Commit graph

398 commits

Author SHA1 Message Date
f7c9793542 Sanitise Content-Type of uploads
The lack thereof enables spoofing ActivityPub objects.

A malicious user could upload fake activities as attachments
and (if having access to remote search) trick local and remote
fedi instances into fetching and processing it as a valid object.

If uploads are hosted on the same domain as the instance itself,
it is possible for anyone with upload access to impersonate(!)
other users of the same instance.
If uploads are exclusively hosted on a different domain, even the most
basic check of domain of the object id and fetch url matching should
prevent impersonation. However, it may still be possible to trick
servers into accepting bogus users on the upload (sub)domain and bogus
notes attributed to such users.
Instances which later migrated to a different domain and have a
permissive redirect rule in place can still be vulnerable.
If — like Akkoma — the fetching server is overly permissive with
redirects, impersonation still works.

This was possible because Plug.Static also uses our custom
MIME type mappings used for actually authentic AP objects.

Provided external storage providers don’t somehow return ActivityStream
Content-Types on their own, instances using those are also safe against
their users being spoofed via uploads.

Akkoma instances using the OnlyMedia upload filter
cannot be exploited as a vector in this way — IF the
fetching server validates the Content-Type of
fetched objects (Akkoma itself does this already).

However, restricting uploads to only multimedia files may be a bit too
heavy-handed. Instead this commit will restrict the returned
Content-Type headers for user uploaded files to a safe subset, falling
back to generic 'application/octet-stream' for anything else.
This will also protect against non-AP payloads as e.g. used in
past frontend code injection attacks.

It’s a slight regression in user comfort, if say PDFs are uploaded,
but this trade-off seems fairly acceptable.

(Note, just excluding our own custom types would offer no protection
 against non-AP payloads and bear a (perhaps small) risk of a silent
 regression should MIME ever decide to add a canonical extension for
 ActivityPub objects)

Now, one might expect there to be other defence mechanisms
besides Content-Type preventing counterfeits from being accepted,
like e.g. validation of the queried URL and AP ID matching.
Inserting a self-reference into our uploads is hard, but unfortunately
*oma does not verify the id in such a way and happily accepts _anything_
from the same domain (without even considering redirects).
E.g. Sharkey (and possibly other *keys) seem to attempt to guard
against this by immediately refetching the object from its ID, but
this is easily circumvented by just uploading two payloads with the
ID of one linking to the other.

Unfortunately *oma is thus _both_ a vector for spoofing and
vulnerable to those spoof payloads, resulting in an easy way
to impersonate our users.

Similar flaws exists for emoji and media proxy.

Subsequent commits will fix this by rigorously sanitising
content types in more areas, hardening our checks, improving
the default config and discouraging insecure config options.
2024-03-18 22:33:10 -01:00
98cb255d12 Support elixir1.15
OTP builds to 1.15

Changelog entry

Ensure policies are fully loaded

Fix :warn

use main branch for linkify

Fix warn in tests

Migrations for phoenix 1.17

Revert "Migrations for phoenix 1.17"

This reverts commit 6a3b2f15b74ea5e33150529385215b7a531f3999.

Oban upgrade

Add default empty whitelist

mix format

limit test to amd64

OTP 26 tests for 1.15

use OTP_VERSION tag

baka

just 1.15

Massive deps update

Update locale, deps

Mix format

shell????

multiline???

?

max cases 1

use assert_recieve

don't put_env in async tests

don't async conn/fs tests

mix format

FIx some uploader issues

Fix tests
2023-08-03 17:44:09 +01:00
XxXCertifiedForkliftDriverXxX
07b478dc49 Implement blocklists for MediaProxy 2023-06-26 15:18:31 +02:00
522221f7fb Mix format 2023-04-14 17:56:34 +01:00
4c9c959bb3 Merge branch 'develop' into frontend-switcher-9000 2023-04-14 16:56:10 +01:00
de64c6c54a add selection UI 2023-03-28 12:44:52 +01:00
f94e8a3713 add bubble visibility to description 2023-03-18 20:49:43 +00:00
dd44387f1a Add timeline visibility options 2023-03-17 15:33:28 +00:00
292f0444d0 update healthcheck route in locale string 2023-02-18 14:59:46 +01:00
07ccfafd92 Mix format 2022-12-19 13:07:29 +00:00
c092fc9fd6 Add translation module for Argos Translate (#351)
Argos Translate is a Python module for translation and can be used as a command line tool.

This is also the engine for LibreTranslate, for which we already have a module.
Here we can use the engine directly from our server without doing requests to a third party or having to install our own LibreTranslate webservice (obviously you do have to install Argos Translate).

One thing that's currently still missing from Argos Translate is auto-detection of languages (see <https://github.com/argosopentech/argos-translate/issues/9>). For now, when no source language is provided, we just return the text unchanged, supposedly translated from the target language. That way you get a near immediate response in pleroma-fe when clicking Translate, after which you can select the source language from a dropdown.

Argos Translate also doesn't seem to handle html very well. Therefore we give admins the option to strip the html before translating. I made this an option because I'm unsure if/how this will change in the future.

