1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-28 13:49:13 -05:00
forgejo/docs/unsure-where-to-put/threat_analysis_star_activity.md

146 lines
7.3 KiB
Markdown
Raw Normal View History

2024-01-05 05:34:32 -05:00
# Threat analysis for the federated Like Activity
2023-11-29 03:21:54 -05:00
2023-12-19 02:36:02 -05:00
See also [1] for getting an idea about the analysis.
2023-11-29 03:21:54 -05:00
## Technical Background
### Control Flow
```mermaid
sequenceDiagram
participant fs as foreign_repository_server
participant os as our_repository_server
2024-01-05 05:34:32 -05:00
fs ->> os: post /api/activitypub/repository-id/1/inbox {Like-Activity}
2023-11-29 03:21:54 -05:00
activate os
2024-01-05 05:40:35 -05:00
os ->> repository: load "1"
2024-01-05 05:34:32 -05:00
os ->> os: validate actor id inputs
2024-01-13 11:16:43 -05:00
activate os
os ->> FederationInfo: get by Host
os ->> os: if FederatonInfo not found
activate os
os ->> fs: get .well-known/nodeinfo
os ->> NodeInfoWellKnown: create & validate
os ->> fs: get api/v1/nodeinfo
os ->> NodeInfo: create & validate
2024-01-13 11:16:43 -05:00
os ->> FederationInfo: create
deactivate os
2024-01-05 05:34:32 -05:00
os ->> ForgeLike: validate
deactivate os
2024-01-05 05:34:32 -05:00
2023-12-15 09:37:00 -05:00
os ->> user: search for user with actor-id
2024-01-05 05:34:32 -05:00
os ->> os: create user if not found
activate os
os ->> fs: get /api/activitypub/user-id/{id from actor}
os ->> ForgePerson: validate
2024-01-05 05:40:35 -05:00
os ->> user: create user from ForgePerson
2024-01-05 05:34:32 -05:00
deactivate os
2024-01-05 05:40:35 -05:00
os ->> repository: execute star
2024-01-13 11:16:43 -05:00
os ->> FederationInfo: update latest activity
2023-11-29 03:21:54 -05:00
os -->> fs: 200 ok
deactivate os
```
### Data transfered
```
# NodeInfoWellKnown
{"links":[
{"href":"https://federated-repo.prod.meissa.de/api/v1/nodeinfo",
"rel":"http://nodeinfo.diaspora.software/ns/schema/2.1"}]}
2023-11-29 03:21:54 -05:00
# NodeInfo
{"version":"2.1",
"software":{"name":"gitea",
...}}
# LikeActivity
2023-11-29 03:21:54 -05:00
{"id": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1/outbox/12345",
"type": "Like",
2023-11-29 03:21:54 -05:00
"actor": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1",
2023-12-15 09:37:00 -05:00
"object": "https://codeberg.org/api/v1/activitypub/repository-id/12"
"startTime": "2014-12-31T23:00:00-08:00"
2023-11-29 03:21:54 -05:00
}
# Person
{"id":"https://federated-repo.prod.meissa.de/api/v1/activitypub/user-id/10",
"type":"Person",
"preferredUsername":"stargoose9",
2024-01-05 05:34:32 -05:00
"name": "goose going to star the repo",
"publicKey":{"id":"https://federated-repo.prod.meissa.de/api/v1/activitypub/user-id/10#main-key",
"owner":"https://federated-repo.prod.meissa.de/api/v1/activitypub/user-id/10",
"publicKeyPem":"-----BEGIN PUBLIC KEY-----\nMIIBoj...XAgMBAAE=\n-----END PUBLIC KEY-----\n"}}
2023-11-29 03:21:54 -05:00
```
### Data Flow
```mermaid
flowchart TD
A(User) --> |stars a federated repository| B(foreign repository server)
B --> |Like Activity| C(our repository server)
C --> |get NodeInfoWellKnown| B
C --> |get NodeInfo| B
2023-12-15 09:37:00 -05:00
C --> |get Person Actor| B
C --> |cache/create federated user localy| D(our database)
C --> |cache/create NodeInfo localy| D(our database)
2023-11-29 03:21:54 -05:00
C --> |add star to repo localy| D
```
## Analysis
### Assets
1. **Service Availability**: The availability of our or foreign servers.
2024-01-05 05:40:35 -05:00
2. **Instance Reputation**: We hope our project does not live on a spam instance.
3. **Project Reputation**: The reputation of an individual project.
2023-11-29 03:21:54 -05:00
### Actors
2023-12-19 04:19:35 -05:00
1. **Script Kiddies**: Boored teens, willing to do some illegal stuff without deep knowlege of tech details but broad knowlege across internet discussions. Able to do some bash / python scripting.
