FoundKeyGang/FoundKey
FoundKeyGang/FoundKey
7
19
Fork 22
Code Issues 37 Pull requests 4 Releases Activity

fixup! BREAKING: activitypub: validate fetch signatures
All checks were successful
ci/woodpecker/pr/lint-backend Pipeline was successful
Details
ci/woodpecker/pr/lint-foundkey-js Pipeline was successful
Details
ci/woodpecker/pr/build Pipeline was successful
Details
ci/woodpecker/pr/lint-client Pipeline was successful
Details
ci/woodpecker/pr/lint-sw Pipeline was successful
Details
ci/woodpecker/pr/test Pipeline was successful
Details

Browse source
This commit is contained in:
Hélène 2023-06-23 19:53:47 +02:00
parent f89a374e5f
commit fe0dde38c3
6 changed files with 21 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
packages/backend/migration/1687460719276-allow-unsigned-fetches.js
View file

@ -1,11 +0,0 @@
export class allowUnsignedFetches1687460719276 {
name = 'allowUnsignedFetches1687460719276'
async up(queryRunner) {
await queryRunner.query(`ALTER TABLE "meta" ADD "allowUnsignedFetches" bool default false`);
}
async down(queryRunner) {
await queryRunner.query(`ALTER TABLE "meta" DROP COLUMN "allowUnsignedFetches"`);
}
}

1
packages/backend/src/config/load.ts
View file

@ -61,6 +61,7 @@ export function loadConfig(): Config {
proxyRemoteFiles: false, proxyRemoteFiles: false,
maxFileSize: 262144000, // 250 MiB maxFileSize: 262144000, // 250 MiB
maxNoteTextLength: 3000, maxNoteTextLength: 3000,
allowUnsignedFetches: false,
}, config); }, config);
mixin.version = meta.version; mixin.version = meta.version;

2
packages/backend/src/config/types.ts
View file

@ -68,6 +68,8 @@ export type Source = {
notFound?: string; notFound?: string;
error?: string; error?: string;
}; };
allowUnsignedFetches?: boolean;
}; };
/** /**

5
packages/backend/src/models/entities/meta.ts
View file

@ -82,11 +82,6 @@ export class Meta {
}) })
public blockedHosts: string[]; public blockedHosts: string[];
@Column('boolean', {
default: false
})
public allowUnsignedFetches: boolean;
@Column('varchar', { @Column('varchar', {
length: 512, length: 512,
nullable: true, nullable: true,

