From eb11c6028973b945361095d3f4791ac6f61379a9 Mon Sep 17 00:00:00 2001 From: Maxim Filippov Date: Fri, 13 Dec 2019 19:00:26 +0300 Subject: Disable rate limiter for socket/localhost (unless RemoteIp is enabled) --- lib/pleroma/plugs/rate_limiter/rate_limiter.ex | 37 +++++++++++++++++++++----- 1 file changed, 30 insertions(+), 7 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/plugs/rate_limiter/rate_limiter.ex b/lib/pleroma/plugs/rate_limiter/rate_limiter.ex index d720508c8..7fb92489c 100644 --- a/lib/pleroma/plugs/rate_limiter/rate_limiter.ex +++ b/lib/pleroma/plugs/rate_limiter/rate_limiter.ex @@ -67,6 +67,8 @@ defmodule Pleroma.Plugs.RateLimiter do alias Pleroma.Plugs.RateLimiter.LimiterSupervisor alias Pleroma.User + require Logger + def init(opts) do limiter_name = Keyword.get(opts, :name) @@ -89,18 +91,39 @@ defmodule Pleroma.Plugs.RateLimiter do def call(conn, nil), do: conn def call(conn, settings) do - settings - |> incorporate_conn_info(conn) - |> check_rate() - |> case do - {:ok, _count} -> + case disabled?() do + true -> + if Pleroma.Config.get(:env) == :prod, + do: Logger.warn("Rate limiter is disabled for localhost/socket") + conn - {:error, _count} -> - render_throttled_error(conn) + false -> + settings + |> incorporate_conn_info(conn) + |> check_rate() + |> case do + {:ok, _count} -> + conn + + {:error, _count} -> + render_throttled_error(conn) + end end end + def disabled? do + localhost_or_socket = + Pleroma.Config.get([Pleroma.Web.Endpoint, :http, :ip]) + |> Tuple.to_list() + |> Enum.join(".") + |> String.match?(~r/^local|^127.0.0.1/) + + remote_ip_disabled = not Pleroma.Config.get([Pleroma.Plugs.RemoteIp, :enabled]) + + localhost_or_socket and remote_ip_disabled + end + def inspect_bucket(conn, name_root, settings) do settings = settings -- cgit v1.2.3 From 6302b407916fb75db3d728176eb5da605dfc8349 Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Tue, 28 Jan 2020 18:04:13 +0400 Subject: Warn if HTTPSecurityPlug is disabled --- lib/pleroma/application.ex | 1 + lib/pleroma/plugs/http_security_plug.ex | 11 +++++++++++ 2 files changed, 12 insertions(+) (limited to 'lib') diff --git a/lib/pleroma/application.ex b/lib/pleroma/application.ex index e17068876..2c8889ce5 100644 --- a/lib/pleroma/application.ex +++ b/lib/pleroma/application.ex @@ -33,6 +33,7 @@ defmodule Pleroma.Application do def start(_type, _args) do Pleroma.HTML.compile_scrubbers() Pleroma.Config.DeprecationWarnings.warn() + Pleroma.Plugs.HTTPSecurityPlug.warn_if_disabled() Pleroma.Repo.check_migrations_applied!() setup_instrumenters() load_custom_modules() diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index a7cc22831..8bc324f48 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -6,6 +6,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do alias Pleroma.Config import Plug.Conn + require Logger + def init(opts), do: opts def call(conn, _options) do @@ -90,6 +92,15 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do |> Enum.join("; ") end + def warn_if_disabled do + unless Config.get([:http_security, :enabled]) do + Logger.warn("HTTP Security is disabled. Add this line to you config to enable it: + + config :pleroma, :http_security, enabled: true + ") + end + end + defp maybe_send_sts_header(conn, true) do max_age_sts = Config.get([:http_security, :sts_max_age]) max_age_ct = Config.get([:http_security, :ct_max_age]) -- cgit v1.2.3 From 77f24525ca6636f5fb0b3864c346be683566efd3 Mon Sep 17 00:00:00 2001 From: lain Date: Tue, 28 Jan 2020 16:40:44 +0100 Subject: Streamer: Correctly handle reblog mutes --- lib/pleroma/web/streamer/worker.ex | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/streamer/worker.ex b/lib/pleroma/web/streamer/worker.ex index a1b445f2f..5392c1ec3 100644 --- a/lib/pleroma/web/streamer/worker.ex +++ b/lib/pleroma/web/streamer/worker.ex @@ -138,7 +138,8 @@ defmodule Pleroma.Web.Streamer.Worker do with parent <- Object.normalize(item) || item, true <- - Enum.all?