Signed fetches spoofing

Mint 2022-08-21 21:04:01 +03:00 committed by Sam Therapy
parent d4b24ef58b
commit 77f28a4c91
Signed by: sam
GPG key ID: 4D8B07C18F31ACBD
2 changed files with 28 additions and 1 deletions


@ -365,6 +365,12 @@
note_replies_output_limit: 5,
sign_object_fetches: true,
authorized_fetch_mode: false,
spoof_object_fetch_signatures: false,
spoofed_key: "-----BEGIN RSA PRIVATE KEY-----
overwrite this with your internal.fetch key rippen from donor instance DB
yes, just like that, newlines are important
-----END RSA PRIVATE KEY-----",
spoofed_instance: "https://funnydomain.example",
max_collection_objects: 50
config :pleroma, :streamer,
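Review bot: The `spoofed_key` default puts RSA private-key material into the config file as a string literal, and its placeholder text describes it as another instance's internal.fetch key. Whatever is pasted there is then carried by every copy and backup of this file, and the placeholder is not parseable PEM, so enabling `spoof_object_fetch_signatures` without replacing it will presumably fail only when a fetch is signed. If these options stay, default to `spoofed_key: nil` and put a comment above the three keys, for example `# signs outgoing fetches as an actor on spoofed_instance; remote servers will attribute them to that domain`. For the instance whose key is meant here, the relevant control is rotating its internal.fetch key once its database has been exposed, since receivers presumably verify against the published public key.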


@ -3,7 +3,10 @@
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Object.Fetcher do
@behaviour HTTPSignatures.Adapter
alias Pleroma.HTTP
alias Pleroma.Keys
alias Pleroma.Instances
alias Pleroma.Maps
alias Pleroma.Object
@ -203,13 +206,31 @@ def fetch_object_from_id!(id, options \\ []) do
defp make_signature(id, date) do
uri = URI.parse(id)
signature =
spoofed_pem = Pleroma.Config.get([:activitypub, :spoofed_key])
# workaround for syntax shite disallowing me from defining signature in "if" block
spoofed_key = if Pleroma.Config.get([:activitypub, :spoof_object_fetch_signatures]) do
with {:ok, private_key, _} <- Keys.keys_from_pem(spoofed_pem) do
private_key
end
else
""
end
spoofed_instance = Pleroma.Config.get([:activitypub, :spoofed_instance])
signature = if Pleroma.Config.get([:activitypub, :spoof_object_fetch_signatures]) do
HTTPSignatures.sign(spoofed_key, spoofed_instance <> "/internal/fetch#main-key", %{
"(request-target)": "get #{uri.path}",
host: uri.host,
date: date
})
else
InternalFetchActor.get_actor()
|> Signature.sign(%{
"(request-target)": "get #{uri.path}",
host: uri.host,
date: date
})
end
{"signature", signature}
end
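Review bot: The `with` around `Keys.keys_from_pem(spoofed_pem)` in `make_signature` has no `else`, so any return other than `{:ok, private_key, _}` is bound to `spoofed_key` unchanged and passed to `HTTPSignatures.sign`, where the failure shows up far from the bad config value. An assertive match, `{:ok, private_key, _} = Keys.keys_from_pem(spoofed_pem)`, inside a single `if`/`else` that returns the signature would fail at the cause and remove both the `""` placeholder and the second read of the flag. The key id `spoofed_instance <> "/internal/fetch#main-key"` names an actor on a domain this instance does not control, so a remote server that verifies the signature will apply its allow or block decision to that domain rather than to the real requester. That deserves a comment at the branch, e.g. `# signs as a foreign actor; remote authorized-fetch decisions are made against spoofed_instance`, and arguably a logged warning whenever the flag is on. The PEM is also parsed again on every call.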