Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

clarify/extend security consideration B.2 "verification" for attached files #432

Open
Johann150 opened this issue Mar 21, 2024 · 2 comments
Open

clarify/extend security consideration B.2 "verification" for attached files #432

Johann150 opened this issue Mar 21, 2024 · 2 comments
Assignees
@evanp
Labels
Needs errata We need to add errata for this Needs FEP Needs a FEP Needs Primer Page Needs a page in the ActivityPub primer

Comments

@Johann150
Copy link

As a thought after Mastodon's GHSA-jhrq-qvrm-qr36 it might be a good idea to extend the security consideration B.2 with a bit of wording about what kind of user submitted content is meant, and what relevance the Content-Type and perhaps Content Type Negotiation has in that context.

Especially when reading the 2nd paragraph the focus seems to me to be on ActivityPub Content, perhaps not taking into account that attached files/media may be hosted on the same host(-name).

In particular I'm thinking of wording like this:

Servers should not trust client submitted content (both ActivityPub activites and, if hosted by the same host, other resources), ...

And perhaps inserting another paragraph like this at the end of the section:

Federated servers that serve resources completely under the control of users, like for example attached media files, SHOULD make sure that the Content-Type header of such files can never be application/ld+json; profile="https://www.w3.org/ns/activitystreams" or application/activity+json. On paths/directories controlled by users, they SHOULD return the HTTP status code 406 "Not Acceptable" if a client's Accept header is set to application/ld+json; profile="https://www.w3.org/ns/activitystreams" as required of the client in section 3.2.
@evanp evanp self-assigned this Mar 22, 2024
@evanp evanp added Needs Primer Page Needs a page in the ActivityPub primer Needs errata We need to add errata for this Needs FEP Needs a FEP labels Mar 22, 2024
@evanp
Copy link
Collaborator

evanp commented Mar 22, 2024

This is an issue with user-uploaded data. Here are some ways to mitigate:

  1. As suggested, No JSON uploads.
  2. Remote clients should check the content-type for JSON types when GETting, and don't accept e.g. text/plain as AP, maybe application/json.
  3. Use a separate domain for uploaded artifacts. This will prevent naive checks that just accept the same origin as verification.
  4. Develop an attribution endpoint FEP to check attribution of objects. Possibly other types of endpoints for other verification, including a server-wide verification.
  5. Use digital signatures. Who the signature is from and what it entails is an open question. E.g. is it client side, server side, user owned, server owned, ...

I believe this solution requires at least these fixes:

  1. A Primer page on the topic.
  2. An Erratum for the security consideration in verification that covers the issue.
  3. Potentially pushing the editor's draft to the public document.

@ap-socialhub
Copy link
Collaborator

This issue has been mentioned on SocialHub. There might be relevant details there:

https://socialhub.activitypub.rocks/t/fep-0391-special-collection-proofs/4165/4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@evanp evanp

Labels
Needs errata We need to add errata for this Needs FEP Needs a FEP Needs Primer Page Needs a page in the ActivityPub primer
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@evanp @Johann150 @ap-socialhub