([blocked_ap_ids, muted_ap_ids, reblog_muted_ap_ids], &(item.actor not in &1)), + Enum.all?([blocked_ap_ids, muted_ap_ids], &(item.actor not in &1)), + true <- item.data["type"] != "Announce" || item.actor not in reblog_muted_ap_ids, true <- Enum.all?([blocked_ap_ids, muted_ap_ids], &(parent.data["actor"] not in &1)), true <- MapSet.disjoint?(recipients, recipient_blocks), %{host: item_host} <- URI.parse(item.actor), -- cgit v1.2.3 From 1f4fbe9d98b7daef7eef2ffffbaca00e1d20c52b Mon Sep 17 00:00:00 2001 From: Alexander Strizhakov Date: Wed, 29 Jan 2020 11:13:34 +0300 Subject: title parse improvement --- lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex b/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex index c2a3c07a2..fae3c462e 100644 --- a/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex +++ b/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex @@ -48,6 +48,6 @@ defmodule Pleroma.Web.RichMedia.Parsers.MetaTagsParser do defp maybe_put_title(meta, _), do: meta defp get_page_title(html) do - Floki.find(html, "title") |> List.first() |> Floki.text() + Floki.find(html, "html head title") |> List.first() |> Floki.text() end end -- cgit v1.2.3 From a802e07241e441189f85568ee9ca58508ab6d0d3 Mon Sep 17 00:00:00 2001 From: lain Date: Wed, 29 Jan 2020 11:39:06 +0100 Subject: Emoji Reactions: Add `reacted` field to emoji reactions --- lib/pleroma/web/mastodon_api/views/status_view.ex | 6 +++++- lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex | 7 ++++--- 2 files changed, 9 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex index e60ef709b..5df29d93f 100644 --- a/lib/pleroma/web/mastodon_api/views/status_view.ex +++ b/lib/pleroma/web/mastodon_api/views/status_view.ex @@ -256,7 +256,11 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do emoji_reactions = with %{data: %{"reactions" => emoji_reactions}} <- object do Enum.map(emoji_reactions, fn [emoji, users] -> - %{emoji: emoji, count: length(users)} + %{ + emoji: emoji, + count: length(users), + reacted: !!(opts[:for] && opts[:for].ap_id in users) + } end) else _ -> [] diff --git a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex index cd1c0764f..e6e2385b2 100644 --- a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex +++ b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex @@ -47,13 +47,14 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do Object.normalize(activity) do reactions = emoji_reactions - |> Enum.map(fn [emoji, users] -> - users = Enum.map(users, &User.get_cached_by_ap_id/1) + |> Enum.map(fn [emoji, user_ap_ids] -> + users = Enum.map(user_ap_ids, &User.get_cached_by_ap_id/1) %{ emoji: emoji, count: length(users), - accounts: AccountView.render("index.json", %{users: users, for: user, as: :user}) + accounts: AccountView.render("index.json", %{users: users, for: user, as: :user}), + reacted: !!(user && user.ap_id in user_ap_ids) } end) -- cgit v1.2.3 From b3a877d6c9f7645c854527fc5bf05d9161c2480b Mon Sep 17 00:00:00 2001 From: lain Date: Wed, 29 Jan 2020 11:43:36 +0100 Subject: Emoji Reactions: Correctly handle deleted users --- lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex index e6e2385b2..d76e39795 100644 --- a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex +++ b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex @@ -48,7 +48,9 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do reactions = emoji_reactions |> Enum.map(fn [emoji, user_ap_ids] -> - users = Enum.map(user_ap_ids, &User.get_cached_by_ap_id/1) + users = + Enum.map(user_ap_ids, &User.get_cached_by_ap_id/1) + |> Enum.filter(& &1) %{ emoji: emoji, -- cgit v1.2.3 From e7fee0d6fa7b2ba046e57ca9364be1b62bfc9661 Mon Sep 17 00:00:00 2001 From: Alexander Strizhakov Date: Wed, 29 Jan 2020 13:51:17 +0300 Subject: emoji api error on not writable dir --- .../web/pleroma_api/controllers/emoji_api_controller.ex | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex index 0bbf84fd3..42f62d97a 100644 --- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex +++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex @@ -573,11 +573,14 @@ keeping it in cache for #{div(cache_ms, 1000)}s") assumed to be emojis and stored in the new `pack.json` file. """ def import_from_fs(conn, _params) do - with {:ok, results} <- File.ls(emoji_dir_path()) do + emoji_path = emoji_dir_path() + + with {:ok, %{access: :read_write}} <- File.stat(emoji_path), + {:ok, results} <- File.ls(emoji_path) do imported_pack_names = results |> Enum.filter(fn file -> - dir_path = Path.join(emoji_dir_path(), file) + dir_path = Path.join(emoji_path, file) # Find the directories that do NOT have pack.json File.dir?(dir_path) and not File.exists?(Path.join(dir_path, "pack.json")) end) @@ -585,6 +588,11 @@ keeping it in cache for #{div(cache_ms, 1000)}s") json(conn, imported_pack_names) else + {:ok, %{access: _}} -> + conn + |> put_status(:internal_server_error) + |> json(%{error: "Error emoji pack directory must be writable and readable"}) + {:error, _} -> conn |> put_status(:internal_server_error) -- cgit v1.2.3 From 2bd4d6289bdc01dec69756c5e1ebca551fe3a6e7 Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Wed, 29 Jan 2020 18:43:23 +0400 Subject: Make the warning more scarier --- lib/pleroma/plugs/http_security_plug.ex | 38 ++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index 8bc324f48..0ba412699 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -94,7 +94,43 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do def warn_if_disabled do unless Config.get([:http_security, :enabled]) do - Logger.warn("HTTP Security is disabled. Add this line to you config to enable it: + Logger.warn(" + .i;;;;i. + iYcviii;vXY: + .YXi .i1c. + .YC. . in7. + .vc. ...... ;1c. + i7, .. .;1; + i7, .. ... .Y1i + ,7v .6MMM@; .YX, + .7;. ..IMMMMMM1 :t7. + .;Y. ;$MMMMMM9. :tc. + vY. .. .nMMM@MMU. ;1v. + i7i ... .#MM@M@C. .....:71i + it: .... $MMM@9;.,i;;;i,;tti + :t7. ..... 0MMMWv.,iii:::,,;St. + .nC. ..... IMMMQ..,::::::,.,czX. + .ct: ....... .ZMMMI..,:::::::,,:76Y. + c2: ......,i..Y$M@t..:::::::,,..inZY + vov ......:ii..c$MBc..,,,,,,,,,,..iI9i + i9Y ......iii:..7@MA,..,,,,,,,,,....;AA: + iIS. ......:ii::..;@MI....,............;Ez. + .I9. ......:i::::...8M1..................C0z. + .z9; ......:i::::,.. .i:...................zWX. + vbv ......,i::::,,. ................. :AQY + c6Y. .,...,::::,,..:t0@@QY. ................ :8bi + :6S. ..,,...,:::,,,..EMMMMMMI. ............... .;bZ, + :6o, .,,,,..:::,,,..i#MMMMMM#v................. YW2. + .n8i ..,,,,,,,::,,,,.. tMMMMM@C:.................. .1Wn + 7Uc. .:::,,,,,::,,,,.. i1t;,..................... .UEi + 7C...::::::::::::,,,,.. .................... vSi. + ;1;...,,::::::,......... .................. Yz: + v97,......... .voC. + izAotX7777777777777777777777777777777777777777Y7n92: + .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov. + + +HTTP Security is disabled. Add this line to your config to enable it: config :pleroma, :http_security, enabled: true ") -- cgit v1.2.3 From e07e7888d7b15d79fad98037e9830a618b93ae9b Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Wed, 29 Jan 2020 18:53:43 +0400 Subject: Fix credo warning --- lib/pleroma/plugs/http_security_plug.ex | 1 - 1 file changed, 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index 0ba412699..e4939efe5 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -129,7 +129,6 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do izAotX7777777777777777777777777777777777777777Y7n92: .