check domain blocks way earlier on

2025-12-18 14:33:00 -06:00 · 2021-06-30 14:22:46 +02:00 · 2021-06-30 14:22:46 +02:00 · 5bf7b46cf4
commit 5bf7b46cf4
parent 99eb3bf564
19 changed files with 255 additions and 77 deletions
--- a/internal/api/s2s/user/followers.go
+++ b/internal/api/s2s/user/followers.go
@ -19,10 +19,12 @@
 package user

 import (
+	"context"
 	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 )

 // FollowersGETHandler returns a collection of URIs for followers of the target user, formatted so that other AP servers can understand it.
@ -46,9 +48,14 @@ func (m *Module) FollowersGETHandler(c *gin.Context) {
 	}
 	l.Tracef("negotiated format: %s", format)

-	// make a copy of the context to pass along so we don't break anything
-	cp := c.Copy()
-	user, err := m.processor.GetFediFollowers(requestedUsername, cp.Request) // GetFediUser handles auth as well
+	// transfer the signature verifier from the gin context to the request context
+	ctx := c.Request.Context()
+	verifier, signed := c.Get(string(util.APRequestingPublicKeyVerifier))
+	if signed {
+		ctx = context.WithValue(ctx, util.APRequestingPublicKeyVerifier, verifier)
+	}
+
+	user, err := m.processor.GetFediFollowers(ctx, requestedUsername, c.Request.URL) // GetFediUser handles auth as well
 	if err != nil {
 		l.Info(err.Error())
 		c.JSON(err.Code(), gin.H{"error": err.Safe()})
--- a/internal/api/s2s/user/following.go
+++ b/internal/api/s2s/user/following.go
@ -19,10 +19,12 @@
 package user

 import (
+	"context"
 	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 )

 // FollowingGETHandler returns a collection of URIs for accounts that the target user follows, formatted so that other AP servers can understand it.
@ -46,9 +48,14 @@ func (m *Module) FollowingGETHandler(c *gin.Context) {
 	}
 	l.Tracef("negotiated format: %s", format)

-	// make a copy of the context to pass along so we don't break anything
-	cp := c.Copy()
-	user, err := m.processor.GetFediFollowing(requestedUsername, cp.Request) // handles auth as well
+	// transfer the signature verifier from the gin context to the request context
+	ctx := c.Request.Context()
+	verifier, signed := c.Get(string(util.APRequestingPublicKeyVerifier))
+	if signed {
+		ctx = context.WithValue(ctx, util.APRequestingPublicKeyVerifier, verifier)
+	}
+
+	user, err := m.processor.GetFediFollowing(ctx, requestedUsername, c.Request.URL) // handles auth as well
 	if err != nil {
 		l.Info(err.Error())
 		c.JSON(err.Code(), gin.H{"error": err.Safe()})
--- a/internal/api/s2s/user/inboxpost.go
+++ b/internal/api/s2s/user/inboxpost.go
@ -19,11 +19,13 @@
 package user

 import (
+	"context"
 	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 )

 // InboxPOSTHandler deals with incoming POST requests to an actor's inbox.
@ -40,7 +42,14 @@ func (m *Module) InboxPOSTHandler(c *gin.Context) {
 		return
 	}

-	posted, err := m.processor.InboxPost(c.Request.Context(), c.Writer, c.Request)
+	// transfer the signature verifier from the gin context to the request context
+	ctx := c.Request.Context()
+	verifier, signed := c.Get(string(util.APRequestingPublicKeyVerifier))
+	if signed {
+		ctx = context.WithValue(ctx, util.APRequestingPublicKeyVerifier, verifier)
+	}
+
+	posted, err := m.processor.InboxPost(ctx, c.Writer, c.Request)
 	if err != nil {
 		if withCode, ok := err.(gtserror.WithCode); ok {
 			l.Debug(withCode.Error())
--- a/internal/api/s2s/user/publickeyget.go
+++ b/internal/api/s2s/user/publickeyget.go
@ -1,10 +1,12 @@
 package user

 import (
+	"context"
 	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 )

