Commit graph

71 commits

Author SHA1 Message Date
Oneric fee57eb376 Move actor check into fetch_and_contain_remote_object_from_id
This brings it in line with its name and closes an,
in practice harmless, verification hole.

This was/is the only user of contain_origin making it
safe to change the behaviour on actor-less objects.

Until now refetched objects did not ensure the new actor matches the
domain of the object. We refetch polls occasionally to retrieve
up-to-date vote counts. A malicious AP server could have switched out
the poll after initial posting with a completely different post
attribute to an actor from another server.
While we indeed fell for this spoof before the commit,
it fortunately seems to have had no ill effect in practice,
since the asociated Create activity is not changed. When exposing the
actor via our REST API, we read this info from the activity not the
object.

This at first thought still keeps one avenue for exploit open though:
the updated actor can be from our own domain and a third server be
instructed to fetch the object from us. However this is foiled by an
id mismatch. By necessity of being fetchable and our longstanding
same-domain check, the id must still be from the attacker’s server.
Even the most barebone authenticity check is able to sus this out.
2024-03-25 14:05:05 -01:00
Oneric c4cf4d7f0b Reject cross-domain redirects when fetching AP objects
Such redirects on AP queries seem most likely to be a spoofing attempt.
If the object is legit, the id should match the final domain anyway and
users can directly use the canonical URL.

The lack of such a check (and use of the initially queried domain’s
authority instead of the final domain) was enabling the current exploit
to even affect instances which already migrated away from a same-domain
upload/proxy setup in the past, but retained a redirect to not break old
attachments.

(In theory this redirect could, with some effort, have been limited to
 only old files, but common guides employed a catch-all redirect, which
 allows even future uploads to be reachable via an initial query to the
 main domain)

Same-domain redirects are valid and also used by ourselves,
e.g. for redirecting /notice/XXX to /objects/YYY.
2024-03-25 14:05:05 -01:00
Oneric 2bcf633dc2 Document Pleroma.Object.Fetcher 2024-03-25 14:05:05 -01:00
Oneric c806adbfdb Refactor Fetcher.get_object for readability
Apart from slightly different error reasons wrt content-type,
this does not change functionality in any way.
2024-03-18 22:40:43 -01:00
FloatingGhost 64e233ca20 Tag Mock-tests as "mocked" and run them seperately 2023-08-04 12:50:50 +01:00
FloatingGhost 77e9a52450 allow http AS profile in ld+json header 2022-12-12 19:06:04 +00:00
FloatingGhost 68894089e8 Do not fetch anything from blocked instances 2022-12-10 00:09:45 +00:00
FloatingGhost f5a315f04c Add URL and code to :not_found errors
Ref #355
2022-12-09 20:13:31 +00:00
@r3g_5z@plem.sapphic.site 565ead8397 minor-changes (#313)
Only real change here is making MRF rejects log as debug instead of info (https://akkoma.dev/AkkomaGang/akkoma/issues/234)

I don't know if it's the best way to do it, but it seems it's just MRF using this and almost always this is intended.

The rest are just minor docs changes and syncing the restricted nicknames stuff.

I compiled and ran my changes with Docker and they all work.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/313
Co-authored-by: @r3g_5z@plem.sapphic.site <june@girlboss.ceo>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@girlboss.ceo>
2022-11-26 19:27:58 +00:00
Haelwenn (lanodan) Monnier 3e0a5851e5 Set instance reachable on fetch 2022-11-15 17:23:47 +00:00
floatingghost 2641dcdd15 Post editing (#202)
Rebased from #103

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/202
2022-09-06 19:24:02 +00:00
Haelwenn (lanodan) Monnier 461123110b
Object.Fetcher: Fix getting transmogrifier reject reason 2021-04-05 19:19:12 +02:00
Haelwenn (lanodan) Monnier 96212b2e32
Fix addressing 2021-04-05 19:19:12 +02:00
Haelwenn (lanodan) Monnier c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
lain e1e7e4d379 Object: Rework how Object.normalize works
Now it defaults to not fetching, and the option is named.
2021-01-04 13:38:31 +01:00
rinpatch 2c55f7d7cb Remove FedSockets
Current FedSocket implementation has a bunch of problems. It doesn't
have proper error handling (in case of an error the server just doesn't
respond until the connection is closed, while the client doesn't match
any error messages and just assumes there has been an error after 15s)
and the code is full of bad descisions (see: fetch registry which uses
uuids for no reason and waits for a response by recursively querying a
 ets table until the value changes, or double JSON encoding).

Sometime ago I almost completed rewriting fedsockets from scrach to
adress these issues. However, while doing so, I realized that fedsockets
 are just too overkill for what they were trying to accomplish, which is
 reduce the overhead of federation by not signing every message.
This could be done without reimplementing failure states and endpoint
 logic we already have with HTTP by, for example, using TLS cert auth,
or switching to a more performant signature algorithm. I opened
https://git.pleroma.social/pleroma/pleroma/-/issues/2262 for further
discussion on alternatives to fedsockets.