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov. - HTTP Security is disabled. Add this line to your config to enable it: config :pleroma, :http_security, enabled: true -- cgit v1.2.3 From 889965141a1411dd546757fbb964695bd8f712d7 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Wed, 29 Jan 2020 23:59:27 +0300 Subject: RemoteIp: only trust X-Forwarded-For Our nginx config will happily pass `Forwarded`/`X-Real-IP` from the client. Caddy, Apache and Varnish pass `X-Forwarded-For` as well anyway. --- lib/pleroma/plugs/remote_ip.ex | 3 --- 1 file changed, 3 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/plugs/remote_ip.ex b/lib/pleroma/plugs/remote_ip.ex index fdedc27ee..1cd5af48a 100644 --- a/lib/pleroma/plugs/remote_ip.ex +++ b/lib/pleroma/plugs/remote_ip.ex @@ -10,10 +10,7 @@ defmodule Pleroma.Plugs.RemoteIp do @behaviour Plug @headers ~w[ - forwarded x-forwarded-for - x-client-ip - x-real-ip ] # https://en.wikipedia.org/wiki/Localhost -- cgit v1.2.3 From 36becd55733fa3fdf046e24d7bd7fdd516fdd4fc Mon Sep 17 00:00:00 2001 From: feld Date: Thu, 30 Jan 2020 14:07:41 +0000 Subject: Update http_security_plug.ex --- lib/pleroma/plugs/http_security_plug.ex | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index e4939efe5..b04273979 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -129,7 +129,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do izAotX7777777777777777777777777777777777777777Y7n92: .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov. -HTTP Security is disabled. Add this line to your config to enable it: +HTTP Security is disabled. Please re-enable it to prevent users from attacking +your instance and your users via malicious posts: config :pleroma, :http_security, enabled: true ") -- cgit v1.2.3 From b3e9c8772445bfdfe4ec72378fb76c4cf76dc2da Mon Sep 17 00:00:00 2001 From: feld Date: Thu, 30 Jan 2020 14:09:41 +0000 Subject: Update emoji_api_controller.ex --- lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex index 42f62d97a..a2f6d2287 100644 --- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex +++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex @@ -591,7 +591,7 @@ keeping it in cache for #{div(cache_ms, 1000)}s") {:ok, %{access: _}} -> conn |> put_status(:internal_server_error) - |> json(%{error: "Error emoji pack directory must be writable and readable"}) + |> json(%{error: "Error: emoji pack directory must be writable"}) {:error, _} -> conn -- cgit v1.2.3 From a0d9d42eaab397a1913038fea5c2d3630b812849 Mon Sep 17 00:00:00 2001 From: lain Date: Thu, 30 Jan 2020 16:07:37 +0100 Subject: Emoji Reactions: Actually use the validation. --- lib/pleroma/web/activity_pub/activity_pub.ex | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 1ac67b618..5c436941a 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -325,12 +325,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do def react_with_emoji(user, object, emoji, options \\ []) do with local <- Keyword.get(options, :local, true), activity_id <- Keyword.get(options, :activity_id, nil), - Pleroma.Emoji.is_unicode_emoji?(emoji), + true <- Pleroma.Emoji.is_unicode_emoji?(emoji), reaction_data <- make_emoji_reaction_data(user, object, emoji, activity_id), {:ok, activity} <- insert(reaction_data, local), {:ok, object} <- add_emoji_reaction_to_object(activity, object), :ok <- maybe_federate(activity) do {:ok, activity, object} + else + e -> {:error, e} end end @@ -345,6 +347,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do {:ok, object} <- remove_emoji_reaction_from_object(reaction_activity, object), :ok <- maybe_federate(activity) do {:ok, activity, object} + else + e -> {:error, e} end end -- cgit v1.2.3