Add mix task to detect uploaded spoof payloads
This commit is contained in:
parent
31f90bbb52
commit
d441101200
2 changed files with 241 additions and 0 deletions
32
docs/docs/administration/CLI_tasks/security.md
Normal file
32
docs/docs/administration/CLI_tasks/security.md
Normal file
|
@ -0,0 +1,32 @@
|
|||
# Security-related tasks
|
||||
|
||||
{! administration/CLI_tasks/general_cli_task_info.include !}
|
||||
|
||||
!!! danger
|
||||
Many of these tasks were written in response to a patched exploit.
|
||||
It is recommended to run those very soon after installing its respective security update.
|
||||
Over time with db migrations they might become less accurate or be removed altogether.
|
||||
If you never ran an affected version, there’s no point in running them.
|
||||
|
||||
## Spoofed AcitivityPub objects exploit (2024-03, fixed in 3.11.1)
|
||||
|
||||
### Search for uploaded spoofing payloads
|
||||
|
||||
Scans local uploads for spoofing payloads.
|
||||
If the instance is not using the local uploader it was not affected.
|
||||
Attachments wil be scanned anyway in case local uploader was used in the past.
|
||||
|
||||
!!! note
|
||||
This cannot reliably detect payloads attached to deleted posts.
|
||||
|
||||
=== "OTP"
|
||||
|
||||
```sh
|
||||
./bin/pleroma_ctl security spoof-uploaded
|
||||
```
|
||||
|
||||
=== "From Source"
|
||||
|
||||
```sh
|
||||
mix pleroma.security spoof-uploaded
|
||||
```
|
209
lib/mix/tasks/pleroma/security.ex
Normal file
209
lib/mix/tasks/pleroma/security.ex
Normal file
|
@ -0,0 +1,209 @@
|
|||
# Akkoma: Magically expressive social media
|
||||
# Copyright © 2024 Akkoma Authors <https://akkoma.dev/>
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
defmodule Mix.Tasks.Pleroma.Security do
|
||||
use Mix.Task
|
||||
import Mix.Pleroma
|
||||
|
||||
alias Pleroma.Config
|
||||
|
||||
require Logger
|
||||
|
||||
@shortdoc """
|
||||
Security-related tasks, like e.g. checking for signs past exploits were abused.
|
||||
"""
|
||||
|
||||
# Constants etc
|
||||
defp local_id_prefix(), do: Pleroma.Web.Endpoint.url() <> "/"
|
||||
|
||||
defp local_id_pattern(), do: local_id_prefix() <> "%"
|
||||
|
||||
@activity_exts ["activity+json", "activity%2Bjson"]
|
||||
|
||||
defp activity_ext_url_patterns() do
|
||||
for e <- @activity_exts do
|
||||
for suf <- ["", "?%"] do
|
||||
# Escape literal % for use in SQL patterns
|
||||
ee = String.replace(e, "%", "\\%")
|
||||
"%.#{ee}#{suf}"
|
||||
end
|
||||
end
|
||||
|> List.flatten()
|
||||
end
|
||||
|
||||
# Search for malicious uploads exploiting the lack of Content-Type sanitisation from before 2024-03
|
||||
def run(["spoof-uploaded"]) do
|
||||
Logger.put_process_level(self(), :notice)
|
||||
start_pleroma()
|
||||
|
||||
IO.puts("""
|
||||
+------------------------+
|
||||
| SPOOF SEARCH UPLOADS |
|
||||
+------------------------+
|
||||
Checking if any uploads are using privileged types.
|
||||
NOTE if attachment deletion is enabled, payloads used
|
||||
in the past may no longer exist.
|
||||
""")
|
||||
|
||||
do_spoof_uploaded()
|
||||
end
|
||||
|
||||
# +-----------------------------+
|
||||
# | S P O O F - U P L O A D E D |
|
||||
# +-----------------------------+
|
||||
defp do_spoof_uploaded() do
|
||||
files =
|
||||
case Config.get!([Pleroma.Upload, :uploader]) do
|
||||
Pleroma.Uploaders.Local ->
|
||||
uploads_search_spoofs_local_dir(Config.get!([Pleroma.Uploaders.Local, :uploads]))
|
||||
|
||||
_ ->
|
||||
IO.puts("""
|
||||
NOTE:
|
||||
Not using local uploader; thus not affected by this exploit.
|
||||
It's impossible to check for files, but in case local uploader was used before
|
||||
or to check if anyone futilely attempted a spoof, notes will still be scanned.
|
||||
""")
|
||||
|
||||
[]
|
||||
end
|
||||
|
||||
emoji = uploads_search_spoofs_local_dir(Config.get!([:instance, :static_dir]))
|
||||
|
||||
post_attachs = uploads_search_spoofs_notes()
|
||||
|
||||
not_orphaned_urls =
|
||||
post_attachs
|
||||
|> Enum.map(fn {_u, _a, url} -> url end)
|
||||
|> MapSet.new()
|
||||
|
||||
orphaned_attachs = upload_search_orphaned_attachments(not_orphaned_urls)
|
||||
|
||||
IO.puts("\nSearch concluded; here are the results:")
|
||||
pretty_print_list_with_title(emoji, "Emoji")
|
||||
pretty_print_list_with_title(files, "Uploaded Files")
|
||||
pretty_print_list_with_title(post_attachs, "(Not Deleted) Post Attachments")
|
||||
pretty_print_list_with_title(orphaned_attachs, "Orphaned Uploads")
|
||||
|
||||
IO.puts("""
|
||||
In total found
|
||||
#{length(emoji)} emoji
|
||||
#{length(files)} uploads
|
||||
#{length(post_attachs)} not deleted posts
|
||||
#{length(orphaned_attachs)} orphaned attachments
|
||||
""")
|
||||
end
|
||||
|
||||
defp uploads_search_spoofs_local_dir(dir) do
|
||||
local_dir = String.replace_suffix(dir, "/", "")
|
||||
|
||||
IO.puts("Searching for suspicious files in #{local_dir}...")
