Add explicit configDB whitelist

This commit is contained in:
FloatingGhost 2023-08-15 12:39:28 +01:00
parent 6fb47b2806
commit ccaff7104d
5 changed files with 102 additions and 91 deletions

View file

@ -49,7 +49,9 @@
config :pleroma, Pleroma.Repo,
telemetry_event: [Pleroma.Repo.Instrumenter],
queue_target: 20_000,
migration_lock: nil
migration_lock: nil,
parameters: [gin_fuzzy_search_limit: "500"],
prepare: :unnamed
config :pleroma, Pleroma.Captcha,
enabled: true,
@ -75,6 +77,7 @@
truncated_namespace: nil,
streaming_enabled: true
# This cannot be configured in the database!
config :ex_aws, :s3,
# host: "s3.wasabisys.com", # required if not Amazon AWS
access_key_id: nil,
@ -792,17 +795,6 @@
config :pleroma, :modules, runtime_dir: "instance/modules"
config :pleroma, configurable_from_database: false
# Don't allow arbitrary module config here, you can only
# adjust our own config.
config :pleroma,
database_config_whitelist: [
{:pleroma},
{:logger}
]
config :pleroma, Pleroma.Repo,
parameters: [gin_fuzzy_search_limit: "500"],
prepare: :unnamed
config :pleroma, :majic_pool, size: 2

View file

@ -1,16 +1,5 @@
import Config
websocket_config = [
path: "/websocket",
serializer: [
{Phoenix.Socket.V1.JSONSerializer, "~> 1.0.0"},
{Phoenix.Socket.V2.JSONSerializer, "~> 2.0.0"}
],
timeout: 60_000,
transport_log: false,
compress: false
]
installed_frontend_options = [
%{
key: "name",

View file

@ -0,0 +1,78 @@
defmodule Pleroma.Config.ConfigurableFromDatabase do
# Basically it's silly to let this be configurable
# set a list of things that we can set in the database
# this is mostly our stuff, with some extra in there
@allowed_groups [
{:logger},
{:pleroma, Pleroma.Captcha},
{:pleroma, Pleroma.Captcha.Kocaptcha},
{:pleroma, Pleroma.Upload},
{:pleroma, Pleroma.Uploaders.Local},
{:pleroma, Pleroma.Uploaders.S3},
{:pleroma, :emoji},
{:pleroma, :http},
{:pleroma, :instance},
{:pleroma, :welcome},
{:pleroma, :feed},
{:pleroma, :markup},
{:pleroma, :frontend_configurations},
{:pleroma, :assets},
{:pleroma, :manifest},
{:pleroma, :activitypub},
{:pleroma, :streamer},
{:pleroma, :user},
{:pleroma, :mrf_normalize_markup},
{:pleroma, :mrf_rejectnonpublic},
{:pleroma, :mrf_hellthread},
{:pleroma, :mrf_simple},
{:pleroma, :mrf_keyword},
{:pleroma, :mrf_hashtag},
{:pleroma, :mrf_subchain},
{:pleroma, :mrf_activity_expiration},
{:pleroma, :mrf_vocabulary},
{:pleroma, :mrf_inline_quote},
{:pleroma, :mrf_object_age},
{:pleroma, :mrf_follow_bot},
{:pleroma, :mrf_reject_newly_created_account_notes},
{:pleroma, :rich_media},
{:pleroma, :media_proxy},
{:pleroma, Pleroma.Web.MediaProxy.Invalidation.Http},
{:pleroma, :media_preview_proxy},
{:pleroma, Pleroma.Web.Metadata},
{:pleroma, Pleroma.Web.Metadata.Providers.Theme},
{:pleroma, Pleroma.Web.Preload},
{:pleroma, :http_security},
{:pleroma, Pleroma.User},
{:pleroma, Oban},
{:pleroma, :workers},
{:pleroma, Pleroma.Formatter},
{:pleroma, Pleroma.Emails.Mailer},
{:pleroma, Pleroma.Emails.UserEmail},
{:pleroma, Pleroma.Emails.NewUsersDigestEmail},
{:pleroma, Pleroma.ScheduledActivity},
{:pleroma, :email_notifications},
{:pleroma, :oauth2},
{:pleroma, Pleroma.Web.Plugs.RemoteIp},
{:pleroma, :static_fe},
{:pleroma, :frontends},
{:pleroma, :web_cache_ttl},
{:pleroma, :majic_pool},
{:pleroma, :restrict_unauthenticated},
{:pleroma, Pleroma.Web.ApiSpec.CastAndValidate},
{:pleroma, :mrf},
{:pleroma, :instances_favicons},
{:pleroma, :instances_nodeinfo},
{:pleroma, Pleroma.User.Backup},
{:pleroma, ConcurrentLimiter},
{:pleroma, Pleroma.Web.WebFinger},
{:pleroma, Pleroma.Search},
{:pleroma, Pleroma.Search.Meilisearch},
{:pleroma, Pleroma.Search.Elasticsearch.Cluster},
{:pleroma, :translator},
{:pleroma, :deepl},
{:pleroma, :libre_translate}
# But not argostranslate, because executables!
]
def allowed_groups, do: @allowed_groups
end

