
Delete actor request is missing validation #22

Open
erka opened this issue Feb 10, 2023 · 3 comments

Comments

erka commented Feb 10, 2023

There are some missing parts in the validation during delete actor request processing, and with a simple modification it's possible to remove any actor owned by pub.

This could be done just by replacing object with the correct pub actor.uri in any incoming request.

Request sample

POST /inbox HTTP/1.1
Host: .....ngrok.io
User-Agent: http.rb/5.1.0 (Mastodon/4.0.2; +https://mastodon.world/)
Content-Length: 775
Accept-Encoding: gzip
Content-Type: application/activity+json
Date: Fri, 10 Feb 2023 17:09:40 GMT
Digest: SHA-256=sToIIllPgwEKsuOW8nsX0/cS2vxhnrRkkSRCZXof5yY=
Signature: keyId="https://mastodon.world/users/ellenhoil#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="XfFuML/982h+d3Kay2sAOjrOrwW0iJX2eOQcfhXleFsMohww4euAGkjkIvX8ACN+2rM0LVTGw+YYHn0MTH+fXwy37moJbWeB54y2ElCG49i5UrUDGsi5vd48a6GMPWihcpLVrmPjmCNGdWwbu29DEEeVdIZdikHsEazgvAhUNxM0OgaW5/kn2uoy7ADCwPfXU0zuCtEkuk93T1uf7Oanbb41Zna732Q8yLjpgn5QBlCir8DeJP/+l702A/cpiTTZYWYir87S5ZSd/z9OS34I94mcwGp+dGgqkTCHTWUdvIGmdMNxPFIOQBku2xKdF5sfYI29WKFL9VOLrgenvk+nHA=="
X-Forwarded-For: ....
X-Forwarded-Proto: https

{"@context":"https://www.w3.org/ns/activitystreams","id":"https://mastodon.world/users/ellenhoil#delete","type":"Delete","actor":"https://mastodon.world/users/ellenhoil","to":["https://www.w3.org/ns/activitystreams#Public"],"object":"https://<<pub>>/u/you","signature":{"type":"RsaSignature2017","creator":"https://mastodon.world/users/ellenhoil#main-key","created":"2023-02-10T17:09:36Z","signatureValue":"hXsaRTphNXNKFu2pfJoYI+3ku54vGXsi5fZ43fj57+HFOWTboPcPRkpIXC488Cn3oVnBuJdZh20XSpHWOMzskho+MQ346loLeeTa5SCdn0qeRefUVHT3K9WdE2NyIUaGnNUerWja2b7r7lKyzQy3+WM5vIvg5mT3o9VJCynIUDSgolCoyUP5BQEf8b0cZExoayoFp7Oqx7R9y7HThr8Z4+nkmqftQTLAWbvSuz/ZEKiKKLU36hFioS6Vzda89QyPu3dUbmyPFfi2LI+C26b04u966yUCeXE3Y4QzeiNQCldbltLKt86y26UfnqzTb7o6W/i4A2luBh4x5cD/TrjNIw=="}}
@davecheney
Owner

Yeah, deletes are something that confuse me. I see hundreds of them a day on my instance which can’t be validated because they are signed with the credentials of the person who’s been deleted.

Thank you for raising this, I’ll have a think about it

erka commented Feb 11, 2023

Yep, I get a lot of such requests, and it looks like those requests are time-sensitive. I was able to fetch the key when pub got the delete account request.

Looking at the Mastodon source https://github.com/mastodon/mastodon/blob/e7b81d7d9625893b1323e12215a2a98c0f19f58f/app/lib/activitypub/activity/delete.rb#L3-L10, they process the delete actor action only if object.uri equals actor.uri. pub currently processes it when object is any string.

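As an added illustration of the check described above (example code, not pub's or Mastodon's own), here is the object-equals-actor rule in Go, the language pub is written in. The Activity struct is an assumed minimal shape, not pub's real types, and it handles "object" given either as a bare URI or as an embedded object with an "id".

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of an incoming activity (assumed shape, field names from the
// issue's JSON). "object" stays raw: it may be a URI string or an object.
type Activity struct {
	Type   string          `json:"type"`
	Actor  string          `json:"actor"`
	Object json.RawMessage `json:"object"`
}

// objectURI returns the URI that "object" names, for both encodings.
func objectURI(raw json.RawMessage) (string, error) {
	var s string
	if err := json.Unmarshal(raw, &s); err == nil {
		return s, nil
	}
	var obj struct {
		ID string `json:"id"`
	}
	if err := json.Unmarshal(raw, &obj); err != nil || obj.ID == "" {
		return "", fmt.Errorf("object is neither a URI nor an object with an id")
	}
	return obj.ID, nil
}

// ValidateActorDelete applies the rule the issue points to in Mastodon's
// delete.rb: a Delete counts as an actor deletion only when the object URI
// equals the actor URI; a Delete naming any other actor is refused.
func ValidateActorDelete(body []byte) (string, error) {
	var a Activity
	if err := json.Unmarshal(body, &a); err != nil {
		return "", fmt.Errorf("decode: %w", err)
	}
	if a.Type != "Delete" {
		return "", fmt.Errorf("not a Delete activity: %q", a.Type)
	}
	uri, err := objectURI(a.Object)
	if err != nil {
		return "", err
	}
	if uri != a.Actor {
		return "", fmt.Errorf("refusing Delete of %q: object must equal actor %q", uri, a.Actor)
	}
	return uri, nil
}
```

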
@davecheney
Owner

I’m sure I can make that improvement quickly.
