From 1e6a290fb3460928294e425ee7c496eeee2b1717 Mon Sep 17 00:00:00 2001 From: Thomas Sileo Date: Mon, 15 Aug 2022 10:15:00 +0200 Subject: [PATCH] Start supporting a server blocklist --- app/activitypub.py | 2 ++ app/actor.py | 4 ++++ app/boxes.py | 5 +++++ app/config.py | 9 +++++++++ app/httpsig.py | 20 ++++++++++++++++++++ app/utils/url.py | 5 +++++ 6 files changed, 45 insertions(+) diff --git a/app/activitypub.py b/app/activitypub.py index 80e5201..77edd68 100644 --- a/app/activitypub.py +++ b/app/activitypub.py @@ -59,6 +59,8 @@ class ObjectNotFoundError(Exception): class FetchErrorTypeEnum(str, enum.Enum): TIMEOUT = "TIMEOUT" NOT_FOUND = "NOT_FOUND" + UNAUHTORIZED = "UNAUTHORIZED" + INTERNAL_ERROR = "INTERNAL_ERROR" diff --git a/app/actor.py b/app/actor.py index 33d57e9..6ebdf3f 100644 --- a/app/actor.py +++ b/app/actor.py @@ -114,6 +114,10 @@ class Actor: def attachments(self) -> list[ap.RawObject]: return ap.as_list(self.ap_actor.get("attachment", [])) + @cached_property + def server(self) -> str: + return urlparse(self.ap_id).netloc + class RemoteActor(Actor): def __init__(self, ap_actor: ap.RawObject) -> None: diff --git a/app/boxes.py b/app/boxes.py index cf68865..078759c 100644 --- a/app/boxes.py +++ b/app/boxes.py @@ -26,6 +26,7 @@ from app.actor import fetch_actor from app.actor import save_actor from app.ap_object import RemoteObject from app.config import BASE_URL +from app.config import BLOCKED_SERVERS from app.config import ID from app.config import MANUALLY_APPROVES_FOLLOWERS from app.database import AsyncSession @@ -1447,6 +1448,10 @@ async def save_to_inbox( logger.exception("Failed to fetch actor") return + if actor.server in BLOCKED_SERVERS: + logger.warning(f"Server {actor.server} is blocked") + return + if "id" not in raw_object: await _process_transient_object(db_session, raw_object, actor) return None diff --git a/app/config.py b/app/config.py index 9578d08..9df50a9 100644 --- a/app/config.py +++ b/app/config.py @@ -50,6 +50,11 @@ class _ProfileMetadata(pydantic.BaseModel): value: str +class _BlockedServer(pydantic.BaseModel): + hostname: str + reason: str | None = None + + class Config(pydantic.BaseModel): domain: str username: str @@ -65,6 +70,7 @@ class Config(pydantic.BaseModel): privacy_replace: list[_PrivacyReplace] | None = None metadata: list[_ProfileMetadata] | None = None code_highlighting_theme = "friendly_grayscale" + blocked_servers: list[_BlockedServer] = [] # Config items to make tests easier sqlalchemy_database: str | None = None @@ -109,6 +115,9 @@ MANUALLY_APPROVES_FOLLOWERS = CONFIG.manually_approves_followers PRIVACY_REPLACE = None if CONFIG.privacy_replace: PRIVACY_REPLACE = {pr.domain: pr.replace_by for pr in CONFIG.privacy_replace} + +BLOCKED_SERVERS = {blocked_server.hostname for blocked_server in CONFIG.blocked_servers} + BASE_URL = ID DEBUG = CONFIG.debug DB_PATH = CONFIG.sqlalchemy_database or ROOT_DIR / "data" / "microblogpub.db" diff --git a/app/httpsig.py b/app/httpsig.py index 34be69b..645b0cc 100644 --- a/app/httpsig.py +++ b/app/httpsig.py @@ -9,6 +9,7 @@ from typing import Any from typing import Dict from typing import MutableMapping from typing import Optional +from urllib.parse import urlparse import fastapi import httpx @@ -21,6 +22,7 @@ from sqlalchemy import select from app import activitypub as ap from app import config +from app.config import BLOCKED_SERVERS from app.config import KEY_PATH from app.database import AsyncSession from app.database import get_db_session @@ -144,6 +146,7 @@ class HTTPSigInfo: is_ap_actor_gone: bool = False is_unsupported_algorithm: bool = False is_expired: bool = False + server: str | None = None async def httpsig_checker( @@ -157,11 +160,22 @@ async def httpsig_checker( logger.info("No HTTP signature found") return HTTPSigInfo(has_valid_signature=False) + try: + key_id = hsig["keyId"] + except KeyError: + logger.info("Missing keyId") + return HTTPSigInfo( + has_valid_signature=False, + ) + + server = urlparse(key_id).hostname + if alg := hsig.get("algorithm") not in ["rsa-sha256", "hs2019"]: logger.info(f"Unsupported HTTP sig algorithm: {alg}") return HTTPSigInfo( has_valid_signature=False, is_unsupported_algorithm=True, + server=server, ) logger.debug(f"hsig={hsig}") @@ -180,6 +194,7 @@ async def httpsig_checker( return HTTPSigInfo( has_valid_signature=False, is_expired=True, + server=server, ) try: @@ -196,6 +211,7 @@ async def httpsig_checker( signed_string, base64.b64decode(hsig["signature"]), k.pubkey ), signed_by_ap_actor_id=k.owner, + server=server, ) logger.info(f"Valid HTTP signature for {httpsig_info.signed_by_ap_actor_id}") return httpsig_info @@ -206,6 +222,10 @@ async def enforce_httpsig( httpsig_info: HTTPSigInfo = fastapi.Depends(httpsig_checker), ) -> HTTPSigInfo: """FastAPI Depends""" + if httpsig_info.server in BLOCKED_SERVERS: + logger.warning(f"{httpsig_info.server} is blocked") + raise fastapi.HTTPException(status_code=403, detail="Blocked") + if not httpsig_info.has_valid_signature: logger.warning(f"Invalid HTTP sig {httpsig_info=}") body = await request.body() diff --git a/app/utils/url.py b/app/utils/url.py index 8e03af9..64cff05 100644 --- a/app/utils/url.py +++ b/app/utils/url.py @@ -5,6 +5,7 @@ from urllib.parse import urlparse from loguru import logger +from app.config import BLOCKED_SERVERS from app.config import DEBUG @@ -53,6 +54,10 @@ def is_url_valid(url: str) -> bool: if not parsed.hostname or parsed.hostname.lower() in ["localhost"]: return False + if parsed.hostname in BLOCKED_SERVERS: + logger.warning(f"{parsed.hostname} is blocked") + return False + ip_address = _getaddrinfo( parsed.hostname, parsed.port or (80 if parsed.scheme == "http" else 443) )