akkoma/lib/pleroma/web
Oneric 0c2b33458d Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)

Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.

E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:

  17.465.096  at  t0
  17.472.673  at  t1 = t0 + 4h
  17.473.248  at  t2 = t1 + 20min

This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.

Thus restrict media usage to owners.

Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.

Independently discovered and fixed by mint in Pleroma
1afde067b1
2024-05-22 20:30:18 +02:00
..
activity_pub Normalise public adressing to fix federation 2024-04-25 18:45:16 +02:00
admin_api Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
akkoma_api add selection UI 2023-03-28 12:44:52 +01:00
api_spec Accept body parameters for /api/pleroma/notification_settings 2024-04-09 04:11:28 +02:00
auth Support elixir1.15 2023-08-03 17:44:09 +01:00
common_api Restrict media usage to owners 2024-05-22 20:30:18 +02:00
fallback ensure we send the right files for preferred fe 2023-03-12 23:59:10 +00:00
federator Remove debug prints 2022-06-25 18:43:19 +01:00
feed Don't strip newlines in the Atom feed 2024-03-11 12:50:14 +01:00
mailer Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
mastodon_api Apply rate limits to status updates 2024-05-22 20:18:08 +02:00
media_proxy Use uppercase HTTP HEAD method for media preview proxy request (#128) 2022-07-30 21:58:14 +00:00
metadata check if data is visible before embedding it in OG tags 2024-04-12 05:16:47 +01:00
mongoose_im argon2 password hashing (#406) 2022-12-30 02:46:58 +00:00
nodeinfo Mix format 2023-04-14 17:56:34 +01:00
o_auth update tests for oauth consumer 2023-12-17 21:48:19 +00:00
o_status Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
pleroma_api Exclude deactivated users from emoji reaction lists 2023-07-17 17:53:03 +01:00
plugs Format, but this time with a non-ancient version of elixir 2024-04-19 18:07:50 +02:00
preload/providers Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
push Support elixir1.15 2023-08-03 17:44:09 +01:00
rich_media Support elixir1.15 2023-08-03 17:44:09 +01:00
static_fe Fix Twitter metadata 2024-02-19 21:09:43 +00:00
templates Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
twitter_api Accept body parameters for /api/pleroma/notification_settings 2024-04-09 04:11:28 +02:00
utils Pleroma.Web.Params --> Pleroma.Web.Utils.Params 2021-06-08 12:50:47 -05:00
views Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
web_finger giant massive dep upgrade and dialyxir-found error emporium (#371) 2022-12-14 12:38:48 +00:00
api_spec.ex update references to pleroma in docs 2022-12-30 03:43:35 +00:00
common_api.ex Support elixir1.15 2023-08-03 17:44:09 +01:00
controller_helper.ex giant massive dep upgrade and dialyxir-found error emporium (#371) 2022-12-14 12:38:48 +00:00
embed_controller.ex Add embed controller tests 2023-07-17 19:18:21 +01:00
endpoint.ex Fix Content-Type of our schema 2024-03-18 22:33:10 -01:00
federator.ex and i yoink (#275) 2022-11-14 15:07:26 +00:00
gettext.ex Fix incorrect fallback when English is set to first language 2022-06-29 20:47:10 +01:00
instance_document.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
manifest_controller.ex Expose /manifest.json for PWA 2021-11-24 17:50:55 -06:00
masto_fe_controller.ex Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
media_proxy.ex Drop base_url special casing in test env 2024-04-07 00:20:12 +02:00
metadata.ex Add configurable theme color (#53) 2022-07-06 20:00:43 +00:00
o_auth.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
pipelines.ex Remove precompiled javascript (#55) 2022-07-08 13:03:18 +00:00
plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
preload.ex remove unused variable 2022-12-16 12:36:34 +00:00
push.ex Support elixir1.15 2023-08-03 17:44:09 +01:00
rel_me.ex Add more information about failed verifications 2023-03-10 03:51:24 +00:00
router.ex Keep READ endpoints, purge WRITE 2024-04-19 11:06:01 +01:00
streamer.ex Enforce unauth restrictions for public streaming endpoints 2023-06-14 22:45:19 +00:00
swagger.ex remove anonymous function from plug 2022-07-14 11:17:14 +01:00
telemetry.ex Formatting 2024-04-16 08:02:13 +02:00
translation_helpers.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
uploader_controller.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
web_finger.ex Add HTTP backoff cache to respect 429s 2024-04-26 19:00:35 +01:00
xml.ex make xmerl shut up about markup 2024-04-16 10:19:30 +01:00