25
packages/backend/src/server/activitypub.ts
View file

@ -61,11 +61,14 @@ export function setResponseType(ctx: Router.RouterContext): void {
} }
} }
export function handleSignatureResult(ctx: Router.RouterContext, result: SignatureValidationResult): boolean { async function handleSignature(ctx: Router.RouterContext): Promise<boolean> {
const result = await validateFetchSignature(ctx.req);
switch (result) { switch (result) {
// Fetch signature verification is disabled.
case 'always': case 'always':
ctx.set('Cache-Control', 'public, max-age=180'); ctx.set('Cache-Control', 'public, max-age=180');
return true; return true;
// Fetch signature verification succeeded.
case 'valid': case 'valid':
ctx.set('Cache-Control', 'no-store'); ctx.set('Cache-Control', 'no-store');
return true; return true;
@ -92,7 +95,7 @@ router.post('/users/:user/inbox', json(), inbox);
// note // note
router.get('/notes/:note', async (ctx, next) => { router.get('/notes/:note', async (ctx, next) => {
if (!isActivityPubReq(ctx)) return await next(); if (!isActivityPubReq(ctx)) return await next();
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
const note = await Notes.findOneBy({ const note = await Notes.findOneBy({
id: ctx.params.note, id: ctx.params.note,
@ -129,7 +132,7 @@ router.get('/notes/:note/activity', async ctx => {
ctx.redirect(`/notes/${ctx.params.note}`); ctx.redirect(`/notes/${ctx.params.note}`);
return; return;
} }
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
const note = await Notes.findOneBy({ const note = await Notes.findOneBy({
id: ctx.params.note, id: ctx.params.note,
@ -149,25 +152,25 @@ router.get('/notes/:note/activity', async ctx => {
// outbox // outbox
router.get('/users/:user/outbox', async ctx => { router.get('/users/:user/outbox', async ctx => {
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
return await Outbox(ctx); return await Outbox(ctx);
}); });
// followers // followers
router.get('/users/:user/followers', async ctx => { router.get('/users/:user/followers', async ctx => {
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
return await Followers(ctx); return await Followers(ctx);
}); });
// following // following
router.get('/users/:user/following', async ctx => { router.get('/users/:user/following', async ctx => {
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
return await Following(ctx); return await Following(ctx);
}); });
// featured // featured
router.get('/users/:user/collections/featured', async ctx => { router.get('/users/:user/collections/featured', async ctx => {
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
return await Featured(ctx); return await Featured(ctx);
}); });
@ -224,7 +227,7 @@ router.get('/users/:user', async (ctx, next) => {
// validate and enforce signatures. // validate and enforce signatures.
if (user == null || !isInstanceActor(user)) if (user == null || !isInstanceActor(user))
{ {
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
} }
else if (isInstanceActor(user)) else if (isInstanceActor(user))
{ {
@ -237,7 +240,7 @@ router.get('/users/:user', async (ctx, next) => {
router.get('/@:user', async (ctx, next) => { router.get('/@:user', async (ctx, next) => {
if (!isActivityPubReq(ctx)) return await next(); if (!isActivityPubReq(ctx)) return await next();
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
const user = await Users.findOneBy({ const user = await Users.findOneBy({
usernameLower: ctx.params.user.toLowerCase(), usernameLower: ctx.params.user.toLowerCase(),
@ -270,7 +273,7 @@ router.get('/emojis/:emoji', async ctx => {
// like // like
router.get('/likes/:like', async ctx => { router.get('/likes/:like', async ctx => {
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
const reaction = await NoteReactions.findOneBy({ id: ctx.params.like }); const reaction = await NoteReactions.findOneBy({ id: ctx.params.like });
if (reaction == null) { if (reaction == null) {
@ -294,7 +297,7 @@ router.get('/likes/:like', async ctx => {
// follow // follow
router.get('/follows/:follower/:followee', async ctx => { router.get('/follows/:follower/:followee', async ctx => {
if (!handleSignatureResult(ctx, await validateFetchSignature(ctx.req))) return; if (!(await handleSignature(ctx))) return;
// This may be used before the follow is completed, so we do not // This may be used before the follow is completed, so we do not
// check if the following exists. // check if the following exists.

9
packages/backend/src/server/activitypub/fetch-signature.ts
View file

@ -1,12 +1,12 @@
import httpSignature from '@peertube/http-signature'; import httpSignature from '@peertube/http-signature';
import { toPuny } from '@/misc/convert-host.js'; import { extractDbHost } from '@/misc/convert-host.js';
import { fetchMeta } from '@/misc/fetch-meta.js';
import { shouldBlockInstance } from '@/misc/should-block-instance.js'; import { shouldBlockInstance } from '@/misc/should-block-instance.js';
import { authUserFromKeyId, getAuthUser } from '@/remote/activitypub/misc/auth-user.js'; import { authUserFromKeyId, getAuthUser } from '@/remote/activitypub/misc/auth-user.js';
import { getApId, isActor } from '@/remote/activitypub/type.js'; import { getApId, isActor } from '@/remote/activitypub/type.js';
import { StatusError } from '@/misc/fetch.js'; import { StatusError } from '@/misc/fetch.js';
import { Resolver } from '@/remote/activitypub/resolver.js'; import { Resolver } from '@/remote/activitypub/resolver.js';
import { createPerson } from '@/remote/activitypub/models/person.js'; import { createPerson } from '@/remote/activitypub/models/person.js';
import config from '@/config/index.js';
export type SignatureValidationResult = 'missing' | 'invalid' | 'rejected' | 'valid' | 'always'; export type SignatureValidationResult = 'missing' | 'invalid' | 'rejected' | 'valid' | 'always';
@ -39,10 +39,9 @@ async function resolveKeyId(keyId: string, resolver: Resolver): Promise<AuthUser
} }
export async function validateFetchSignature(req: IncomingMessage): Promise<SignatureValidationResult> { export async function validateFetchSignature(req: IncomingMessage): Promise<SignatureValidationResult> {
const meta = await fetchMeta();
let signature; let signature;
if (meta.allowUnsignedFetches === true) if (config.allowUnsignedFetches === true)
return 'always'; return 'always';
try { try {
@ -60,7 +59,7 @@ export async function validateFetchSignature(req: IncomingMessage): Promise<Sign
if (keyIdLower.startsWith('acct:')) if (keyIdLower.startsWith('acct:'))
return 'invalid'; return 'invalid';
const host = toPuny(new URL(keyIdLower).hostname); const host = extractDbHost(keyIdLower);
// Reject if the host is blocked. // Reject if the host is blocked.
if (await shouldBlockInstance(host)) if (await shouldBlockInstance(host))