
reserve .well-known username #7637

Merged

Conversation

@ashimokawa
Contributor

commented Jul 26, 2019

This PR is meant to prevent a scenario where a user creates an account ".well-known" and then a repo with an auth key filename, so that for example https://codeberg.org/.well_known/authkey-for-whatever.txt becomes valid. The "authkey-for-whatever.txt" can then have the required data inside its description.

It actually happened to us. But we do not know yet whether it was successful. (EDIT: it was)

Generally it is hard to fix such attacks: what if a service just wants a file in the root directory called 3435345345342523534.html? Then a user account with a description would suffice.

It also depends on whether the remote accepts files with a lot of HTML, or whether it expects the data to be plain text starting in line 1.

@techknowlogick techknowlogick added this to the 1.10.0 milestone Jul 26, 2019

@techknowlogick

Member

commented Jul 26, 2019

Thanks for PR :)

@GiteaBot GiteaBot added lgtm/done and removed lgtm/need 1 labels Jul 26, 2019

@mrsdizzie

Contributor

commented Jul 26, 2019

Agree this should be reserved, but I don't think it's actually possible to access a file by .well-known/filename in any case, as it will always have /src or /raw and also branch or commit information.

@ashimokawa

Contributor Author

commented Jul 26, 2019

@mrsdizzie
The URL is valid and looks just as expected for the remote in the above scenario. When getting the file with wget, the description is inside the HTML file, and that might suffice for some validators if they say "in the file just write xyz somewhere". In our case it was brave.com with a token here https://codeberg.org/.well-known/brave-rewards-verification.txt (locked the repo now), but the file content had, inside all the HTML code:

Domain: codeberg.org
Token: XXXXXXXXXXXXXXXXXXXXXXX (redacted)

including the line breaks, so src or raw is not necessary if the parser ignores HTML.

We do not know if the attack succeeded.
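The distinction the thread keeps returning to is how the remote validator parses the fetched file. The following Go program is an added illustration, not code from this PR or from any verification service: it contrasts a lenient parser that searches for the two lines anywhere in the body (which is what the thread says accepted a repository page) with a strict parser that requires a text/plain response whose first two lines are exactly the expected ones. The HTML page and the token value are constructed samples (the token is the thread's redacted placeholder).

```go
package main

import (
	"bufio"
	"fmt"
	"mime"
	"regexp"
	"strings"
)

// Values the validator expects to find. The token is the redacted placeholder
// from the thread, not a real secret.
const (
	wantDomain = "codeberg.org"
	wantToken  = "XXXXXXXXXXXXXXXXXXXXXXX"
)

// Constructed sample: the genuine plain-text verification file.
const plainVerification = "Domain: " + wantDomain + "\nToken: " + wantToken + "\n"

// Constructed sample (hypothetical markup, not a capture): a repository page
// served at /.well-known/brave-rewards-verification.txt whose description
// block reproduces the two lines verbatim, line breaks included.
const repoPageHTML = "<!DOCTYPE html>\n" +
	"<html><head><title>.well-known/brave-rewards-verification.txt</title></head>\n" +
	"<body>\n<p class=\"repo-description\">\n" +
	plainVerification +
	"</p>\n</body></html>\n"

// (?m) makes ^ and $ match at every line, so the lines may sit anywhere.
var (
	domainRe = regexp.MustCompile(`(?m)^\s*Domain:\s*(\S+)\s*$`)
	tokenRe  = regexp.MustCompile(`(?m)^\s*Token:\s*(\S+)\s*$`)
)

// lenientVerify ignores everything around the two lines, so HTML wrapping
// does not matter: a repository description is enough to satisfy it.
func lenientVerify(body string) bool {
	d := domainRe.FindStringSubmatch(body)
	t := tokenRe.FindStringSubmatch(body)
	return d != nil && t != nil && d[1] == wantDomain && t[1] == wantToken
}

// strictVerify requires the response to be served as text/plain and the two
// expected lines to be the first two lines of the body; an HTML page fails
// on both counts.
func strictVerify(contentType, body string) bool {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil || mediaType != "text/plain" {
		return false
	}
	sc := bufio.NewScanner(strings.NewReader(body))
	if !sc.Scan() || strings.TrimSpace(sc.Text()) != "Domain: "+wantDomain {
		return false
	}
	if !sc.Scan() || strings.TrimSpace(sc.Text()) != "Token: "+wantToken {
		return false
	}
	return true
}

func main() {
	fmt.Println("lenient, HTML page: ", lenientVerify(repoPageHTML))
	fmt.Println("strict,  HTML page: ", strictVerify("text/html; charset=utf-8", repoPageHTML))
	fmt.Println("strict,  plain file:", strictVerify("text/plain", plainVerification))
}
```

The content-type check alone already defeats the repository-page case, because a forge serves its pages as text/html; requiring the lines at the top of the body additionally defeats any plain-text endpoint that echoes user-controlled text after a preamble.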

@ashimokawa

Contributor Author

commented Jul 26, 2019

To clarify: the repo name is the filename, not a file inside a repo; the description is then misused to carry the actual payload.

@mrsdizzie

Contributor

commented Jul 26, 2019

Ah OK, I see, that's clearer.

@codecov-io


commented Jul 26, 2019

Codecov Report

Merging #7637 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #7637   +/-   ##
=======================================
  Coverage   41.27%   41.27%           
=======================================
  Files         469      469           
  Lines       63716    63716           
=======================================
  Hits        26299    26299           
  Misses      33992    33992           
  Partials     3425     3425
Impacted Files      Coverage Δ
models/user.go      50.5% <ø> (ø) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c22b741...0b8ef59.

@techknowlogick techknowlogick merged commit cdaf9a5 into go-gitea:master Jul 26, 2019

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr Build is passing
@techknowlogick

Member

commented Jul 26, 2019

@ashimokawa please send backport to release/v1.9 branch :)

@ashimokawa ashimokawa deleted the Codeberg-org:reserve-well-known-names branch Jul 26, 2019

@Codeberg-org Codeberg-org restored the Codeberg-org:reserve-well-known-names branch Jul 26, 2019

@Codeberg-org Codeberg-org deleted the Codeberg-org:reserve-well-known-names branch Jul 26, 2019

@ashimokawa

Contributor Author

commented Jul 26, 2019

For the record: the attack was successful, so the remote did accept the content inside the HTML file.

@zeripath

Contributor

commented Jul 26, 2019

I think in this context it should be backported to the 1.8 branch too.

@ashimokawa

Contributor Author

commented Jul 26, 2019

In our case someone tries to make money from the Brave browser in our name by claiming to be the owner of codeberg.org. A transfer takes 10 days; the problem is that this can happen with every Gitea instance and might go unnoticed, since everyone can delete his account after successfully taking something over.

@gsantner

Contributor

commented Jul 28, 2019

Why is this even possible? Shouldn't it be impossible, i.e. shouldn't validation disallow any username starting with a dot? Usually a username means an alphanumeric character first.

Btw, this is also allowed:

  • logout, signup, register
  • favicon.ico, favicon.png
  • index.html / index.php
  • atom.xml, site.json, sitemap.xml
  • google39f1asdsad.html (for Google Search Console)

It shouldn't be a problem for most stuff, I guess. But maybe please have a look 😄.

When creating a user/org called favicon.ico, you get a redirection/loop error ;). I guess with some combined brainstorming there are more things to consider illegal/reserved, maybe also security relevant.
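The PR itself adds ".well-known" to the reserved-name list; the comment above argues for a rule rather than a list (no leading dot), and the opening comment notes that a service may ask for any root-level file name. The Go program below is an added example, not Gitea's own validation code: it layers the three checks a forge can apply to a username or organisation name before it becomes the first URL path segment. The reserved-name list is constructed from the names mentioned in this thread only, and the file-extension pattern is an assumption of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed reserved-name list for this example: the name this PR reserves
// (.well-known) plus the names raised in the discussion. Not Gitea's list.
var reservedNames = map[string]bool{
	".well-known": true,
	"logout":      true,
	"signup":      true,
	"register":    true,
	"favicon.ico": true,
	"favicon.png": true,
	"index.html":  true,
	"index.php":   true,
	"atom.xml":    true,
	"site.json":   true,
	"sitemap.xml": true,
}

var (
	// Rule 1: first character must be alphanumeric, so ".well-known" and any
	// other dot-file is refused before the list is even consulted.
	validName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

	// Rule 3 (assumed extension set): names ending in an extension that
	// site-root verification schemes use, e.g. google39f1asdsad.html, are
	// refused as a class rather than enumerated one by one.
	fileLike = regexp.MustCompile(`\.(html?|php|ico|png|xml|json|txt)$`)
)

// checkUsername returns nil if name may be registered, otherwise an error
// naming the rule that rejected it. Comparison is case-insensitive because
// the name becomes a URL path segment that is matched case-insensitively
// by most validators.
func checkUsername(name string) error {
	lower := strings.ToLower(name)
	switch {
	case !validName.MatchString(name):
		return fmt.Errorf("%q: must start with a letter or digit and use only letters, digits, '.', '-' and '_'", name)
	case reservedNames[lower]: // Rule 2: explicit reserved list
		return fmt.Errorf("%q: reserved name", name)
	case fileLike.MatchString(lower):
		return fmt.Errorf("%q: looks like a file served from the site root", name)
	}
	return nil
}

func main() {
	for _, n := range []string{".well-known", "favicon.ico", "google39f1asdsad.html", "Logout", "ashimokawa"} {
		if err := checkUsername(n); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", n)
		}
	}
}
```

Applying the GitHub rule mentioned later in the thread (no '.' in names at all) would make the second and third checks redundant for file-like names, at the cost of rejecting existing accounts that contain dots; the layered form above lets an instance keep such accounts while still closing the site-root verification path.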

@zeripath

Contributor

commented Jul 28, 2019

This is the result of following GitHub in this regard. It really was a bad design to stick the username as the base segment in the URL.

There seem to be a number of repositories that have attempted to list the names that are reserved on GitHub, e.g.:

https://github.com/shouldbee/reserved-usernames
https://github.com/Mottie/github-reserved-names

These lists appear huge!

GitHub doesn't appear to allow . in its names, which means that it doesn't get affected by this favicon issue.

We may want to take a look at these.