Co-authored-by: ilja <git@ilja.space>
Reviewed-on: AkkomaGang/akkoma#351
Co-authored-by: ilja <akkoma.dev@ilja.space>
Co-committed-by: ilja <akkoma.dev@ilja.space>
2022-12-19 13:06:39 +00:00
52d8183787 drop admin scopes on create app instead of rejecting 2022-12-17 23:14:49 +00:00
dcac8adb3d Add option to modify HTTP pool size 2022-12-16 18:33:00 +00:00
48d302a60f allow disabling prometheus entirely 2022-12-16 11:17:04 +00:00
f752126427 Remove quack, ensure adapter is finch 2022-12-11 23:22:35 +00:00
0eaec57d3f mix format 2022-12-09 10:24:38 +00:00
4e4bd24813 Add misskey markdown to format suggestions
Fixes #345
2022-12-07 15:39:19 +00:00
6b882a2c0b Purge Rejected Follow requests in daily task (#334)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#334
2022-12-03 23:17:43 +00:00
2fe1484ed3 http timeout config (#307)
Ref https://meta.akkoma.dev/t/increase-timeout-on-libretranslate-request-how/156/2

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#307
2022-11-24 12:27:16 +00:00
de1bbc0281 Add conversationDisplay to settings 2022-11-20 22:21:56 +00:00
@r3g_5z@plem.sapphic.site
0e4c201f8d HTTP header improvements (#294)
- Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

- Raise HSTS to 2 years and explicitly preload

The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

- Drop X-Download-Options

This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this.

- Set base-uri to 'none'

This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixr changes, but I don't see why they'd break.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: AkkomaGang/akkoma#294
Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
c1127e321b Add configurable timeline per oban job (#273)
Heavily inspired by https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3777

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#273
2022-11-13 23:55:51 +00:00
b7e8ce2350 Scrape instance nodeinfo (#251)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#251
2022-11-06 22:49:39 +00:00
d782140e2b Reword stop gifs 2022-10-29 22:08:18 +01:00
4d9ca8909d Add StopGifs to description 2022-10-29 21:57:50 +01:00
df39cab9c1 Automatic status translation (#187)
Fixes #115

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#187
2022-08-29 19:42:22 +00:00
e4f2251e0f Add support for setting language in instance metadata (#183)
Reviewed-on: AkkomaGang/akkoma#183
2022-08-25 16:11:21 +00:00
aaf78e2b52 only put linked mfm in source (#171)
Reviewed-on: AkkomaGang/akkoma#171
2022-08-17 09:35:11 +00:00
37a1001b97 add finch outbound proxy support (#158)
Reviewed-on: AkkomaGang/akkoma#158
2022-08-14 23:13:49 +00:00
19ccdc8762 mix format 2022-08-11 19:21:50 +01:00
d16eff1c0f describe color keys
fixes #126
2022-08-11 10:28:59 +01:00
ca000f8301 Merge mrf_simple-reject with quarantine (#137)
Reviewed-on: AkkomaGang/akkoma#137
2022-08-02 14:19:24 +00:00
645f0390bc Prepare for ubuntu22 murdering openssl (#120)
Reviewed-on: AkkomaGang/akkoma#120
2022-07-27 21:48:13 +00:00
90c4785b89 remove public post quarantine exception (#114)
Reviewed-on: AkkomaGang/akkoma#114
2022-07-26 11:09:13 +00:00
36eec89946 add authorized_fetch_mode to description.exs 2022-07-26 10:51:40 +01:00
cb6e7359af add bubble timeline (#100)
Reviewed-on: AkkomaGang/akkoma#100
2022-07-22 14:55:38 +00:00
0c542e58aa Remove instrumentors (#98)
Reviewed-on: AkkomaGang/akkoma#98
2022-07-21 11:32:17 +00:00
0f132b802d purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
07ea4d73e1 update mastofe paths (#95)
Reviewed-on: AkkomaGang/akkoma#95
2022-07-20 20:13:50 +00:00
729f45ccd2 purge ldap authenticator (#92)
Reviewed-on: AkkomaGang/akkoma#92
2022-07-20 12:49:13 +00:00
37ae047e16 Add swaggerUI options (#66)
Reviewed-on: AkkomaGang/akkoma#66
2022-07-13 15:09:35 +00:00
bc6bfe383f Add configurable theme color (#53)
Reviewed-on: AkkomaGang/akkoma#53
2022-07-06 20:00:43 +00:00
364b6969eb Use finch everywhere (#33)
Reviewed-on: AkkomaGang/akkoma#33
2022-07-04 16:30:38 +00:00
95ef3a8b1e Use Akkoma modification for collections 2022-07-03 19:36:30 +01:00
7989b84d01 Merge branch 'develop' into documentation-migration 2022-07-01 12:12:24 +00:00
bc9e76cce7 Add documentation for ES search 2022-06-30 17:36:57 +01:00
Ekaterina Vaartis
80e52f4d86 Add description for initial_indexing_chunk_size 2022-06-29 20:49:45 +01:00
Ekaterina Vaartis
58cc5d13a2 Add config description for meilisearch 2022-06-29 20:49:45 +01:00
1c8a2cf901 Update README, add migration docs 2022-06-29 12:05:59 +01:00
0d012ebea1 Revert "Merge branch 'remove/mastofe' into 'develop'"
This reverts commit 6b3842cf50, reversing
changes made to 6b1282a829.
2022-01-08 21:44:37 +00:00