
[bug] Accept and Content-Type headers trip OWASP Core Ruleset #2543

Closed
kvibber opened this issue Jan 18, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@kvibber
Contributor

kvibber commented Jan 18, 2024

Describe the bug with a clear and concise description of what the bug is.

My web host offers the mod_security web application firewall using a combination of the OWASP core ruleset and their own home-grown rules. I recently discovered that I could not reply from GoToSocial to my WordPress blog using the ActivityPub plugin. The GTS logs turned up a 418 error, which is what my host uses for requests blocked by mod_security. Looking at my web server logs, I found that it was tripping the following rules from core ruleset file REQUEST-920-PROTOCOL-ENFORCEMENT.conf:

Illegal Accept header: charset parameter for application/ld+json; profile=\\x22https://www.w3.org/ns/activitystreams\\x22,application/activity+json

Illegal Content-Type header for application/ld+json; profile=\\x22https://www.w3.org/ns/activitystreams\\x22

Request content type is not allowed by policy for |application/ld+json|

Relevant log entries:

[Thu Jan 18 10:14:45.408052 2024] [:error] [pid 206460:tid 140077923862272] [client 172.233.131.132:56886] [client 172.233.131.132] ModSecurity: Warning. Match of "rx ^(?:(?:\\\\*|[^\\"(),\\\\/:;<=>?![\\\\x5c\\\\]{}]+)\\\\/(?:\\\\*|[^\\"(),\\\\/:;<=>?![\\\\x5c\\\\]{}]+))(?:\\\\s*+;\\\\s*+(?:(?:charset\\\\s*+=\\\\s*+(?:\\"?(?:iso-8859-15?|windows-1252|utf-8)\\\\b\\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\\"(),\\\\/:;<=>?![\\\\x5c\\\\]{}]|[^e\\"(),/:;<=>?![\\\\x5c ..." against "REQUEST_HEADERS:Accept" required. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1162"] [id "920600"] [msg "Illegal Accept header: charset parameter"] [data "application/ld+json; profile=\\x22https://www.w3.org/ns/activitystreams\\x22,application/activity+json"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [hostname "hyperborea.org"] [uri "/journal/2007/04/ridge-valley/"] [unique_id "ZalqlTOpiqLEOI9mTEbMkAAAAAE"]

[Thu Jan 18 10:14:45.408233 2024] [:error] [pid 206460:tid 140077848327936] [client 172.233.131.132:56886] [client 172.233.131.132] ModSecurity: Warning. Match of "rx ^[\\\\w/.+-]+(?:\\\\s?;\\\\s?(?:action|boundary|charset|type|start(?:-info)?)\\\\s?=\\\\s?['\\"\\\\w.()+,/:=?<>@-]+)*$" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "933"] [id "920470"] [msg "Illegal Content-Type header"] [data "application/ld+json; profile=\\x22https://www.w3.org/ns/activitystreams\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "hyperborea.org"] [uri "/journal/wp-json/activitypub/1.0/users/2/inbox"] [unique_id "ZalqlTOpiqLEOI9mTEbMkQAAAAM"]

[Thu Jan 18 10:14:45.415276 2024] [:error] [pid 206460:tid 140077848327936] [client 172.233.131.132:56886] [client 172.233.131.132] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "957"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|application/ld+json|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "hyperborea.org"] [uri "/journal/wp-json/activitypub/1.0/users/2/inbox"] [unique_id "ZalqlTOpiqLEOI9mTEbMkQAAAAM"]

[Thu Jan 18 10:14:45.417433 2024] [:error] [pid 206460:tid 140077848327936] [client 172.233.131.132:56886] [client 172.233.131.132] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "hyperborea.org"] [uri "/journal/wp-json/activitypub/1.0/users/2/inbox"] [unique_id "ZalqlTOpiqLEOI9mTEbMkQAAAAM"]

What's your GoToSocial Version?

0.13.1

GoToSocial Arch

x86_64, docker on Alpine

What happened?

Federation of replies failed to reach the other server.

What you expected to happen?

The reply should have shown up in my WordPress dashboard.

How to reproduce it?

Run WordPress with the ActivityPub plugin on a DreamHost server with mod_security enabled (or any other Apache server running mod_security with the core ruleset) and try to reply to a post from a GoToSocial server.

After turning mod_security off, replies federate successfully to the WordPress blog.
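As an added example (not part of the report above, and not code from GoToSocial or the CRS project), the following Python parses ModSecurity error-log entries like the four quoted, groups them by unique_id and recomputes the CRS anomaly score per request. Run against the report's own lines (embedded below with the long regex text after "Match of" cut to "..." and most tag fields dropped), it shows what the raw log makes easy to miss: the Accept-header hit (920600) belongs to a different request, the one for /journal/2007/04/ridge-valley/, which scored 5 and has no blocking entry, while the POST to the ActivityPub inbox collected 920470 and 920420 for a total of 10 and was denied with 418. The severity-to-points table and the threshold of 7 are the CRS 3.3 defaults, consistent with "Operator GE matched 7" in the 949110 line, but they are assumptions about this host's crs-setup.conf.

```python
"""Per-request triage of ModSecurity / OWASP CRS error-log entries.

Added example; not code from the issue report, GoToSocial or the CRS project.
Everything marked "assumption" below is ours, not something the report states.
"""
import re
from collections import OrderedDict

# ModSecurity writes each attribute of an entry as [key "value"]; values may
# contain backslash escapes such as \x22 for a double quote.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r"Access denied with code (\d+)")
TOTAL_RE = re.compile(r"Total Score: (\d+)")

# Assumption: stock CRS 3.3 anomaly points per severity and the default
# inbound threshold; the 949110 entry's "GE matched 7" is consistent with it.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 7
BLOCKING_RULE_ID = "949110"  # REQUEST-949 verdict line: reports the total, does not add to it

# The four entries quoted in the report, with the regex text after 'Match of'
# cut to "..." and most [tag ...] fields dropped; the bracketed fields are all
# this parser reads.
SAMPLE_LOG = r'''
[Thu Jan 18 10:14:45.408052 2024] [:error] [pid 206460:tid 140077923862272] [client 172.233.131.132:56886] [client 172.233.131.132] ModSecurity: Warning. Match of "rx ..." against "REQUEST_HEADERS:Accept" required. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1162"] [id "920600"] [msg "Illegal Accept header: charset parameter"] [data "application/ld+json; profile=\x22https://www.w3.org/ns/activitystreams\x22,application/activity+json"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "OWASP_CRS"] [hostname "hyperborea.org"] [uri "/journal/2007/04/ridge-valley/"] [unique_id "ZalqlTOpiqLEOI9mTEbMkAAAAAE"]
[Thu Jan 18 10:14:45.408233 2024] [:error] [pid 206460:tid 140077848327936] [client 172.233.131.132:56886] [client 172.233.131.132] ModSecurity: Warning. Match of "rx ..." against "REQUEST_HEADERS:Content-Type" required. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "933"] [id "920470"] [msg "Illegal Content-Type header"] [data "application/ld+json; profile=\x22https://www.w3.org/ns/activitystreams\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "OWASP_CRS"] [hostname "hyperborea.org"] [uri "/journal/wp-json/activitypub/1.0/users/2/inbox"] [unique_id "ZalqlTOpiqLEOI9mTEbMkQAAAAM"]
[Thu Jan 18 10:14:45.415276 2024] [:error] [pid 206460:tid 140077848327936] [client 172.233.131.132:56886] [client 172.233.131.132] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "957"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|application/ld+json|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "OWASP_CRS"] [hostname "hyperborea.org"] [uri "/journal/wp-json/activitypub/1.0/users/2/inbox"] [unique_id "ZalqlTOpiqLEOI9mTEbMkQAAAAM"]
[Thu Jan 18 10:14:45.417433 2024] [:error] [pid 206460:tid 140077848327936] [client 172.233.131.132:56886] [client 172.233.131.132] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [hostname "hyperborea.org"] [uri "/journal/wp-json/activitypub/1.0/users/2/inbox"] [unique_id "ZalqlTOpiqLEOI9mTEbMkQAAAAM"]
'''


def parse_entry(line):
    """Return the [key "value"] fields of one log line, or None if it is not a rule hit."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "unique_id" not in fields:
        return None
    denied = DENIED_RE.search(line)
    fields["denied_code"] = int(denied.group(1)) if denied else None
    return fields


def triage(log_text, threshold=INBOUND_THRESHOLD):
    """Group entries by transaction (unique_id) and recompute the anomaly score per request."""
    transactions = OrderedDict()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        tx = transactions.setdefault(entry["unique_id"], {
            "uri": entry.get("uri"),
            "rules": [],             # (rule id, msg) for every scoring rule that matched
            "score": 0,              # our recomputation of TX:anomaly_score
            "reported_total": None,  # the total 949110 itself logged, for cross-checking
            "denied_code": None,     # HTTP status ModSecurity answered with, if blocked
        })
        if entry["id"] == BLOCKING_RULE_ID:
            tx["denied_code"] = entry["denied_code"]
            total = TOTAL_RE.search(entry.get("msg", ""))
            tx["reported_total"] = int(total.group(1)) if total else None
            continue
        tx["rules"].append((entry["id"], entry.get("msg", "")))
        tx["score"] += SEVERITY_SCORE.get(entry.get("severity", ""), 0)
    for tx in transactions.values():
        tx["over_threshold"] = tx["score"] >= threshold
    return transactions


if __name__ == "__main__":
    for unique_id, tx in triage(SAMPLE_LOG).items():
        verdict = f"denied {tx['denied_code']}" if tx["denied_code"] else "no blocking entry"
        print(f"{unique_id} {tx['uri']}: score {tx['score']} ({verdict})")
        for rule_id, msg in tx["rules"]:
            print(f"    {rule_id} {msg}")
```

Grouping by unique_id rather than by client address is the point: one federation delivery produces several requests within milliseconds from the same client, and only the one whose own rule hits sum past the threshold is refused. The same parser works on a live Apache error log by reading the file instead of SAMPLE_LOG.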

@kvibber kvibber added the bug Something isn't working label Jan 18, 2024
@kvibber
Contributor Author

kvibber commented Jan 18, 2024

Anyway, I don't know if this is something better to change here, or submit as a change request to the ruleset maintainers, or just mark as a known issue.

@mirabilos
Contributor

Looking at the linked file, it does not allow the profile property.

I’d (also) reach out to the https://github.com/coreruleset/coreruleset issue tracker and crosslink with this one.
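Illustrating the point about the profile parameter, as an added example that is not code from GoToSocial or the OWASP CRS project: the Content-Type regex that rule 920470 quotes in the log above, with the log's backslash escaping undone, accepts only the parameter names action, boundary, charset, type and start/start-info after the media type, so profile="..." fails it regardless of its value. Rule 920420 is a separate check on the bare media type against tx.allowed_request_content_type, and the report's own data field shows |application/ld+json| was not in that list. The allow-list below is the stock CRS 3.3 list as an assumption (verify against rule 900220 in your crs-setup.conf); the Accept-header regex of 920600 is truncated in the log, so it is not modelled. The builder takes the parameter names as an argument so the same code shows the header passing once profile and application/ld+json are admitted.

```python
"""Model of CRS 3.3 rules 920470 and 920420 against an ActivityPub Content-Type.

Added example, not code from GoToSocial or the OWASP CRS project.
"""
import re

# Parameter names rule 920470 accepts after the media type, taken from the regex
# quoted in the 920470 log entry above (log escaping undone).  "profile" is not
# among them, which is the whole false positive.  Items are regex fragments, so
# "start(?:-info)?" covers both start and start-info as the original does.
CRS_920470_PARAMS = ("action", "boundary", "charset", "type", "start(?:-info)?")

# Assumption: the stock tx.allowed_request_content_type list of CRS 3.3
# crs-setup.conf (rule 900220).  The report's 920420 entry shows that
# |application/ld+json| is absent on that host; check your own copy.
CRS_33_ALLOWED_TYPES = (
    "application/x-www-form-urlencoded", "multipart/form-data", "multipart/related",
    "text/xml", "application/xml", "application/soap+xml", "application/x-amf",
    "application/json", "application/cloudevents+json",
    "application/cloudevents-batch+json", "application/octet-stream",
    "application/csp-report", "application/xss-auditor-report", "text/plain",
)


def build_920470_regex(param_names=CRS_920470_PARAMS):
    r"""Rebuild the 920470 pattern with a configurable parameter alternation.

    With the default names this is exactly the regex from the log entry:
    ^[\w/.+-]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['"\w.()+,/:=?<>@-]+)*$
    """
    alternation = "|".join(param_names)
    return re.compile(
        r"^[\w/.+-]+(?:\s?;\s?(?:" + alternation + r")\s?=\s?['\"\w.()+,/:=?<>@-]+)*$"
    )


def media_type_token(content_type):
    """What 920420 compares: the bare media type, lowercased and wrapped in pipes."""
    return "|" + content_type.split(";", 1)[0].strip().lower() + "|"


def evaluate(content_type, param_names=CRS_920470_PARAMS, allowed_types=CRS_33_ALLOWED_TYPES):
    """Return the ids of the modelled rules that would fire on this header.

    920470 is written as a negated match (!@rx), so a header the pattern does
    not accept is flagged; 920420 flags a media type outside the allow-list.
    Both are paranoia-level-1 CRITICAL rules (5 points each under default
    scoring), so together they pass the default inbound threshold of 7.
    """
    fired = []
    if not build_920470_regex(param_names).match(content_type):
        fired.append("920470")
    allowed = " ".join("|" + t + "|" for t in allowed_types)  # same shape as the CRS variable
    if media_type_token(content_type) not in allowed:          # model of @within
        fired.append("920420")
    return fired


if __name__ == "__main__":
    # Constructed header matching the report's data field (quotes un-escaped).
    activitypub = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
    print("stock CRS 3.3:", evaluate(activitypub))
    print("with profile + application/ld+json admitted:",
          evaluate(activitypub,
                   CRS_920470_PARAMS + ("profile",),
                   CRS_33_ALLOWED_TYPES + ("application/ld+json",)))
```

Both changes are needed for the POST to pass: admitting profile alone still leaves 920420 firing, and allowing application/ld+json alone still leaves 920470 firing. On a WAF you administer yourself, the local remedy is a rule exclusion scoped to the ActivityPub inbox path (a ctl:ruleRemoveById rule in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) plus |application/ld+json| appended to tx.allowed_request_content_type, rather than switching mod_security off for the whole site; a tenant on shared hosting has neither option, which is why the fix belongs with the ruleset project.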

@kvibber
Contributor Author

kvibber commented Jan 19, 2024

Thanks. I wasn't familiar with the profile parameter, but I read up on it a bit and reported the false positive to the ruleset project, along with a request to add application/ld+json to the default list of allowed types.

@tsmethurst
Contributor

Alright, sounds good. I'm going to mark it as "closed" here since it's not something we ought to be changing on our side; everything we're doing is very much by-the-book ActivityPub stuff with regard to headers. Nevertheless, thanks for opening this here so it's searchable for folks running into the same issue :)

@tsmethurst tsmethurst closed this as not planned Jan 19, 2024