activitypub: verify remote http signature digests by recomputing the digest and replacing the digest header

This commit is contained in:
William Pitcock 2018-07-31 23:17:47 +00:00
parent 2890aef9e8
commit 8da406afa2
3 changed files with 22 additions and 1 deletions

View File

@ -0,0 +1,10 @@
defmodule Pleroma.Web.Plugs.DigestPlug do
alias Plug.Conn
require Logger
def read_body(conn, opts) do
{:ok, body, conn} = Conn.read_body(conn, opts)
digest = "SHA-256=" <> (:crypto.hash(:sha256, body) |> Base.encode64())
{:ok, body, Conn.assign(conn, :digest, digest)}
end
end

View File

@ -19,6 +19,8 @@ def call(conn, _opts) do
cond do cond do
signature && String.contains?(signature, user) -> signature && String.contains?(signature, user) ->
# set (request-target) header to the appropriate value
# we also replace the digest header with the one we computed
conn = conn =
conn conn
|> put_req_header( |> put_req_header(
@ -26,6 +28,14 @@ def call(conn, _opts) do
String.downcase("#{conn.method}") <> " #{conn.request_path}" String.downcase("#{conn.method}") <> " #{conn.request_path}"
) )
conn =
if conn.assigns[:digest] do
conn
|> put_req_header("digest", conn.assigns[:digest])
else
conn
end
assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn)) assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
signature -> signature ->

View File

@ -35,7 +35,8 @@ defmodule Pleroma.Web.Endpoint do
parsers: [:urlencoded, :multipart, :json], parsers: [:urlencoded, :multipart, :json],
pass: ["*/*"], pass: ["*/*"],
json_decoder: Jason, json_decoder: Jason,
length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit) length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit),
body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
) )
plug(Plug.MethodOverride) plug(Plug.MethodOverride)