 // PublicKeyGETHandler should be served at eg https://example.org/users/:username/main-key.
@ -32,9 +34,14 @@ func (m *Module) PublicKeyGETHandler(c *gin.Context) {
 	}
 	l.Tracef("negotiated format: %s", format)

-	// make a copy of the context to pass along so we don't break anything
-	cp := c.Copy()
-	user, err := m.processor.GetFediUser(requestedUsername, cp.Request) // GetFediUser handles auth as well
+	// transfer the signature verifier from the gin context to the request context
+	ctx := c.Request.Context()
+	verifier, signed := c.Get(string(util.APRequestingPublicKeyVerifier))
+	if signed {
+		ctx = context.WithValue(ctx, util.APRequestingPublicKeyVerifier, verifier)
+	}
+
+	user, err := m.processor.GetFediUser(ctx, requestedUsername, c.Request.URL) // GetFediUser handles auth as well
 	if err != nil {
 		l.Info(err.Error())
 		c.JSON(err.Code(), gin.H{"error": err.Safe()})
--- a/internal/api/s2s/user/statusget.go
+++ b/internal/api/s2s/user/statusget.go
@ -1,10 +1,12 @@
 package user

 import (
+	"context"
 	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 )

 // StatusGETHandler serves the target status as an activitystreams NOTE so that other AP servers can parse it.
@ -34,9 +36,14 @@ func (m *Module) StatusGETHandler(c *gin.Context) {
 	}
 	l.Tracef("negotiated format: %s", format)

-	// make a copy of the context to pass along so we don't break anything
-	cp := c.Copy()
-	status, err := m.processor.GetFediStatus(requestedUsername, requestedStatusID, cp.Request) // handles auth as well
+	// transfer the signature verifier from the gin context to the request context
+	ctx := c.Request.Context()
+	verifier, signed := c.Get(string(util.APRequestingPublicKeyVerifier))
+	if signed {
+		ctx = context.WithValue(ctx, util.APRequestingPublicKeyVerifier, verifier)
+	}
+
+	status, err := m.processor.GetFediStatus(ctx, requestedUsername, requestedStatusID, c.Request.URL) // handles auth as well
 	if err != nil {
 		l.Info(err.Error())
 		c.JSON(err.Code(), gin.H{"error": err.Safe()})
--- a/internal/api/s2s/user/userget.go
+++ b/internal/api/s2s/user/userget.go
@ -19,10 +19,12 @@
 package user

 import (
+	"context"
 	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 )

 // UsersGETHandler should be served at https://example.org/users/:username.
@ -54,9 +56,14 @@ func (m *Module) UsersGETHandler(c *gin.Context) {
 	}
 	l.Tracef("negotiated format: %s", format)

-	// make a copy of the context to pass along so we don't break anything
-	cp := c.Copy()
-	user, err := m.processor.GetFediUser(requestedUsername, cp.Request) // GetFediUser handles auth as well
+	// transfer the signature verifier from the gin context to the request context
+	ctx := c.Request.Context()
+	verifier, signed := c.Get(string(util.APRequestingPublicKeyVerifier))
+	if signed {
+		ctx = context.WithValue(ctx, util.APRequestingPublicKeyVerifier, verifier)
+	}
+
+	user, err := m.processor.GetFediUser(ctx, requestedUsername, c.Request.URL) // GetFediUser handles auth as well
 	if err != nil {
 		l.Info(err.Error())
 		c.JSON(err.Code(), gin.H{"error": err.Safe()})
--- a/internal/api/s2s/webfinger/webfingerget.go
+++ b/internal/api/s2s/webfinger/webfingerget.go
@ -19,12 +19,14 @@
 package webfinger

 import (
+	"context"
 	"fmt"
 	"net/http"
 	"strings"

 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 )

 // WebfingerGETRequest handles requests to, for example, https://example.org/.well-known/webfinger?resource=acct:some_user@example.org
@ -68,7 +70,14 @@ func (m *Module) WebfingerGETRequest(c *gin.Context) {
 		return
 	}

