Merge branch 'security/digest-signature-validation' into 'develop'
digest signature validation See merge request pleroma/pleroma!260
This commit is contained in:
commit
ab4b4538ce
10
lib/pleroma/plugs/digest.ex
Normal file
10
lib/pleroma/plugs/digest.ex
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
defmodule Pleroma.Web.Plugs.DigestPlug do
|
||||||
|
alias Plug.Conn
|
||||||
|
require Logger
|
||||||
|
|
||||||
|
def read_body(conn, opts) do
|
||||||
|
{:ok, body, conn} = Conn.read_body(conn, opts)
|
||||||
|
digest = "SHA-256=" <> (:crypto.hash(:sha256, body) |> Base.encode64())
|
||||||
|
{:ok, body, Conn.assign(conn, :digest, digest)}
|
||||||
|
end
|
||||||
|
end
|
@ -19,6 +19,8 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
|
|||||||
|
|
||||||
cond do
|
cond do
|
||||||
signature && String.contains?(signature, user) ->
|
signature && String.contains?(signature, user) ->
|
||||||
|
# set (request-target) header to the appropriate value
|
||||||
|
# we also replace the digest header with the one we computed
|
||||||
conn =
|
conn =
|
||||||
conn
|
conn
|
||||||
|> put_req_header(
|
|> put_req_header(
|
||||||
@ -26,6 +28,14 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
|
|||||||
String.downcase("#{conn.method}") <> " #{conn.request_path}"
|
String.downcase("#{conn.method}") <> " #{conn.request_path}"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
conn =
|
||||||
|
if conn.assigns[:digest] do
|
||||||
|
conn
|
||||||
|
|> put_req_header("digest", conn.assigns[:digest])
|
||||||
|
else
|
||||||
|
conn
|
||||||
|
end
|
||||||
|
|
||||||
assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
|
assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
|
||||||
|
|
||||||
signature ->
|
signature ->
|
||||||
|
@ -641,8 +641,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|
|||||||
Logger.info("Federating #{id} to #{inbox}")
|
Logger.info("Federating #{id} to #{inbox}")
|
||||||
host = URI.parse(inbox).host
|
host = URI.parse(inbox).host
|
||||||
|
|
||||||
|
digest = "SHA-256=" <> (:crypto.hash(:sha256, json) |> Base.encode64())
|
||||||
|
|
||||||
signature =
|
signature =
|
||||||
Pleroma.Web.HTTPSignatures.sign(actor, %{host: host, "content-length": byte_size(json)})
|
Pleroma.Web.HTTPSignatures.sign(actor, %{
|
||||||
|
host: host,
|
||||||
|
"content-length": byte_size(json),
|
||||||
|
digest: digest
|
||||||
|
})
|
||||||
|
|
||||||
@httpoison.post(
|
@httpoison.post(
|
||||||
inbox,
|
inbox,
|
||||||
|
@ -35,7 +35,8 @@ defmodule Pleroma.Web.Endpoint do
|
|||||||
parsers: [:urlencoded, :multipart, :json],
|
parsers: [:urlencoded, :multipart, :json],
|
||||||
pass: ["*/*"],
|
pass: ["*/*"],
|
||||||
json_decoder: Jason,
|
json_decoder: Jason,
|
||||||
length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit)
|
length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit),
|
||||||
|
body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(Plug.MethodOverride)
|
plug(Plug.MethodOverride)
|
||||||
|
Loading…
Reference in New Issue
Block a user