Security Hot fix: GHSA-3f39-6537-3cgc

nexryai · Nov 27, 2023 · b96da0e · b96da0e
1 parent 1321e3e
commit b96da0e
Showing 1 changed file with 123 additions and 52 deletions.
diff --git a/packages/backend/src/server/activitypub.ts b/packages/backend/src/server/activitypub.ts
@@ -1,52 +1,107 @@
-import Router from '@koa/router';
-import json from 'koa-json-body';
-import httpSignature from '@peertube/http-signature';
-
-import { renderActivity } from '@/remote/activitypub/renderer/index.js';
-import renderNote from '@/remote/activitypub/renderer/note.js';
-import renderKey from '@/remote/activitypub/renderer/key.js';
-import { renderPerson } from '@/remote/activitypub/renderer/person.js';
-import renderEmoji from '@/remote/activitypub/renderer/emoji.js';
-import Outbox, { packActivity } from './activitypub/outbox.js';
-import Followers from './activitypub/followers.js';
-import Following from './activitypub/following.js';
-import Featured from './activitypub/featured.js';
-import { inbox as processInbox } from '@/queue/index.js';
-import { isSelfHost } from '@/misc/convert-host.js';
-import { Notes, Users, Emojis, NoteReactions } from '@/models/index.js';
-import { ILocalUser, User } from '@/models/entities/user.js';
-import { In, IsNull, Not } from 'typeorm';
-import { renderLike } from '@/remote/activitypub/renderer/like.js';
-import { getUserKeypair } from '@/misc/keypair-store.js';
-import renderFollow from '@/remote/activitypub/renderer/follow.js';
+import Router from "@koa/router";
+import bodyParser from "koa-bodyparser";
+import * as crypto from 'crypto';
+import httpSignature from "@peertube/http-signature";
+
+import { In, IsNull, Not } from "typeorm";
+import config from "@/config/index.js";
+import { apLogger } from '@/remote/activitypub/logger.js';
+import { renderActivity } from "@/remote/activitypub/renderer/index.js";
+import renderNote from "@/remote/activitypub/renderer/note.js";
+import renderKey from "@/remote/activitypub/renderer/key.js";
+import { renderPerson } from "@/remote/activitypub/renderer/person.js";
+import renderEmoji from "@/remote/activitypub/renderer/emoji.js";
+import { inbox as processInbox } from "@/queue/index.js";
+import { isSelfHost } from "@/misc/convert-host.js";
+import { Notes, Users, Emojis, NoteReactions } from "@/models/index.js";
+import { ILocalUser, User } from "@/models/entities/user.js";
+import { renderLike } from "@/remote/activitypub/renderer/like.js";
+import { getUserKeypair } from "@/misc/keypair-store.js";
+import renderFollow from "@/remote/activitypub/renderer/follow.js";
+import Featured from "./activitypub/featured.js";
+import Following from "./activitypub/following.js";
+import Followers from "./activitypub/followers.js";
+import Outbox, { packActivity } from "./activitypub/outbox.js";
+import { IActivity } from "@/remote/activitypub/type.js";
+import Koa from "koa";
+
+const logger = apLogger;
 
 // Init router
 const router = new Router();
 
 //#region Routing
 
 function inbox(ctx: Router.RouterContext) {
-	let signature;
+	// 署名の検証
+	// referenced: https://github.com/mei23/misskey/pull/4749
+	let signature: httpSignature.IParsedSignature;
 