-	resp, err := m.processor.GetWebfingerAccount(username, c.Request)
+	// transfer the signature verifier from the gin context to the request context
+	ctx := c.Request.Context()
+	verifier, signed := c.Get(string(util.APRequestingPublicKeyVerifier))
+	if signed {
+		ctx = context.WithValue(ctx, util.APRequestingPublicKeyVerifier, verifier)
+	}
+
+	resp, err := m.processor.GetWebfingerAccount(ctx, username, c.Request.URL)
 	if err != nil {
 		l.Debugf("aborting request with an error: %s", err.Error())
 		c.JSON(err.Code(), gin.H{"error": err.Safe()})
--- a/internal/api/security/security.go
+++ b/internal/api/security/security.go
@ -24,6 +24,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/superseriousbusiness/gotosocial/internal/api"
 	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/router"
 )

@ -33,18 +34,21 @@ const robotsPath = "/robots.txt"
 type Module struct {
 	config *config.Config
 	log    *logrus.Logger
+	db     db.DB
 }

 // New returns a new security module
-func New(config *config.Config, log *logrus.Logger) api.ClientModule {
+func New(config *config.Config, db db.DB, log *logrus.Logger) api.ClientModule {
 	return &Module{
 		config: config,
 		log:    log,
+		db:     db,
 	}
 }

 // Route attaches security middleware to the given router
 func (m *Module) Route(s router.Router) error {
+	s.AttachMiddleware(m.SignatureCheck)
 	s.AttachMiddleware(m.FlocBlock)
 	s.AttachMiddleware(m.ExtraHeaders)
 	s.AttachMiddleware(m.UserAgentBlock)
--- a/internal/api/security/signaturecheck.go
+++ b/internal/api/security/signaturecheck.go
@ -0,0 +1,66 @@
+package security
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/gin-gonic/gin"
+	"github.com/go-fed/httpsig"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
+)
+
+func (m *Module) SignatureCheck(c *gin.Context) {
+	l := m.log.WithField("func", "DomainBlockChecker")
+
+	// set this extra field for signature validation
+	c.Request.Header.Set("host", m.config.Host)
+
+	// create the verifier from the request
+	// if the request is signed, it will have a signature header
+	verifier, err := httpsig.NewVerifier(c.Request)
+	if err == nil {
+		// the request was signed!
+
+		// The key ID should be given in the signature so that we know where to fetch it from the remote server.
+		// This will be something like https://example.org/users/whatever_requesting_user#main-key
+		requestingPublicKeyID, err := url.Parse(verifier.KeyId())
+		if err == nil && requestingPublicKeyID != nil {
+			// we managed to parse the url!
+
+			// if the domain is blocked we want to bail as early as possible
+			blockedDomain, err := m.blockedDomain(requestingPublicKeyID.Host)
+			if err != nil {
+				l.Errorf("could not tell if domain %s was blocked or not: %s", requestingPublicKeyID.Host, err)
+				c.AbortWithStatus(http.StatusInternalServerError)
+				return
+			}
+			if blockedDomain {
+				l.Infof("domain %s is blocked", requestingPublicKeyID.Host)
+				c.AbortWithStatus(http.StatusForbidden)
+				return
+			}
+
+			// set the verifier on the context here to save some work further down the line
+			c.Set(string(util.APRequestingPublicKeyVerifier), verifier)
+		}
+	}
+}
+
+func (m *Module) blockedDomain(host string) (bool, error) {
+	b := &gtsmodel.DomainBlock{}
+	err := m.db.GetWhere([]db.Where{{Key: "domain", Value: host, CaseInsensitive: true}}, b)
+	if err == nil {
+		// block exists
+		return true, nil
+	}
+
+	if _, ok := err.(db.ErrNoEntries); ok {
+		// there are no entries so there's no block
+		return false, nil
+	}
+
+	// there's an actual error
+	return false, err
+}