From 2bef3e415da4b42a1667cba8244aaaa094d4df75 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Fri, 14 Jul 2023 03:10:48 -0600 Subject: [PATCH 1/3] Update AP Helpers, improve url validation and add optional dns verification, disabled by default --- app/Services/DomainService.php | 28 ++++++++++++++++++++++++++ app/Util/ActivityPub/Helpers.php | 34 ++++++++++++++++---------------- config/security.php | 9 +++++++++ 3 files changed, 54 insertions(+), 17 deletions(-) create mode 100644 app/Services/DomainService.php create mode 100644 config/security.php diff --git a/app/Services/DomainService.php b/app/Services/DomainService.php new file mode 100644 index 000000000..01f050ca0 --- /dev/null +++ b/app/Services/DomainService.php @@ -0,0 +1,28 @@ + 0; + }); + } +} diff --git a/app/Util/ActivityPub/Helpers.php b/app/Util/ActivityPub/Helpers.php index 243b92482..7f47a8fea 100644 --- a/app/Util/ActivityPub/Helpers.php +++ b/app/Util/ActivityPub/Helpers.php @@ -40,6 +40,7 @@ use App\Models\Poll; use Illuminate\Contracts\Cache\LockTimeoutException; use App\Jobs\ProfilePipeline\IncrementPostCount; use App\Jobs\ProfilePipeline\DecrementPostCount; +use App\Services\DomainService; use App\Services\UserFilterService; class Helpers { @@ -168,17 +169,24 @@ class Helpers { $hash = hash('sha256', $url); $key = "helpers:url:valid:sha256-{$hash}"; - $ttl = now()->addMinutes(5); - $valid = Cache::remember($key, $ttl, function() use($url) { + $valid = Cache::remember($key, 900, function() use($url) { $localhosts = [ '127.0.0.1', 'localhost', '::1' ]; - if(mb_substr($url, 0, 8) !== 'https://') { + if(strtolower(mb_substr($url, 0, 8)) !== 'https://') { return false; } + if(substr_count($url, '://') !== 1) { + return false; + } + + if(mb_substr($url, 0, 8) !== 'https://') { + $url = 'https://' . substr($url, 8); + } + $valid = filter_var($url, FILTER_VALIDATE_URL); if(!$valid) { 
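Review bot: `substr_count($url, '://') !== 1` in the new pre-check rejects otherwise valid URLs whose query string embeds a second URL (a `?next=https://...` parameter), which `filter_var` and the host checks further down would accept; if the intent is to refuse a second scheme inside the authority part, the `parse_url` host check that follows `filter_var` already covers it, so the line can be dropped or at least documented with `// reject a second scheme anywhere in the string, including the query`. The normalisation `$url = 'https://' . substr($url, 8);` is safe because the preceding test has just established that the first eight characters are ASCII `https://` in some case, but mixing `mb_substr` in the test with `substr` in the rewrite reads as accidental; `$url = 'https://' . mb_substr($url, 8);` keeps it uniform. The cache key is the hash of the un-normalised `$url`, so differently cased schemes get separate cache entries; harmless, but worth a one-line comment. The `Cache::remember` closure continues past the end of this hunk.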
@@ -187,15 +195,12 @@ class Helpers { $host = parse_url($valid, PHP_URL_HOST); - // if(count(dns_get_record($host, DNS_A | DNS_AAAA)) == 0) { - // return false; - // } + if(in_array($host, $localhosts)) { + return false; + } - if(config('costar.enabled') == true) { - if( - (config('costar.domain.block') != null && Str::contains($host, config('costar.domain.block')) == true) || - (config('costar.actor.block') != null && in_array($url, config('costar.actor.block')) == true) - ) { + if(config('security.url.verify_dns')) { + if(DomainService::hasValidDns($host) === false) { return false; } } @@ -207,11 +212,6 @@ class Helpers { } } - - if(in_array($host, $localhosts)) { - return false; - } - return $url; }); @@ -224,7 +224,7 @@ class Helpers { if($url == true) { $domain = config('pixelfed.domain.app'); $host = parse_url($url, PHP_URL_HOST); - $url = $domain === $host ? $url : false; + $url = strtolower($domain) === strtolower($host) ? $url : false; return $url; } return false; diff --git a/config/security.php b/config/security.php new file mode 100644 index 000000000..a8f92360d --- /dev/null +++ b/config/security.php @@ -0,0 +1,9 @@ + [ + 'verify_dns' => env('PF_SECURITY_URL_VERIFY_DNS', false), + + 'trusted_domains' => env('PF_SECURITY_URL_TRUSTED_DOMAINS', 'pixelfed.social,pixelfed.art,mastodon.social'), + ] +]; From e0b48b2976d167ca402d774051e040d096f20db2 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Fri, 14 Jul 2023 04:28:37 -0600 Subject: [PATCH 2/3] Update admin users blade view, show last_active_at and other info --- resources/views/admin/users/show.blade.php | 151 ++++++++++++++++----- 1 file changed, 116 insertions(+), 35 deletions(-) diff --git a/resources/views/admin/users/show.blade.php b/resources/views/admin/users/show.blade.php index 7652db6ea..1a482467e 100644 --- a/resources/views/admin/users/show.blade.php +++ b/resources/views/admin/users/show.blade.php @@ -58,42 +58,82 @@ ADMIN
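Review bot: The relocated loopback check `in_array($host, $localhosts)` can never match its IPv6 entry, because `parse_url(..., PHP_URL_HOST)` returns an IPv6 literal with its brackets (`[::1]`), and the three-entry list leaves every other loopback, link-local and private address unexamined. A complete and narrower guard is to reject any host that is an IP literal outside public space, e.g. `$ip = trim($host, '[]'); if (filter_var($ip, FILTER_VALIDATE_IP) && !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { return false; }`, and the remaining string comparison should pass `true` as the strict flag. The new `DomainService::hasValidDns($host)` gate appears to confirm only that the name resolves, not what it resolves to (its body is unreadable in this patch, so that is inferred from the call), so it complements rather than replaces the address check. The enclosing `Cache::remember` closure and its function begin before and end after this hunk.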
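Review bot: In `$url = strtolower($domain) === strtolower($host) ? $url : false;` the right-hand `strtolower` runs on the raw `parse_url` result, which is `null` when the string has no host part; on PHP 8.1+ that emits a deprecation and on older versions silently compares against `''`. `$url = strcasecmp($domain, (string) $host) === 0 ? $url : false;` keeps the case-insensitive intent without the null path. If `$url` has already passed `validateUrl` the host is present in practice, but the guard costs nothing. The enclosing function starts outside this hunk.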

@endif -

- Joined {{$profile->created_at->diffForHumans()}} -

+ +
+
+

+ {{$profile->created_at->diffForHumans()}} +

+

+ Joined +

+
+ @if($user->last_active_at) +
+

+ {{$user->last_active_at->diffForHumans()}} +

+

+ Last Active +

+
+ @endif +
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
bookmarks{{$profile->bookmarks()->count()}}
collections{{$profile->collections()->count()}}
likes{{$profile->likes()->count()}}
reports{{$profile->reports()->count()}}
reported{{$profile->reported()->count()}}
Active stories{{$profile->stories()->count()}}
storage used{{PrettyNumber::size($profile->media()->sum('size'))}} / {{PrettyNumber::size(config_cache('pixelfed.max_account_size') * 1000)}}
+ +
+
+

email

+

{{$user->email}}

+
+ + @if($profile->website) +
+

website

+

{{$profile->website}}

+
+ @endif + +
+

bookmarks

+

{{$profile->bookmarks()->count()}}

+
+ +
+

collections

+

{{$profile->collections()->count()}}

+
+ +
+

likes

+

{{$profile->likes()->count()}}

+
+ +
+

reports

+

{{$profile->reports()->count()}}

+
+ +
+

reported

+

{{$profile->reported()->count()}}

+
+ +
+

active stories

+

{{$profile->stories()->count()}}

+
+ +
+

storage used

+

{{PrettyNumber::size($profile->media()->sum('size'))}} / {{PrettyNumber::size(config_cache('pixelfed.max_account_size') * 1000)}}

+
+ +
+

bio

+

{{ $profile->bio }}

+
+
@@ -119,3 +159,44 @@
@endsection + +@push('styles') + +@endpush From c07233a1c122959035977b8879b5d9b4b83787e1 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Fri, 14 Jul 2023 04:29:43 -0600 Subject: [PATCH 3/3] Update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 28aa63658..1e6807a2a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,8 @@
 - Update SearchApiV2Service, improve resolve query logic to better handle remote posts/profiles and local posts/profiles ([c61d0b91](https://github.com/pixelfed/pixelfed/commit/c61d0b91))
 - Update FollowPipeline, improve follower/following count calculation ([0b515767](https://github.com/pixelfed/pixelfed/commit/0b515767))
 - Update TransformImports command, increment status_count on profile model ([ba7551d8](https://github.com/pixelfed/pixelfed/commit/ba7551d8))
+- Update AP Helpers, improve url validation and add optional dns verification, disabled by default ([2bef3e41](https://github.com/pixelfed/pixelfed/commit/2bef3e41))
+- Update admin users blade view, show last_active_at and other info ([e0b48b29](https://github.com/pixelfed/pixelfed/commit/e0b48b29))
 - ([](https://github.com/pixelfed/pixelfed/commit/))
 
 ## [v0.11.8 (2023-05-29)](https://github.com/pixelfed/pixelfed/compare/v0.11.7...v0.11.8)