.5.0-5
v2.5.0-4
v2.5.0-3
v2.5.0-2
v2.5.0-1
v2.5.0
v2.4.3
pre-rebase
v2.4.2
v2.4.1
v2.4.0
soapbox-v1.1.1
soapbox-v1.1.0
soapbox-v1.0.0
v2.3.0
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.1.9
v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.91
v1.0.90
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
v0.9.0
Labels
Clear labels   
approved, awaiting change

   
bug

Something is not working

  
configuration

This requires config changes

  
documentation

This is about human-readable docs

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
extremely low priority

   
feature request

Something new?

  
Fix it yourself

Support has been attempted

  
help wanted

Need some help

  
invalid

Something is wrong

  
mastodon_api

   
needs docs

   
needs tests

   
not a bug

   
planned

   
pleroma_api

   
privacy

   
question

More information is needed

  
static_fe

   
triage

   
wontfix

This won't be fixed

No labels
approved, awaiting change
bug
configuration
documentation
duplicate
enhancement
extremely low priority
feature request
Fix it yourself
help wanted
invalid
mastodon_api
needs docs
needs tests
not a bug
planned
pleroma_api
privacy
question
static_fe
triage
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#547
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?