 	try {
-		signature = httpSignature.parseRequest(ctx.req, { 'headers': [] });
+		// ヘッダーの検証はライブラリに投げる
+		signature = httpSignature.parseRequest(ctx.req, { "headers": ["(request-target)", "digest", "host", "date"] });
 	} catch (e) {
+		logger.warn("inbox: signature parse error");
+		ctx.status = 401;
+		return;
+	}
+
+	// Digestヘッダーの検証
+	const digest = ctx.req.headers.digest;
+	if (typeof digest !== "string") {
+		//logger.warn("Invalid digest (not string)")
+		ctx.status = 401;
+		return;
+	}
+
+	const match = digest.match(/^([0-9A-Za-z-]+)=(.+)$/);
+
+	if (match == null) {
+		logger.warn("Invalid digest (match == null)")
+		ctx.status = 401;
+		return;
+	}
+
+	const digestAlgo = match[1];
+	const digestExpected = match[2];
+
+	if (digestAlgo.toUpperCase() !== "SHA-256") {
+		// アルゴリズムをサポートしていない
+		logger.warn("digestAlgo is not supported")
+		ctx.status = 401;
+		return;
+	}
+
+	const digestActual = crypto.createHash("sha256").update(ctx.request.rawBody).digest("base64")
+
+	if (digestExpected !== digestActual) {
+		// 不正なダイジェスト
+		logger.warn("Invalid digest (digestExpected !== digestActual)")
 		ctx.status = 401;
 		return;
 	}
 
-	processInbox(ctx.request.body, signature);
+
+	if (!signature.params.headers.includes("host") || ctx.headers.host !== config.host) {
+		// Host not specified or not match.
+		logger.warn("Invalid host header")
+		ctx.status = 400;
+		return;
+	}
+
+	const activity = ctx.request.body as IActivity;
+	processInbox(activity, signature);
 
 	ctx.status = 202;
 }
 
-const ACTIVITY_JSON = 'application/activity+json; charset=utf-8';
-const LD_JSON = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"; charset=utf-8';
+const ACTIVITY_JSON = "application/activity+json; charset=utf-8";
+const LD_JSON = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"; charset=utf-8";
 
 function isActivityPubReq(ctx: Router.RouterContext) {
-	ctx.response.vary('Accept');
-	const accepted = ctx.accepts('html', ACTIVITY_JSON, LD_JSON);
-	return typeof accepted === 'string' && !accepted.match(/html/);
+	ctx.response.vary("Accept");
+	const accepted = ctx.accepts("html", ACTIVITY_JSON, LD_JSON);
+	return typeof accepted === "string" && !accepted.match(/html/);
 }
 
 export function setResponseType(ctx: Router.RouterContext) {
@@ -58,17 +113,33 @@ export function setResponseType(ctx: Router.RouterContext) {
 	}
 }
 
+async function parseJsonBodyOrFail(ctx: Router.RouterContext, next: Koa.Next) {
+	const koaBodyParser = bodyParser({
+		enableTypes: ["json"],
+		detectJSON: () => true,
+	});
+
+	try {
+		await koaBodyParser(ctx, next);
+	}
+	catch {
+		ctx.status = 400;
+		return;
+	}
+}
+
+
 // inbox
-router.post('/inbox', json(), inbox);
-router.post('/users/:user/inbox', json(), inbox);
+router.post("/inbox", parseJsonBodyOrFail, inbox);
+router.post("/users/:user/inbox", parseJsonBodyOrFail, inbox);
 
 // note
-router.get('/notes/:note', async (ctx, next) => {
+router.get("/notes/:note", async (ctx, next) => {
 	if (!isActivityPubReq(ctx)) return await next();
 
 	const note = await Notes.findOneBy({
 		id: ctx.params.note,
-		visibility: In(['public' as const, 'home' as const]),
+		visibility: In(["public" as const, "home" as const]),
 		localOnly: false,
 	});
 
@@ -88,16 +159,16 @@ router.get('/notes/:note', async (ctx, next) => {
 	}
 
 	ctx.body = renderActivity(await renderNote(note, false));
-	ctx.set('Cache-Control', 'public, max-age=180');
+	ctx.set("Cache-Control", "public, max-age=180");
 	setResponseType(ctx);
 });
 
 // note activity
-router.get('/notes/:note/activity', async ctx => {
+router.get("/notes/:note/activity", async ctx => {
 	const note = await Notes.findOneBy({
 		id: ctx.params.note,
 		userHost: IsNull(),
-		visibility: In(['public' as const, 'home' as const]),
+		visibility: In(["public" as const, "home" as const]),
 		localOnly: false,
 	});
 