From discussions I had with other Pleroma developers it seems like they
 would approve the descision to remove them as well,
therefore I am submitting this patch.
2020-11-17 17:28:30 +03:00
rinpatch 6ca709816f Fix object spoofing vulnerability in attachments
Validate the content-type of the response when fetching an object,
according to https://www.w3.org/TR/activitypub/#x3-2-retrieving-objects.

content-type headers had to be added to many mocks in order to support
this, some of this was done with a regex. While I did go over the
resulting files to check I didn't modify anything unrelated, there is a
 possibility I missed something.

Closes pleroma#1948
2020-11-12 15:25:33 +03:00
Steven Fuchs f2ef9735c5 Federate data through persistent websocket connections 2020-09-18 11:58:22 +00:00
Haelwenn (lanodan) Monnier f1f44069ae
Fetcher: Correctly return MRF reject reason 2020-09-11 20:00:41 +02:00
lain 9433311923 Merge branch 'bugfix/incoming-poll-emoji' into 'develop'
Fix emoji in Question, force generated context/context_id insertion

Closes #1870

See merge request pleroma/pleroma!2915
2020-09-03 11:50:30 +00:00
Alexander Strizhakov 79f65b4374
correct pool and uniform headers format 2020-09-02 09:16:51 +03:00
Haelwenn (lanodan) Monnier d9a21e4784
fetcher: Remove fix_object call for Question activities 2020-09-01 08:35:00 +02:00
Haelwenn (lanodan) Monnier b1fc4fe0ca
fetcher: fallback to [] when to/cc is nil
Related: https://git.pleroma.social/pleroma/pleroma/-/issues/2063
2020-08-18 02:02:20 +02:00
Haelwenn (lanodan) Monnier ac2598307d
Merge remote-tracking branch 'pleroma/develop' into features/poll-validation 2020-07-31 13:57:21 +02:00
Haelwenn (lanodan) Monnier ad867ccfa1
fetcher: Reinject Question through validator 2020-07-15 11:39:55 +02:00
Haelwenn (lanodan) Monnier 6b9c4bc1f1
fetcher: more descriptive variable names 2020-07-15 11:39:55 +02:00
Haelwenn (lanodan) Monnier ce243b107f
Use Logger.info for {:reject, reason} 2020-07-13 15:26:31 +02:00
Haelwenn (lanodan) Monnier 1566543bec
object/fetcher: Pass full Transmogrifier error 2020-06-26 20:10:47 +02:00
Alexander Strizhakov 509c81e4b1
Merge branch 'develop' into gun 2020-03-03 10:08:07 +03:00
Haelwenn (lanodan) Monnier 6da6540036
Bump copyright years of files changed after 2020-01-07
Done via the following command:
git diff fcd5dd259a --stat --name-only | xargs sed -i '/Pleroma Authors/c# Copyright © 2017-2020 Pleroma Authors <https:\/\/pleroma.social\/>'
2020-03-02 06:08:45 +01:00
Alexander Strizhakov 814b275af7
Merge branch 'develop' into gun 2020-02-29 11:34:50 +03:00
Alexander Strizhakov 514c899275
adding gun adapter 2020-02-18 08:19:01 +03:00
Ivan Tashkinov 269d592181 [#1505] Restricted max thread distance for fetching replies on incoming federation (in addition to reply-to depth restriction). 2020-02-15 20:41:38 +03:00
rinpatch 6e6f1ead31 Merge branch 'no-error-404' into 'develop'
Log at debug level for object deletion, not error.

See merge request pleroma/pleroma!2066
2020-01-22 17:55:49 +00:00
Phil Hagelberg 02c3031e99 Don't log when users or objects are deleted. 2019-12-13 12:05:53 -08:00
Egor Kislitsyn a37bd5c255 Change log level 2019-12-10 15:08:57 +07:00
rinpatch 9f29930440 fetcher: move local object checking into a reusable function 2019-11-23 22:55:41 +03:00
rinpatch 32afa07995 Fetcher: fix local check returning unwrapped object
This resulted in error messages about failed refetches being logged.
2019-11-07 01:40:55 +03:00
rinpatch 54746c6c26 Object Fetcher: set cache after reinjecting
Probably fixes the issue hj had, where polls would have different
counters between endpoints.
2019-11-06 14:00:03 +03:00
stwf 2ab072f949 object fetcher error handling 2019-10-24 12:08:34 -04:00
Ariadne Conill 3c785b85a6 object: fetcher: fix up formatting 2019-10-18 14:50:10 +00:00
Ariadne Conill a177f22e02 object: fetcher: improve error reporting 2019-10-18 14:50:10 +00:00
Ariadne Conill 6f110fc04c object fetcher: fix up error handling 2019-10-18 14:50:09 +00:00
Ariadne Conill 48059c03c9 fix up some tests 2019-10-18 14:50:09 +00:00
Ariadne Conill d379b48769 kill almost all of the OStatus module 2019-10-18 14:50:09 +00:00
Maksim Pechnikov d4ed3a35b8 Merge branch 'develop' into test/activity_pub/transmogrifier.ex 2019-09-19 07:35:34 +03:00
rinpatch 5028b7b578 Fix credo issues 2019-09-18 22:09:03 +03:00
rinpatch c096dd86e5 Do not refetch local objects 2019-09-18 20:01:26 +03:00
rinpatch eb87a86b5b Preserve internal fields when reinjecting 2019-09-18 19:53:51 +03:00
rinpatch e3f902b3a1 Set updated_at even if the object stayed the same 2019-09-18 19:07:25 +03:00