UA-Fediland/pixelfed
2
0
Fork 0
mirror of https://github.com/pixelfed/pixelfed.git synced 2024-11-18 04:21:27 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #5252 from pixelfed/staging

Browse source 
Add Authorized Fetch
This commit is contained in:
daniel 2024-08-07 22:28:08 -06:00 committed by GitHub
commit 2ebe714821
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 216 additions and 161 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/Http/Controllers/Admin/AdminSettingsController.php
View file

@ -531,6 +531,7 @@ trait AdminSettingsController
'registration_status' => 'required|in:open,filtered,closed', 'registration_status' => 'required|in:open,filtered,closed',
'cloud_storage' => 'required', 'cloud_storage' => 'required',
'activitypub_enabled' => 'required', 'activitypub_enabled' => 'required',
'authorized_fetch' => 'required',
'account_migration' => 'required', 'account_migration' => 'required',
'mobile_apis' => 'required', 'mobile_apis' => 'required',
'stories' => 'required', 'stories' => 'required',
@ -555,6 +556,7 @@ trait AdminSettingsController
} }
} }
} }
ConfigCacheService::put('federation.activitypub.authorized_fetch', $request->boolean('authorized_fetch'));
ConfigCacheService::put('federation.activitypub.enabled', $request->boolean('activitypub_enabled')); ConfigCacheService::put('federation.activitypub.enabled', $request->boolean('activitypub_enabled'));
ConfigCacheService::put('federation.migration', $request->boolean('account_migration')); ConfigCacheService::put('federation.migration', $request->boolean('account_migration'));
ConfigCacheService::put('pixelfed.oauth_enabled', $request->boolean('mobile_apis')); ConfigCacheService::put('pixelfed.oauth_enabled', $request->boolean('mobile_apis'));

1
app/Services/AdminSettingsService.php
View file

@ -37,6 +37,7 @@ class AdminSettingsService
'registration_status' => $regState, 'registration_status' => $regState,
'cloud_storage' => $cloud_ready && $cloud_storage, 'cloud_storage' => $cloud_ready && $cloud_storage,
'activitypub_enabled' => (bool) config_cache('federation.activitypub.enabled'), 'activitypub_enabled' => (bool) config_cache('federation.activitypub.enabled'),
'authorized_fetch' => (bool) config_cache('federation.activitypub.authorized_fetch'),
'account_migration' => (bool) config_cache('federation.migration'), 'account_migration' => (bool) config_cache('federation.migration'),
'mobile_apis' => (bool) config_cache('pixelfed.oauth_enabled'), 'mobile_apis' => (bool) config_cache('pixelfed.oauth_enabled'),
'stories' => (bool) config_cache('instance.stories.enabled'), 'stories' => (bool) config_cache('instance.stories.enabled'),

1
app/Services/ConfigCacheService.php
View file

@ -46,6 +46,7 @@ class ConfigCacheService
'pixelfed.oauth_enabled', 'pixelfed.oauth_enabled',
'pixelfed.import.instagram.enabled', 'pixelfed.import.instagram.enabled',
'pixelfed.bouncer.enabled', 'pixelfed.bouncer.enabled',
'federation.activitypub.authorized_fetch',
'pixelfed.enforce_email_verification', 'pixelfed.enforce_email_verification',
'pixelfed.max_account_size', 'pixelfed.max_account_size',