@@ -107,24 +178,24 @@ router.get('/notes/:note/activity', async ctx => {
 	}
 
 	ctx.body = renderActivity(await packActivity(note));
-	ctx.set('Cache-Control', 'public, max-age=180');
+	ctx.set("Cache-Control", "public, max-age=180");
 	setResponseType(ctx);
 });
 
 // outbox
-router.get('/users/:user/outbox', Outbox);
+router.get("/users/:user/outbox", Outbox);
 
 // followers
-router.get('/users/:user/followers', Followers);
+router.get("/users/:user/followers", Followers);
 
 // following
-router.get('/users/:user/following', Following);
+router.get("/users/:user/following", Following);
 
 // featured
-router.get('/users/:user/collections/featured', Featured);
+router.get("/users/:user/collections/featured", Featured);
 
 // publickey
-router.get('/users/:user/publickey', async ctx => {
+router.get("/users/:user/publickey", async ctx => {
 	const userId = ctx.params.user;
 
 	const user = await Users.findOneBy({
@@ -141,7 +212,7 @@ router.get('/users/:user/publickey', async ctx => {
 
 	if (Users.isLocalUser(user)) {
 		ctx.body = renderActivity(renderKey(user, keypair));
-		ctx.set('Cache-Control', 'public, max-age=180');
+		ctx.set("Cache-Control", "public, max-age=180");
 		setResponseType(ctx);
 	} else {
 		ctx.status = 400;
@@ -156,11 +227,11 @@ async function userInfo(ctx: Router.RouterContext, user: User | null) {
 	}
 
 	ctx.body = renderActivity(await renderPerson(user as ILocalUser));
-	ctx.set('Cache-Control', 'public, max-age=180');
+	ctx.set("Cache-Control", "public, max-age=180");
 	setResponseType(ctx);
 }
 
-router.get('/users/:user', async (ctx, next) => {
+router.get("/users/:user", async (ctx, next) => {
 	if (!isActivityPubReq(ctx)) return await next();
 
 	const userId = ctx.params.user;
@@ -174,7 +245,7 @@ router.get('/users/:user', async (ctx, next) => {
 	await userInfo(ctx, user);
 });
 
-router.get('/@:user', async (ctx, next) => {
+router.get("/@:user", async (ctx, next) => {
 	if (!isActivityPubReq(ctx)) return await next();
 
 	const user = await Users.findOneBy({
@@ -188,7 +259,7 @@ router.get('/@:user', async (ctx, next) => {
 //#endregion
 
 // emoji
-router.get('/emojis/:emoji', async ctx => {
+router.get("/emojis/:emoji", async ctx => {
 	const emoji = await Emojis.findOneBy({
 		host: IsNull(),
 		name: ctx.params.emoji,
@@ -200,12 +271,12 @@ router.get('/emojis/:emoji', async ctx => {
 	}
 
 	ctx.body = renderActivity(await renderEmoji(emoji));
-	ctx.set('Cache-Control', 'public, max-age=180');
+	ctx.set("Cache-Control", "public, max-age=180");
 	setResponseType(ctx);
 });
 
 // like
-router.get('/likes/:like', async ctx => {
+router.get("/likes/:like", async ctx => {
 	const reaction = await NoteReactions.findOneBy({ id: ctx.params.like });
 
 	if (reaction == null) {
@@ -221,12 +292,12 @@ router.get('/likes/:like', async ctx => {
 	}
 
 	ctx.body = renderActivity(await renderLike(reaction, note));
-	ctx.set('Cache-Control', 'public, max-age=180');
+	ctx.set("Cache-Control", "public, max-age=180");
 	setResponseType(ctx);
 });
 
 // follow
-router.get('/follows/:follower/:followee', async ctx => {
+router.get("/follows/:follower/:followee", async ctx => {
 	// This may be used before the follow is completed, so we do not
 	// check if the following exists.
 
@@ -247,7 +318,7 @@ router.get('/follows/:follower/:followee', async ctx => {
 	}
 
 	ctx.body = renderActivity(renderFollow(follower, followee));
-	ctx.set('Cache-Control', 'public, max-age=180');
+	ctx.set("Cache-Control", "public, max-age=180");
 	setResponseType(ctx);
 });