View file

@ -9,14 +9,6 @@ defmodule Pleroma.Web.AdminAPI.ConfigController do
alias Pleroma.ConfigDB
alias Pleroma.Web.Plugs.OAuthScopesPlug
@banned_in_db [
# this would make no sense if you could change it in the db
{:pleroma, :database_config_whitelist},
# called with System.cmd
{:pleroma, Pleroma.Web.MediaProxy.Invalidation.Script},
{:pleroma, :argos_translate}
]
plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(OAuthScopesPlug, %{scopes: ["admin:write"]} when action == :update)
@ -183,18 +175,14 @@ defp configurable_from_database do
end
defp whitelisted_config?(group, key) do
whitelisted =
:database_config_whitelist
|> Config.get([{:pleroma}])
|> Enum.any?(fn
{whitelisted_group} ->
group == inspect(whitelisted_group)
Pleroma.Config.ConfigurableFromDatabase.allowed_groups()
|> Enum.any?(fn
{whitelisted_group} ->
group == inspect(whitelisted_group)
{whitelisted_group, whitelisted_key} ->
group == inspect(whitelisted_group) && key == inspect(whitelisted_key)
end)
whitelisted && !disallowed_config?(group, key)
{whitelisted_group, whitelisted_key} ->
group == inspect(whitelisted_group) && key == inspect(whitelisted_key)
end)
end
defp whitelisted_config?(%{group: group, key: key}) do
@ -204,14 +192,4 @@ defp whitelisted_config?(%{group: group, key: key}) do
defp whitelisted_config?(%{group: group} = config) do
whitelisted_config?(group, config[:key])
end
defp disallowed_config?(group, key) do
Enum.any?(@banned_in_db, fn
{disallowed_group} ->
group == inspect(disallowed_group)
{disallowed_group, disallowed_key} ->
group == inspect(disallowed_group) && key == inspect(disallowed_key)
end)
end
end

View file

@ -38,58 +38,32 @@ test "Refuses to update non-whitelisted config options", %{conn: conn} do
%{tuple: [":path", "sh"]},
%{tuple: [":args", ["-c", "echo pwnd > /tmp/a"]]}
]
}
]
}
clear_config([:database_config_whitelist], [{:pleroma}])
resp_that_should_not_work =
conn
|> post(~p"/api/v1/pleroma/admin/config", banned_config)
|> json_response_and_validate_schema(200)
assert Enum.empty?(resp_that_should_not_work["configs"])
clear_config([:database_config_whitelist], [{:mogrify}])
resp_that_should_work =
conn
|> post(~p"/api/v1/pleroma/admin/config", banned_config)
|> json_response_and_validate_schema(200)
refute Enum.empty?(resp_that_should_work["configs"])
end
test "Refuses to update strictly disallowed options", %{conn: conn} do
banned_config = %{
configs: [
%{
group: ":pleroma",
key: ":database_config_whitelist",
value: [":pleroma"]
},
%{
group: ":pleroma",
key: ":argos_translate",
key: ":http",
value: [
%{tuple: [":command_argospm", "/opt/oepsiewoepsie"]}
%{tuple: ["wow", "nice"]}
]
},
%{
group: ":pleroma",
key: "Pleroma.Web.MediaProxy.Invalidation.Script",
value: "wowee"
}
]
}
resp_that_should_not_work =
resp =
conn
|> post(~p"/api/v1/pleroma/admin/config", banned_config)
|> json_response_and_validate_schema(200)
assert Enum.empty?(resp_that_should_not_work["configs"])
# It should basically just throw out the mogrify option
assert Enum.count(resp["configs"]) == 1
assert %{
"configs" => [
%{
"group" => ":pleroma"
}
]
} = resp
end
end
end