From f1e07f49b927a73a7b151bafe850ca35fe95f6e6 Mon Sep 17 00:00:00 2001 From: mei23 Date: Sat, 2 Dec 2023 09:40:06 +0900 Subject: [PATCH] Check Signature Algorithm --- package.json | 2 +- pnpm-lock.yaml | 30 +++++++++++++++--------------- src/@types/http-signature.d.ts | 2 +- src/queue/index.ts | 2 +- src/queue/processors/inbox.ts | 2 +- src/queue/types.ts | 3 +-- src/server/activitypub.ts | 14 +++++++++++++- test/ap-request.ts | 2 +- 8 files changed, 34 insertions(+), 23 deletions(-) diff --git a/package.json b/package.json index 23ad708cd6..e5e1fe681c 100644 --- a/package.json +++ b/package.json @@ -87,7 +87,7 @@ "highlight.js": "10.6.0", "html-minifier": "4.0.0", "http-proxy-agent": "5.0.0", - "http-signature": "1.3.6", + "@peertube/http-signature": "1.7.0", "https-proxy-agent": "5.0.1", "insert-text-at-cursor": "0.3.0", "ip-cidr": "3.0.11", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index a9f4008774..c4955ecf9b 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -36,6 +36,9 @@ dependencies: '@koa/router': specifier: 8.0.8 version: 8.0.8 + '@peertube/http-signature': + specifier: 1.7.0 + version: 1.7.0 '@swc/core': specifier: 1.3.39 version: 1.3.39 @@ -171,9 +174,6 @@ dependencies: http-proxy-agent: specifier: 5.0.0 version: 5.0.0 - http-signature: - specifier: 1.3.6 - version: 1.3.6 https-proxy-agent: specifier: 5.0.1 version: 5.0.1 @@ -1056,6 +1056,15 @@ packages: - encoding dev: false + /@peertube/http-signature@1.7.0: + resolution: {integrity: sha512-aGQIwo6/sWtyyqhVK4e1MtxYz4N1X8CNt6SOtCc+Wnczs5S5ONaLHDDR8LYaGn0MgOwvGgXyuZ5sJIfd7iyoUw==} + engines: {node: '>=0.10'} + dependencies: + assert-plus: 1.0.0 + jsprim: 1.4.2 + sshpk: 1.17.0 + dev: false + /@redocly/ajv@8.11.0: resolution: {integrity: sha512-9GWx27t7xWhDIR02PA18nzBdLcKQRgc46xNQvjFkrYk4UOmvKhJ/dawwiX0cCOeetN5LcaaiqQbVOWYK62SGHw==} dependencies: @@ -5641,15 +5650,6 @@ packages: - supports-color dev: false - /http-signature@1.3.6: - resolution: {integrity: sha512-3adrsD6zqo4GsTqtO7FyrejHNv+NgiIfAfv68+jVlFmSr9OGy7zrxONceFRLKvnnZA5jbxQBX1u9PpB6Wi32Gw==} - engines: {node: '>=0.10'} - dependencies: - assert-plus: 1.0.0 - jsprim: 2.0.2 - sshpk: 1.17.0 - dev: false - /http2-wrapper@1.0.3: resolution: {integrity: sha512-V+23sDMr12Wnz7iTcDeJr3O6AIxlnvT/bmaAAAP/Xda35C90p9599p0F1eHR/N1KILWSoWVAiOMFjBBXaXSMxg==} engines: {node: '>=10.19.0'} @@ -6416,9 +6416,9 @@ packages: engines: {node: '>=0.10.0'} dev: false - /jsprim@2.0.2: - resolution: {integrity: sha512-gqXddjPqQ6G40VdnI6T6yObEC+pDNvyP95wdQhkWkg7crHH3km5qP1FsOXEkzEQwnz6gz5qGTn1c2Y52wP3OyQ==} - engines: {'0': node >=0.6.0} + /jsprim@1.4.2: + resolution: {integrity: sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==} + engines: {node: '>=0.6.0'} dependencies: assert-plus: 1.0.0 extsprintf: 1.3.0 diff --git a/src/@types/http-signature.d.ts b/src/@types/http-signature.d.ts index 8d484312dc..41d9a60898 100644 --- a/src/@types/http-signature.d.ts +++ b/src/@types/http-signature.d.ts @@ -1,4 +1,4 @@ -declare module 'http-signature' { +declare module '@peertube/http-signature' { import { IncomingMessage, ClientRequest } from 'http'; interface ISignature { diff --git a/src/queue/index.ts b/src/queue/index.ts index 91213f10c0..83e733644b 100644 --- a/src/queue/index.ts +++ b/src/queue/index.ts @@ -1,4 +1,4 @@ -import * as httpSignature from 'http-signature'; +import * as httpSignature from '@peertube/http-signature'; import config from '../config'; import { ILocalUser, User } from '../models/entities/user'; diff --git a/src/queue/processors/inbox.ts b/src/queue/processors/inbox.ts index 7853ce0d29..359ebbb862 100644 --- a/src/queue/processors/inbox.ts +++ b/src/queue/processors/inbox.ts @@ -1,5 +1,5 @@ import * as Bull from 'bull'; -import * as httpSignature from 'http-signature'; +import * as httpSignature from '@peertube/http-signature'; import perform from '../../remote/activitypub/perform'; import Logger from '../../services/logger'; import { registerOrFetchInstanceDoc } from '../../services/register-or-fetch-instance-doc'; diff --git a/src/queue/types.ts b/src/queue/types.ts index 875304a3e5..fe53c59a08 100644 --- a/src/queue/types.ts +++ b/src/queue/types.ts @@ -1,5 +1,4 @@ -//import { ObjectID } from 'mongodb'; -import * as httpSignature from 'http-signature'; +import * as httpSignature from '@peertube/http-signature'; import { ILocalUser, User } from '../models/entities/user'; import { IActivity } from '../remote/activitypub/type'; diff --git a/src/server/activitypub.ts b/src/server/activitypub.ts index 3ff25263f5..941a5c5f43 100644 --- a/src/server/activitypub.ts +++ b/src/server/activitypub.ts @@ -3,7 +3,7 @@ import config from '../config'; import * as coBody from 'co-body'; import * as crypto from 'crypto'; import { IActivity } from '../remote/activitypub/type'; -import * as httpSignature from 'http-signature'; +import * as httpSignature from '@peertube/http-signature'; import Logger from '../services/logger'; import { inspect } from 'util'; @@ -61,6 +61,18 @@ async function inbox(ctx: Router.RouterContext) { return; } + // Validate signature algorithm + if (!signature.algorithm.toLowerCase().match(/^((dsa|rsa|ecdsa)-(sha256|sha384|sha512)|ed25519-sha512|hs2019)$/)) { + logger.warn(`inbox: invalid signature algorithm ${signature.algorithm}`); + ctx.status = 401; + ctx.message = 'Invalid Signature Algorithm'; + return; + + // hs2019 + // keyType=ED25519 => ed25519-sha512 + // keyType=other => (keyType)-sha256 + } + // Digestヘッダーの検証 const digest = ctx.req.headers.digest; diff --git a/test/ap-request.ts b/test/ap-request.ts index 4a9799eb99..54eb6b8a61 100644 --- a/test/ap-request.ts +++ b/test/ap-request.ts @@ -1,7 +1,7 @@ import * as assert from 'assert'; import { genRsaKeyPair } from '../src/misc/gen-key-pair'; import { createSignedPost, createSignedGet } from '../src/remote/activitypub/ap-request'; -const httpSignature = require('http-signature'); +const httpSignature = require('@peertube/http-signature'); export const buildParsedSignature = (signingString: string, signature: string, algorithm: string) => { return {