Force signed headers in http signatures

Thanks Roger
author: Chocobozzz <me@florianbigard.com> 2020-11-12 10:42:25 +0100
committer: Chocobozzz <me@florianbigard.com> 2020-11-12 16:29:32 +0100
commit: 797d05bdd99b63104522051d0f61f1e0f003e780 (patch)
tree: a0e356958e03aa62c4539afacbf7715eba305954 /server
parent: 2a9562fc5894509e63016b1fe09f6dce0c4b6e5e (diff)
download: PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.tar.gz
PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.tar.zst
PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.zip
4 files changed, 39 insertions, 3 deletions
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts
index 1655cd7b5..994f725d8 100644
--- a/server/helpers/peertube-crypto.ts
+++ b/server/helpers/peertube-crypto.ts
@@ -50,7 +50,11 @@ function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): bool
 }
 function parseHTTPSignature (req: Request, clockSkew?: number) {
-  return httpSignature.parse(req, { clockSkew })
+  const headers = req.method === 'POST'
+    ? HTTP_SIGNATURE.REQUIRED_HEADERS.POST
+    : HTTP_SIGNATURE.REQUIRED_HEADERS.ALL
+  return httpSignature.parse(req, { clockSkew, headers })
 }
 // JSONLD
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 501e06396..679503731 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -513,6 +513,10 @@ const HTTP_SIGNATURE = {
  HEADER_NAME: 'signature',
  ALGORITHM: 'rsa-sha256',
  HEADERS_TO_SIGN: [ '(request-target)', 'host', 'date', 'digest' ],
+  REQUIRED_HEADERS: {
+    ALL: [ '(request-target)', 'host', 'date' ],
+    POST: [ '(request-target)', 'host', 'date', 'digest' ]
+  },
  CLOCK_SKEW_SECONDS: 1800
 }
diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts
index 580606a68..d00594059 100644
--- a/server/middlewares/activitypub.ts
+++ b/server/middlewares/activitypub.ts
@@ -63,7 +63,16 @@ async function checkHttpSignature (req: Request, res: Response) {
  const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
  if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')
-  const parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
+  let parsed: any
+  try {
+    parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
+  } catch (err) {
+    logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err })
+    res.status(403).json({ error: err.message })
+    return false
+  }
  const keyId = parsed.keyId
  if (!keyId) {
diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts
index ac4bc7c6a..e6002b661 100644
--- a/server/tests/api/activitypub/security.ts
+++ b/server/tests/api/activitypub/security.ts
@@ -99,13 +99,32 @@ describe('Test ActivityPub security', function () {
      expect(response.statusCode).to.equal(403)
    })
-    it('Should succeed with a valid HTTP signature', async function () {
+    it('Should reject requests without appropriate signed headers', async function () {
      await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
      await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
      const headers = buildGlobalHeaders(body)
+      const signatureOptions = baseHttpSignature()
+      const badHeadersMatrix = [
+        [ '(request-target)', 'date', 'digest' ],
+        [ 'host', 'date', 'digest' ],
+        [ '(request-target)', 'host', 'digest' ]
+      ]
+      for (const badHeaders of badHeadersMatrix) {
+        signatureOptions.headers = badHeaders
+        const { response } = await makePOSTAPRequest(url, body, signatureOptions, headers)
+        expect(response.statusCode).to.equal(403)
+      }
+    })
+    it('Should succeed with a valid HTTP signature', async function () {
+      const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
+      const headers = buildGlobalHeaders(body)
      const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
      expect(response.statusCode).to.equal(204)
author	Chocobozzz <me@florianbigard.com>	2020-11-12 10:42:25 +0100
committer	Chocobozzz <me@florianbigard.com>	2020-11-12 16:29:32 +0100
commit	797d05bdd99b63104522051d0f61f1e0f003e780 (patch)
tree	a0e356958e03aa62c4539afacbf7715eba305954 /server
parent	2a9562fc5894509e63016b1fe09f6dce0c4b6e5e (diff)
download	PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.tar.gz PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.tar.zst PeerTube-797d05bdd99b63104522051d0f61f1e0f003e780.zip

diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts index 1655cd7b5..994f725d8 100644 --- a/server/helpers/peertube-crypto.ts +++ b/server/helpers/peertube-crypto.ts
@@ -50,7 +50,11 @@ function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): bool
50	}	50	}
51		51
52	function parseHTTPSignature (req: Request, clockSkew?: number) {	52	function parseHTTPSignature (req: Request, clockSkew?: number) {
53	return httpSignature.parse(req, { clockSkew })	53	const headers = req.method === 'POST'
		54	? HTTP_SIGNATURE.REQUIRED_HEADERS.POST
		55	: HTTP_SIGNATURE.REQUIRED_HEADERS.ALL
		56
		57	return httpSignature.parse(req, { clockSkew, headers })
54	}	58	}
55		59
56	// JSONLD	60	// JSONLD


diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index 501e06396..679503731 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts
@@ -513,6 +513,10 @@ const HTTP_SIGNATURE = {
513	HEADER_NAME: 'signature',	513	HEADER_NAME: 'signature',
514	ALGORITHM: 'rsa-sha256',	514	ALGORITHM: 'rsa-sha256',
515	HEADERS_TO_SIGN: [ '(request-target)', 'host', 'date', 'digest' ],	515	HEADERS_TO_SIGN: [ '(request-target)', 'host', 'date', 'digest' ],
		516	REQUIRED_HEADERS: {
		517	ALL: [ '(request-target)', 'host', 'date' ],
		518	POST: [ '(request-target)', 'host', 'date', 'digest' ]
		519	},
516	CLOCK_SKEW_SECONDS: 1800	520	CLOCK_SKEW_SECONDS: 1800
517	}	521	}
518		522


diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index 580606a68..d00594059 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts
@@ -63,7 +63,16 @@ async function checkHttpSignature (req: Request, res: Response) {
63	const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string	63	const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string
64	if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')	64	if (sig && sig.startsWith('Signature ') === true) req.headers[HTTP_SIGNATURE.HEADER_NAME] = sig.replace(/^Signature /, '')
65		65
66	const parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)	66	let parsed: any
		67
		68	try {
		69	parsed = parseHTTPSignature(req, HTTP_SIGNATURE.CLOCK_SKEW_SECONDS)
		70	} catch (err) {
		71	logger.warn('Invalid signature because of exception in signature parser', { reqBody: req.body, err })
		72
		73	res.status(403).json({ error: err.message })
		74	return false
		75	}
67		76
68	const keyId = parsed.keyId	77	const keyId = parsed.keyId
69	if (!keyId) {	78	if (!keyId) {


diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts index ac4bc7c6a..e6002b661 100644 --- a/server/tests/api/activitypub/security.ts +++ b/server/tests/api/activitypub/security.ts
@@ -99,13 +99,32 @@ describe('Test ActivityPub security', function () {
99	expect(response.statusCode).to.equal(403)	99	expect(response.statusCode).to.equal(403)
100	})	100	})
101		101
102	it('Should succeed with a valid HTTP signature', async function () {	102	it('Should reject requests without appropriate signed headers', async function () {
103	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)	103	await setKeysOfServer(servers[0], servers[1], keys.publicKey, keys.privateKey)
104	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)	104	await setKeysOfServer(servers[1], servers[1], keys.publicKey, keys.privateKey)
105		105
106	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))	106	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
107	const headers = buildGlobalHeaders(body)	107	const headers = buildGlobalHeaders(body)
108		108
		109	const signatureOptions = baseHttpSignature()
		110	const badHeadersMatrix = [
		111	[ '(request-target)', 'date', 'digest' ],
		112	[ 'host', 'date', 'digest' ],
		113	[ '(request-target)', 'host', 'digest' ]
		114	]
		115
		116	for (const badHeaders of badHeadersMatrix) {
		117	signatureOptions.headers = badHeaders
		118
		119	const { response } = await makePOSTAPRequest(url, body, signatureOptions, headers)
		120	expect(response.statusCode).to.equal(403)
		121	}
		122	})
		123
		124	it('Should succeed with a valid HTTP signature', async function () {
		125	const body = activityPubContextify(getAnnounceWithoutContext(servers[1]))
		126	const headers = buildGlobalHeaders(body)
		127
109	const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)	128	const { response } = await makePOSTAPRequest(url, body, baseHttpSignature(), headers)
110		129
111	expect(response.statusCode).to.equal(204)	130	expect(response.statusCode).to.equal(204)