gitforge/services/federation/delivery_queue.go
elle 540551acf2 federation: protect against SSRF attacks (#11795)
Adds an extra check to ensure the `keyId` and `actorId` included in signed requests and actor records point back to the originating host.

This check prevents server-side request forgery (SSRF) attacks where a carefully crafted request could be used to trick a federation server into making requests to arbitrary hosts and ports.

Further refactors can make these checks more robust, but would better fit after other existing refactor PRs are merged.

Related: https://codeberg.org/forgejo/forgejo/issues/11779

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11795
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-07-08 02:03:17 +02:00

84 lines
2.3 KiB
Go

// Copyright 2024 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package federation
import (
"fmt"
"io"
"net/url"
"forgejo.org/models/user"
"forgejo.org/modules/activitypub"
"forgejo.org/modules/graceful"
"forgejo.org/modules/log"
"forgejo.org/modules/process"
"forgejo.org/modules/queue"
)
type deliveryQueueItem struct {
Doer *user.User
InboxURL string
Payload []byte
DeliveryCount int
}
var deliveryQueue *queue.WorkerPoolQueue[deliveryQueueItem]
func initDeliveryQueue() error {
deliveryQueue = queue.CreateUniqueQueue(graceful.GetManager().ShutdownContext(), "activitypub_inbox_delivery", deliveryQueueHandler)
if deliveryQueue == nil {
return fmt.Errorf("unable to create activitypub_inbox_delivery queue")
}
go graceful.GetManager().RunWithCancel(deliveryQueue)
return nil
}
func deliveryQueueHandler(items ...deliveryQueueItem) (unhandled []deliveryQueueItem) {
for _, item := range items {
item.DeliveryCount++
err := deliverToInbox(item)
if err != nil && item.DeliveryCount < 10 {
unhandled = append(unhandled, item)
}
}
return unhandled
}
func deliverToInbox(item deliveryQueueItem) error {
ctx, _, finished := process.GetManager().AddContext(graceful.GetManager().HammerContext(),
fmt.Sprintf("Delivering an Activity via user[%d] (%s), to %s", item.Doer.ID, item.Doer.Name, item.InboxURL))
defer finished()
clientFactory, err := activitypub.GetClientFactory(ctx)
if err != nil {
return err
}
inboxURL, err := url.Parse(item.InboxURL)
if err != nil {
return fmt.Errorf("invalid delivery item inbox URL: %w", err)
}
apclient, err := clientFactory.WithKeys(ctx, item.Doer, item.Doer.APActorID()+"#main-key", []*url.URL{inboxURL})
if err != nil {
return err
}
log.Trace("Delivering to: %s, signedBy: %s", item.InboxURL, item.Doer.ID)
res, err := apclient.Post(item.Payload, item.InboxURL)
if err != nil {
log.Info("Delivering to: %s failed: %s, times: %v", item.InboxURL, err, item.DeliveryCount)
return err
}
if res.StatusCode >= 400 {
defer res.Body.Close()
body, _ := io.ReadAll(io.LimitReader(res.Body, 16*1024))
log.Warn("Delivering to: %s failed. Status: %d, responseBody: %s, times: %v", item.InboxURL, res.StatusCode, string(body), item.DeliveryCount)
return fmt.Errorf("delivery failed")
}
return nil
}