gitforge/modules/setting/federation.go
elle 540551acf2 federation: protect against SSRF attacks (#11795)
Adds an extra check to ensure the `keyId` and `actorId` included in signed requests and actor records point back to the originating host.

This check prevents server-side request forgery (SSRF) attacks where a carefully crafted request could be used to trick a federation server into making requests to arbitrary hosts and ports.

Further refactors can make these checks more robust, but would better fit after other existing refactor PRs are merged.

Related: https://codeberg.org/forgejo/forgejo/issues/11779

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11795
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-07-08 02:03:17 +02:00

55 lines
1.7 KiB
Go

// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package setting
import (
"forgejo.org/modules/log"
"github.com/42wim/httpsig"
)
// Federation settings
var (
Federation = struct {
Enabled bool
ShareUserStatistics bool
MaxSize int64
SignatureAlgorithms []string
DigestAlgorithm string
GetHeaders []string
PostHeaders []string
SignatureEnforced bool
InsecureAllowInvalidHosts bool
}{
Enabled: false,
ShareUserStatistics: true,
MaxSize: 4,
SignatureAlgorithms: []string{"rsa-sha256", "rsa-sha512", "ed25519"},
DigestAlgorithm: "SHA-256",
GetHeaders: []string{"(request-target)", "Date", "Host"},
PostHeaders: []string{"(request-target)", "Date", "Host", "Digest"},
SignatureEnforced: true,
InsecureAllowInvalidHosts: false,
}
)
// HttpsigAlgs is a constant slice of httpsig algorithm objects
var HttpsigAlgs []httpsig.Algorithm
func loadFederationFrom(rootCfg ConfigProvider) {
if err := rootCfg.Section("federation").MapTo(&Federation); err != nil {
log.Fatal("Failed to map Federation settings: %v", err)
} else if !httpsig.IsSupportedDigestAlgorithm(Federation.DigestAlgorithm) {
log.Fatal("unsupported digest algorithm: %s", Federation.DigestAlgorithm)
return
}
// Get MaxSize in bytes instead of MiB
Federation.MaxSize = 1 << 20 * Federation.MaxSize
HttpsigAlgs = make([]httpsig.Algorithm, len(Federation.SignatureAlgorithms))
for i, alg := range Federation.SignatureAlgorithms {
HttpsigAlgs[i] = httpsig.Algorithm(alg)
}
}