88
app/Util/ActivityPub/Helpers.php
View file

@ -25,6 +25,8 @@ use Cache;
use Carbon\Carbon; use Carbon\Carbon;
use Illuminate\Support\Str; use Illuminate\Support\Str;
use Illuminate\Validation\Rule; use Illuminate\Validation\Rule;
use League\Uri\Exceptions\UriException;
use League\Uri\Uri;
use Purify; use Purify;
use Validator; use Validator;
@ -153,61 +155,74 @@ class Helpers
return in_array($url, $audience['to']) || in_array($url, $audience['cc']); return in_array($url, $audience['to']) || in_array($url, $audience['cc']);
} }
public static function validateUrl($url) public static function validateUrl($url = null, $disableDNSCheck = false)
{ {
if (is_array($url)) { if (is_array($url) && ! empty($url)) {
$url = $url[0]; $url = $url[0];
} }
if (! $url || strlen($url) === 0) {
return false;
}
try {
$uri = Uri::new($url);
$hash = hash('sha256', $url); if (! $uri) {
$key = "helpers:url:valid:sha256-{$hash}"; return false;
}
if ($uri->getScheme() !== 'https') {
return false;
}
$host = $uri->getHost();
if (! $host || $host === '') {
return false;
}
if (! filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
return false;
}
if (! str_contains($host, '.')) {
return false;
}
$valid = Cache::remember($key, 900, function () use ($url) {
$localhosts = [ $localhosts = [
'127.0.0.1', 'localhost', '::1', 'localhost',
'127.0.0.1',
'::1',
'broadcasthost',
'ip6-localhost',
'ip6-loopback',
]; ];
if (strtolower(mb_substr($url, 0, 8)) !== 'https://') {
return false;
}
if (substr_count($url, '://') !== 1) {
return false;
}
if (mb_substr($url, 0, 8) !== 'https://') {
$url = 'https://'.substr($url, 8);
}
$valid = filter_var($url, FILTER_VALIDATE_URL);
if (! $valid) {
return false;
}
$host = parse_url($valid, PHP_URL_HOST);
if (in_array($host, $localhosts)) { if (in_array($host, $localhosts)) {
return false; return false;
} }
if (config('security.url.verify_dns')) { if ($disableDNSCheck !== true && app()->environment() === 'production' && (bool) config('security.url.verify_dns')) {
if (DomainService::hasValidDns($host) === false) { $hash = hash('sha256', $host);
$key = "helpers:url:valid-dns:sha256-{$hash}";
$domainValidDns = Cache::remember($key, 14440, function () use ($host) {
return DomainService::hasValidDns($host);
});
if (! $domainValidDns) {
return false; return false;
} }
} }
if (app()->environment() === 'production') { if ($disableDNSCheck !== true && app()->environment() === 'production') {
$bannedInstances = InstanceService::getBannedDomains(); $bannedInstances = InstanceService::getBannedDomains();
if (in_array($host, $bannedInstances)) { if (in_array($host, $bannedInstances)) {
return false; return false;
} }
} }
return $url; return $uri->toString();
}); } catch (UriException $e) {
return false;
return $valid; }
} }
public static function validateLocalUrl($url) public static function validateLocalUrl($url)
@ -215,7 +230,12 @@ class Helpers
$url = self::validateUrl($url); $url = self::validateUrl($url);
if ($url == true) { if ($url == true) {
$domain = config('pixelfed.domain.app'); $domain = config('pixelfed.domain.app');
$host = parse_url($url, PHP_URL_HOST);
$uri = Uri::new($url);
$host = $uri->getHost();
if (! $host || empty($host)) {
return false;
}
$url = strtolower($domain) === strtolower($host) ? $url : false; $url = strtolower($domain) === strtolower($host) ? $url : false;
return $url; return $url;

43
app/Util/ActivityPub/HttpSignature.php
View file

@ -2,19 +2,20 @@
namespace App\Util\ActivityPub; namespace App\Util\ActivityPub;
use Cache, Log;
use App\Models\InstanceActor; use App\Models\InstanceActor;
use App\Profile; use App\Profile;
use \DateTime; use Cache;
use DateTime;
class HttpSignature {
class HttpSignature
{
/* /*
* source: https://github.com/aaronpk/Nautilus/blob/master/app/ActivityPub/HTTPSignature.php * source: https://github.com/aaronpk/Nautilus/blob/master/app/ActivityPub/HTTPSignature.php
* thanks aaronpk! * thanks aaronpk!
*/ */
public static function sign(Profile $profile, $url, $body = false, $addlHeaders = []) { public static function sign(Profile $profile, $url, $body = false, $addlHeaders = [])
{
if ($body) { if ($body) {
$digest = self::_digest($body); $digest = self::_digest($body);
} }
@ -56,7 +57,8 @@ class HttpSignature {
return $headers; return $headers;
} }
public static function parseSignatureHeader($signature) { public static function parseSignatureHeader($signature)
{
$parts = explode(',', $signature); $parts = explode(',', $signature);
$signatureData = []; $signatureData = [];
@ -68,26 +70,33 @@ class HttpSignature {
if (! isset($signatureData['keyId'])) { if (! isset($signatureData['keyId'])) {
return [ return [
'error' => 'No keyId was found in the signature header. Found: '.implode(', ', array_keys($signatureData)) 'error' => 'No keyId was found in the signature header. Found: '.implode(', ', array_keys($signatureData)),
]; ];
} }
if (! filter_var($signatureData['keyId'], FILTER_VALIDATE_URL)) { if (! filter_var($signatureData['keyId'], FILTER_VALIDATE_URL)) {
return [ return [
'error' => 'keyId is not a URL: '.$signatureData['keyId'] 'error' => 'keyId is not a URL: '.$signatureData['keyId'],
];
}
if (! Helpers::validateUrl($signatureData['keyId'])) {
return [
'error' => 'keyId is not a URL: '.$signatureData['keyId'],
]; ];
} }
if (! isset($signatureData['headers']) || ! isset($signatureData['signature'])) { if (! isset($signatureData['headers']) || ! isset($signatureData['signature'])) {
return [ return [
'error' => 'Signature is missing headers or signature parts' 'error' => 'Signature is missing headers or signature parts',
]; ];
} }
return $signatureData; return $signatureData;
} }
public static function verify($publicKey, $signatureData, $inputHeaders, $path, $body) { public static function verify($publicKey, $signatureData, $inputHeaders, $path, $body)
{
$digest = 'SHA-256='.base64_encode(hash('sha256', $body, true)); $digest = 'SHA-256='.base64_encode(hash('sha256', $body, true));
$headersToSign = []; $headersToSign = [];
foreach (explode(' ', $signatureData['headers']) as $h) { foreach (explode(' ', $signatureData['headers']) as $h) {
@ -106,26 +115,31 @@ class HttpSignature {
return [$verified, $signingString]; return [$verified, $signingString];
} }
private static function _headersToSigningString($headers) { private static function _headersToSigningString($headers)
{
return implode("\n", array_map(function ($k, $v) { return implode("\n", array_map(function ($k, $v) {
return strtolower($k).': '.$v; return strtolower($k).': '.$v;
}, array_keys($headers), $headers)); }, array_keys($headers), $headers));
} }
private static function _headersToCurlArray($headers) { private static function _headersToCurlArray($headers)
{
return array_map(function ($k, $v) { return array_map(function ($k, $v) {
return "$k: $v"; return "$k: $v";
}, array_keys($headers), $headers); }, array_keys($headers), $headers);
} }
private static function _digest($body) { private static function _digest($body)
{
if (is_array($body)) { if (is_array($body)) {
$body = json_encode($body); $body = json_encode($body);
} }
return base64_encode(hash('sha256', $body, true)); return base64_encode(hash('sha256', $body, true));
} }
protected static function _headersToSign($url, $digest = false, $method = 'post') { protected static function _headersToSign($url, $digest = false, $method = 'post')
{
$date = new DateTime('UTC'); $date = new DateTime('UTC');
if (! in_array($method, ['post', 'get'])) { if (! in_array($method, ['post', 'get'])) {
@ -143,5 +157,4 @@ class HttpSignature {
return $headers; return $headers;
} }
} }

