From 3327fbc39adcb09934afe33e0529271708fc5740 Mon Sep 17 00:00:00 2001 From: erik Date: Tue, 19 Dec 2023 10:19:35 +0100 Subject: [PATCH] Fix typos, small rewordings --- .../threat_analysis_star_activity.md | 14 +++++++------- routers/api/v1/activitypub/repository.go | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/unsure-where-to-put/threat_analysis_star_activity.md b/docs/unsure-where-to-put/threat_analysis_star_activity.md index 8c7e6b1656..f10b04b301 100644 --- a/docs/unsure-where-to-put/threat_analysis_star_activity.md +++ b/docs/unsure-where-to-put/threat_analysis_star_activity.md @@ -71,25 +71,25 @@ flowchart TD ### Actors -1. **Script Kiddies**: Boored teens, willing to do some illigal without deep knowlege of tech details but broad knowlege across internet discussions. Able to do some bash / python scripting. +1. **Script Kiddies**: Boored teens, willing to do some illegal stuff without deep knowlege of tech details but broad knowlege across internet discussions. Able to do some bash / python scripting. 2. **Experienced Hacker**: Hacker with deep knowlege. 3. **OpenSource Promoter**: Developers motivated to increase (or decrease) star count for some dedicated projects. ### Threat -1. Script Kiddi sends a Star Activity containing an attack actor url `http://attacked.target/very/special/path` in place of actor. Our repository server sends an `get Person Actor` request to this url. The attacked target gets DenialdOffServices. We loose CPU & reputation. -2. Experienced hacker sends a Star Activity containing an actor url pointing to an evil forgejo instance. Our repository server sends an `get Person Actor` request to this instance and get a person having sth. like `; drop database;` in its name. If our server tries to create a new user out of this persion, the db might be droped. -3. OpenSource Promoter sends Star Activities having not authorized Person Actors. The Actors listed as stargazer migth get angry about this, we loose reputation. +1. Script Kiddi sends a Star Activity containing an attack actor url `http://attacked.target/very/special/path` in place of actor. Our repository server sends a `get Person Actor` request to this url. The target receives a DenialdOfService attack. We loose CPU & reputation. +2. Experienced hacker sends a Star Activity containing an actor url pointing to an evil forgejo instance. Our repository server sends an `get Person Actor` request to this instance and gets a person having sth. like `; drop database;` in its name. If our server tries to create a new user out of this persion, the db might be dropped. +3. OpenSource Promoter sends Star Activities containing non authorized Person Actors. The Actors listed as stargazer might get angry about this, we loose reputation. 4. Experienced Hacker records activities sent and replays some of them. Without order of activities (i.e. timestamp) we can not decide wether we should execute the activity again. If the replayed activities are Unstar Activity we might loose stars. -5. Experienced Hacker records activities sends a massive amount of activities which leads to new user creation & storage. Our instance might get off service. -6. Experienced Hacker may craft their malicious server to keep connections open. Then they send you a Star activity with the actor URL pointing to that malicious server, and your background job keeps waiting for data. Then they send more such requests, until you exhaust your limit of file descriptors openable for your system and cause a DoS (by causing cascading failures all over the system, given file descriptors are used for about everything, from files, to sockets, to pipes). See also [Slowloris@wikipedia][2]. +5. Experienced Hacker records activities sends a massive amount of activities which leads to new user creation & storage loss. Our instance might fall out of service. +6. Experienced Hacker may craft their malicious server to keep connections open. Then they send a Star activity with the actor URL pointing to that malicious server, and your background job keeps waiting for data. Then they send more such requests, until you exhaust your limit of file descriptors openable for your system and cause a DoS (by causing cascading failures all over the system, given file descriptors are used for about everything, from files, to sockets, to pipes). See also [Slowloris@wikipedia][2]. ### Mitigations 1. Validate object uri in order to send only requests to well defined endpoints. 2. giteas global SQL injection protection. TODO: verify if there is one. 3. We accept only signed Activities -4. We accept only activities having an timestamp & remember the last executed activity timestamp. +4. We accept only activities having a timestamp & remember the last executed activity timestamp. 5. We introduce (or have) rate limiting per IP. 6. We ensure, that outgoing HTTP requests have a reasonable timeout (if you didn't get that 500b JSON response after 10 seconds, you probably won't get it). diff --git a/routers/api/v1/activitypub/repository.go b/routers/api/v1/activitypub/repository.go index 4569895216..89fb46b40a 100644 --- a/routers/api/v1/activitypub/repository.go +++ b/routers/api/v1/activitypub/repository.go @@ -105,7 +105,7 @@ func RepositoryInbox(ctx *context.APIContext) { log.Info("RepositoryInbox: objectId validated: %v", objectId) actorAsLoginId := actorId.AsLoginName() // used as LoginName in newly created user - log.Info("RepositoryInbox: remotStargazer: %v", actorAsLoginId) + log.Info("RepositoryInbox: remoteStargazer: %v", actorAsLoginId) // Check if user already exists users, err := SearchUsersByLoginName(actorAsLoginId) @@ -180,7 +180,7 @@ func SearchUsersByLoginName(loginName string) ([]*user_model.User, error) { func createUserFromAP(ctx *context.APIContext, personId forgefed.PersonId) (*user_model.User, error) { // ToDo: Do we get a publicKeyId from server, repo or owner or repo? var actionsUser = user_model.NewActionsUser() - client, err := api.NewClient(ctx, actionsUser, "no ide where to get key material.") + client, err := api.NewClient(ctx, actionsUser, "no idea where to get key material.") if err != nil { return &user_model.User{}, err }