akkoma/lib/pleroma/web/activity_pub
Oneric a4fa2ec9af StealEmoji: make final paths infeasible to predict
Certain attacks rely on predictable paths for their payloads.
If we weren’t so overly lax in our (id, URL) check, the current
counterfeit activity exploit would be one of those.
It seems plausible for future attacks to hinge on
or being made easier by predictable paths too.

In general, letting remote actors place arbitrary data at
a path within our domain of their choosing (sans prefix)
just doesn’t seem like a good idea.

Using fully random filenames would have worked as well, but this
is less friendly for admins checking emoji dirs.
The generated suffix should still be more than enough;
an attacker needs on average 140 trillion attempts to
correctly guess the final path.
2024-03-18 22:33:10 -01:00
activity_pub Remove deps from Streaming/Persisting behaviors 2021-06-01 13:55:07 -05:00
mrf StealEmoji: make final paths infeasible to predict 2024-03-18 22:33:10 -01:00
object_validator Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
object_validators Support elixir1.15 2023-08-03 17:44:09 +01:00
side_effects Refactor ES on top of search behaviour 2022-06-30 16:28:31 +01:00
views Federate user profile background 2024-02-16 16:35:51 +01:00
activity_pub.ex Federate user profile background 2024-02-16 16:35:51 +01:00
activity_pub_controller.ex Support elixir1.15 2023-08-03 17:44:09 +01:00
builder.ex Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
internal_fetch_actor.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
mrf.ex Support elixir1.15 2023-08-03 17:44:09 +01:00
object_validator.ex Post editing (#202) 2022-09-06 19:24:02 +00:00
pipeline.ex Refactor ES on top of search behaviour 2022-06-30 16:28:31 +01:00
publisher.ex MIX FORMAT 2023-08-15 23:26:22 +01:00
relay.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
side_effects.ex Add ability to auto-approve followbacks 2024-02-13 15:42:37 +01:00
transmogrifier.ex Support elixir1.15 2023-08-03 17:44:09 +01:00
utils.ex Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
visibility.ex local-only-fixed (#138) 2022-08-02 14:46:46 +00:00