1
composer.json
View file

@ -29,6 +29,7 @@
"laravel/ui": "^4.2", "laravel/ui": "^4.2",
"league/flysystem-aws-s3-v3": "^3.0", "league/flysystem-aws-s3-v3": "^3.0",
"league/iso3166": "^2.1|^4.0", "league/iso3166": "^2.1|^4.0",
"league/uri": "^7.4",
"pbmedia/laravel-ffmpeg": "^8.0", "pbmedia/laravel-ffmpeg": "^8.0",
"phpseclib/phpseclib": "~2.0", "phpseclib/phpseclib": "~2.0",
"pixelfed/fractal": "^0.18.0", "pixelfed/fractal": "^0.18.0",

2
composer.lock generated
View file

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "c055c4b1ba26004ab6951e9dba4b4508", "content-hash": "fecc0efcc40880a422690feefedef584",
"packages": [ "packages": [
{ {
"name": "aws/aws-crt-php", "name": "aws/aws-crt-php",

2
config/federation.php
View file

@ -30,6 +30,8 @@ return [
'ingest' => [ 'ingest' => [
'store_notes_without_followers' => env('AP_INGEST_STORE_NOTES_WITHOUT_FOLLOWERS', false), 'store_notes_without_followers' => env('AP_INGEST_STORE_NOTES_WITHOUT_FOLLOWERS', false),
], ],
'authorized_fetch' => env('AUTHORIZED_FETCH', false),
], ],
'atom' => [ 'atom' => [

15
resources/assets/components/admin/AdminSettings.vue
View file

@ -63,6 +63,13 @@
@change="handleChange($event, 'features', 'activitypub_enabled')" @change="handleChange($event, 'features', 'activitypub_enabled')"
/> />
<checkbox
name="Authorized Fetch Mode"
:value="features.authorized_fetch"
description="Strictly enforce domain restrictions by enabling Authorized Fetch mode."
@change="handleChange($event, 'features', 'authorized_fetch')"
/>
<checkbox <checkbox
name="Account Migration" name="Account Migration"
:value="features.account_migration" :value="features.account_migration"
@ -93,6 +100,13 @@
@change="handleChange($event, 'features', 'instagram_import')" @change="handleChange($event, 'features', 'instagram_import')"
/> />
<!-- <checkbox
name="Allowlist Mode"
:value="features.activitypub_enabled"
description="Permit interactions only with instances you specifically authorize, both for sending and receiving."
@change="handleChange($event, 'features', 'activitypub_enabled')"
/> -->
<checkbox <checkbox
name="Spam detection" name="Spam detection"
:value="features.autospam_enabled" :value="features.autospam_enabled"
@ -1268,6 +1282,7 @@
stories: this.features.stories, stories: this.features.stories,
instagram_import: this.features.instagram_import, instagram_import: this.features.instagram_import,
autospam_enabled: this.features.autospam_enabled, autospam_enabled: this.features.autospam_enabled,
authorized_fetch: this.features.authorized_fetch,
}).then(res => { }).then(res => {
this.isSubmitting = false; this.isSubmitting = false;
this.isSubmittingTimeout = true; this.isSubmittingTimeout = true;