2023-12-09 13:23:48 -05:00
2. **Experienced Hacker**: Hacker with deep knowlege.
2024-01-14 08:53:00 -05:00
3. **Hacker**: Hacker with some knowledge.
4. **OpenSource Promoter**: Developers motivated to increase (or decrease) star count for some dedicated projects.
2023-11-29 03:21:54 -05:00
### Threat
2024-01-05 05:40:35 -05:00
1. Script Kiddi sends a Like Activity containing an attack actor url `http://attacked.target/very/special/path` in place of actor. Our repository server sends a `get Person Actor` request to this url. The target receives a DenialdOfService attack. We loose CPU & instance reputation.
2024-01-05 05:34:32 -05:00
2. Experienced hacker sends a Like Activity containing an actor url pointing to an evil forgejo instance. Our repository server sends an `get Person Actor` request to this instance and gets a person having sth. like `; drop database;` in its name. If our server tries to create a new user out of this persion, the db might be dropped.
2024-01-05 05:40:35 -05:00
3. OpenSource Promoter sends Star Activities containing non authorized Person Actors. The Actors listed as stargazer might get angry about this. The project may loose project reputation.
2024-01-05 12:19:46 -05:00
4. **DOS by Rate**: Experienced Hacker records activities sent and replays some of them. Without order of activities (i.e. timestamp) we can not decide wether we should execute the activity again. If the replayed activities are UnLike Activity we might loose stars.
5. **Reply**: Experienced Hacker records activities sends a massive amount of activities which leads to new user creation & storage loss. Our instance might fall out of service.
2024-01-13 11:16:43 -05:00
6. **Reply out of Order**: Experienced Hacker records activities sends again Unlike Activities happend but was succeded by an Like. Our instance accept the Unlike and removes a star. Our repositore gets rated unintended bad.
7. **DOS by Slowlories**: Experienced Hacker may craft their malicious server to keep connections open. Then they send a Like Activity with the actor URL pointing to that malicious server, and your background job keeps waiting for data. Then they send more such requests, until you exhaust your limit of file descriptors openable for your system and cause a DoS (by causing cascading failures all over the system, given file descriptors are used for about everything, from files, to sockets, to pipes). See also [Slowloris@wikipedia][2].
2024-01-14 08:53:00 -05:00
8. **Block by future StartTime**: Hacker sends an Activity having `startTime` in far future. Our Instance does no longer accept Activities till they have far far future `startTime` from the actors instance.
2023-12-15 09:37:00 -05:00
### Mitigations
2023-12-19 02:36:02 -05:00
2023-12-15 09:37:00 -05:00
1. Validate object uri in order to send only requests to well defined endpoints.
2. giteas global SQL injection protection. TODO: verify if there is one.
3. We accept only signed Activities
2023-12-20 03:33:29 -05:00
4. We accept only activities having an startTime & remember the last executed activity startTime.
2023-12-19 02:36:02 -05:00
5. We introduce (or have) rate limiting per IP.
6. We ensure, that outgoing HTTP requests have a reasonable timeout (if you didn't get that 500b JSON response after 10 seconds, you probably won't get it).
2023-11-29 03:21:54 -05:00
2024-01-05 11:43:18 -05:00
### THREAD-Score
2023-11-29 03:21:54 -05:00
| Threat | Damage | Reproducibility | Exploitability | Affected Users | Discoverability | Mitigations |
| :----- | :------ | :-------------- | :------------- | :------------- | :-------------- | :---------- |
| 1. | ... tbd | | | | | |
| 2. | ... tbd | | | | | |
Threat Score with values between 1 - 6
2023-11-29 03:21:54 -05:00
2024-01-05 05:43:52 -05:00
* Damage how severe would the damage be if the attack is successful? 6 is a very bad damage.
* Reproducibility how easy would the attack be reproducible? 6 is very easy to reproduce.
* Exploitability How much time, effort and experience are necessary to exploit the threat? 6 is very easy to make.
* Affected Users if a threat were exploited, how many percentage of users would be affected?
* Discoverability How easy can an attack be discovered? Does the attacker have to expect prosecution? 6 is very hard to discover / is not illegal
2023-11-29 03:21:54 -05:00
2023-12-19 02:36:02 -05:00
## Contributors
In adition to direct commiter our special thanks goes to the experts joining our discussions:
* [kik](https://codeberg.org/oelmekki)
2023-11-29 03:21:54 -05:00
## Reference
2024-01-05 05:34:32 -05:00
[1]: https://geballte-sicherheit.de/threat-modelling-bedrohungsanalyse-7-teil-einstufung-von-bedrohungen-ranking-of-threats/
[2]: https://en.wikipedia.org/wiki/Slowloris_(computer_security)