|
||||
|
||||
glob_ext = "{" <> Enum.join(@activity_exts, ",") <> "}"
|
||||
|
||||
Path.wildcard(local_dir <> "/**/*." <> glob_ext, match_dot: true)
|
||||
|> Enum.map(fn path ->
|
||||
String.replace_prefix(path, local_dir <> "/", "")
|
||||
end)
|
||||
|> Enum.sort()
|
||||
end
|
||||
|
||||
defp uploads_search_spoofs_notes() do
|
||||
IO.puts("Now querying DB for posts with spoofing attachments. This might take a while...")
|
||||
|
||||
patterns = [local_id_pattern() | activity_ext_url_patterns()]
|
||||
|
||||
# if jsonb_array_elemsts in FROM can be used with normal Ecto functions, idk how
|
||||
"""
|
||||
SELECT DISTINCT a.data->>'actor', a.id, url->>'href'
|
||||
FROM public.objects AS o JOIN public.activities AS a
|
||||
ON o.data->>'id' = a.data->>'object',
|
||||
jsonb_array_elements(o.data->'attachment') AS attachs,
|
||||
jsonb_array_elements(attachs->'url') AS url
|
||||
WHERE o.data->>'type' = 'Note' AND
|
||||
o.data->>'id' LIKE $1::text AND (
|
||||
url->>'href' LIKE $2::text OR
|
||||
url->>'href' LIKE $3::text OR
|
||||
url->>'href' LIKE $4::text OR
|
||||
url->>'href' LIKE $5::text
|
||||
)
|
||||
ORDER BY a.data->>'actor', a.id, url->>'href';
|
||||
"""
|
||||
|> Pleroma.Repo.query!(patterns, timeout: :infinity)
|
||||
|> map_raw_id_apid_tuple()
|
||||
end
|
||||
|
||||
defp upload_search_orphaned_attachments(not_orphaned_urls) do
|
||||
IO.puts("""
|
||||
Now querying DB for orphaned spoofing attachment (i.e. their post was deleted,
|
||||
but if :cleanup_attachments was not enabled traces remain in the database)
|
||||
This might take a bit...
|
||||
""")
|
||||
|
||||
patterns = activity_ext_url_patterns()
|
||||
|
||||
"""
|
||||
SELECT DISTINCT attach.id, url->>'href'
|
||||
FROM public.objects AS attach,
|
||||
jsonb_array_elements(attach.data->'url') AS url
|
||||
WHERE (attach.data->>'type' = 'Image' OR
|
||||
attach.data->>'type' = 'Document')
|
||||
AND (
|
||||
url->>'href' LIKE $1::text OR
|
||||
url->>'href' LIKE $2::text OR
|
||||
url->>'href' LIKE $3::text OR
|
||||
url->>'href' LIKE $4::text
|
||||
)
|
||||
ORDER BY attach.id, url->>'href';
|
||||
"""
|
||||
|> Pleroma.Repo.query!(patterns, timeout: :infinity)
|
||||
|> then(fn res -> Enum.map(res.rows, fn [id, url] -> {id, url} end) end)
|
||||
|> Enum.filter(fn {_, url} -> !(url in not_orphaned_urls) end)
|
||||
end
|
||||
|
||||
# +-----------------------------------+
|
||||
# | module-specific utility functions |
|
||||
# +-----------------------------------+
|
||||
defp pretty_print_list_with_title(list, title) do
|
||||
title_len = String.length(title)
|
||||
title_underline = String.duplicate("=", title_len)
|
||||
IO.puts(title)
|
||||
IO.puts(title_underline)
|
||||
pretty_print_list(list)
|
||||
end
|
||||
|
||||
defp pretty_print_list([]), do: IO.puts("")
|
||||
|
||||
defp pretty_print_list([{a, o} | rest])
|
||||
when (is_binary(a) or is_number(a)) and is_binary(o) do
|
||||
IO.puts(" {#{a}, #{o}}")
|
||||
pretty_print_list(rest)
|
||||
end
|
||||
|
||||
defp pretty_print_list([{u, a, o} | rest])
|
||||
when is_binary(a) and is_binary(u) and is_binary(o) do
|
||||
IO.puts(" {#{u}, #{a}, #{o}}")
|
||||
pretty_print_list(rest)
|
||||
end
|
||||
|
||||
defp pretty_print_list([e | rest]) when is_binary(e) do
|
||||
IO.puts(" #{e}")
|
||||
pretty_print_list(rest)
|
||||
end
|
||||
|
||||
defp pretty_print_list([e | rest]), do: pretty_print_list([inspect(e) | rest])
|
||||
|
||||
defp map_raw_id_apid_tuple(res) do
|
||||
user_prefix = local_id_prefix() <> "users/"
|
||||
|
||||
Enum.map(res.rows, fn
|
||||
[uid, aid, oid] ->
|
||||
{
|
||||
String.replace_prefix(uid, user_prefix, ""),
|
||||
FlakeId.to_string(aid),
|
||||
oid
|
||||
}
|
||||
end)
|
||||
end
|
||||
end
|
Loading…
Reference in a new issue