-
-
Notifications
You must be signed in to change notification settings - Fork 6.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve error reporting and logging when processing remote accounts #15605
Improve error reporting and logging when processing remote accounts #15605
Conversation
fad57fb
to
fcbe642
Compare
309cb33
to
3c8ad37
Compare
66506b9
to
3d2435b
Compare
DeepSource doesn't like the multiple guarded |
ping @Gargron |
3d2435b
to
a3895bc
Compare
a3895bc
to
7842738
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't want to knock this PR down but I'm not sure 🤔
rescue Mastodon::HostValidationError | ||
nil | ||
rescue Mastodon::PrivateNetworkAddressError => e | ||
raise SignatureVerificationError, "Requests to private network addresses are disallowed (tried to query #{e.host})" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, is this safe to disclose..? What if you were testing ways to trick the private network checks?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's safe to disclose, yes. Unless the admin has specifically allowed an address, the check is the same for everyone and can easily be inferred from the code. And in case the admin has allowed an address, it'd be rather easy to check for common ports anyway.
rescue Mastodon::PrivateNetworkAddressError => e | ||
raise SignatureVerificationError, "Requests to private network addresses are disallowed (tried to query #{e.host})" | ||
rescue Mastodon::HostValidationError, ActivityPub::FetchRemoteAccountService::Error, ActivityPub::FetchRemoteKeyService::Error, Webfinger::Error => e | ||
raise SignatureVerificationError, e.message |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd be in favour of smarter use of the Rails logger for debugging purposes but I am a little uneasy at disclosing each of these errors to the public. I understand that this information would be helpful to someone building an ActivityPub implementation but it could also provide information to an attacker prodding the endpoint for weaknesses...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a hard time thinking about weaknesses that it would disclose, and I'd say that any vulnerability in Mastodon could be found directly in the code, and then exploiting it would be extremely unlikely to be made easier by having such error messages.
6e2551d
to
d1084c0
Compare
Bump on codeclimate |
d1084c0
to
ac3ea15
Compare
SUPPORTED_TYPES = %w(Application Group Organization Person Service).freeze | ||
|
||
# Does a WebFinger roundtrip on each call, unless `only_key` is true | ||
def call(uri, id: true, prefetched_body: nil, break_on_redirect: false, only_key: false) | ||
def call(uri, id: true, prefetched_body: nil, break_on_redirect: false, only_key: false, suppress_errors: true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Avoid parameter lists longer than 5 parameters. [6/5]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if we should set CountKeywordArgs
to false
in rubocop's config
ac3ea15
to
52c1fef
Compare
snarfed/bridgy-fed#77 too would have been easier to figure out with such a PR merged |
f72f728
to
ec49f62
Compare
Defaults to true (to preserve previous behavior). If set to false, errors will be raised instead of caught, allowing the caller to be informed of what went wrong.
ec49f62
to
35caf0a
Compare
@Gargron I still think this would be useful |
@Gargron I would very much like if you could finally review this before I need to change remote account processing to support groups |
Fix regression from mastodon#15605
…astodon#15605) * Add a more descriptive PrivateNetworkAddressError exception class * Remove unnecessary exception class to rescue clause * Remove unnecessary include to JsonLdHelper * Give more neutral error message when too many webfinger redirects * Remove unnecessary guard condition * Rework how “ActivityPub::FetchRemoteAccountService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteAccountService#call (default/previous behavior). * Rework how “ActivityPub::FetchRemoteKeyService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteKeyService#call (default/previous behavior). * Fix Webfinger::RedirectError not being a subclass of Webfinger::Error * Add suppress_errors option to ResolveAccountService Defaults to true (to preserve previous behavior). If set to false, errors will be raised instead of caught, allowing the caller to be informed of what went wrong. * Return more precise error when failing to fetch account signing AP payloads * Add tests * Fixes * Refactor error handling a bit * Fix various issues * Add specific error when provided Digest is not 256 bits of base64-encoded data * Please CodeClimate * Improve webfinger error reporting
Fix regression from mastodon#15605
…astodon#15605) * Add a more descriptive PrivateNetworkAddressError exception class * Remove unnecessary exception class to rescue clause * Remove unnecessary include to JsonLdHelper * Give more neutral error message when too many webfinger redirects * Remove unnecessary guard condition * Rework how “ActivityPub::FetchRemoteAccountService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteAccountService#call (default/previous behavior). * Rework how “ActivityPub::FetchRemoteKeyService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteKeyService#call (default/previous behavior). * Fix Webfinger::RedirectError not being a subclass of Webfinger::Error * Add suppress_errors option to ResolveAccountService Defaults to true (to preserve previous behavior). If set to false, errors will be raised instead of caught, allowing the caller to be informed of what went wrong. * Return more precise error when failing to fetch account signing AP payloads * Add tests * Fixes * Refactor error handling a bit * Fix various issues * Add specific error when provided Digest is not 256 bits of base64-encoded data * Please CodeClimate * Improve webfinger error reporting
Fix regression from mastodon#15605
https://github.com/mastodon/mastodon/blob/main/app/controllers/concerns/signature_verification.rb#L167 has an error in it. It validates the string length of base64 encoded digests, but it checks for a length of 32 vs 64, making it impossible for requests to get to the next validation. |
That's not true. |
…astodon#15605) * Add a more descriptive PrivateNetworkAddressError exception class * Remove unnecessary exception class to rescue clause * Remove unnecessary include to JsonLdHelper * Give more neutral error message when too many webfinger redirects * Remove unnecessary guard condition * Rework how “ActivityPub::FetchRemoteAccountService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteAccountService#call (default/previous behavior). * Rework how “ActivityPub::FetchRemoteKeyService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteKeyService#call (default/previous behavior). * Fix Webfinger::RedirectError not being a subclass of Webfinger::Error * Add suppress_errors option to ResolveAccountService Defaults to true (to preserve previous behavior). If set to false, errors will be raised instead of caught, allowing the caller to be informed of what went wrong. * Return more precise error when failing to fetch account signing AP payloads * Add tests * Fixes * Refactor error handling a bit * Fix various issues * Add specific error when provided Digest is not 256 bits of base64-encoded data * Please CodeClimate * Improve webfinger error reporting
Fix regression from mastodon#15605
When discovering/fetching/processing a remote account fails, without adding additional instrumentation to the code, users, developers and admins alike get very few information on the actual reason behind the failure.
This is especially troublesome for fediverse server developers that get very few feedback from Mastodon regarding what exactly failed.
This PR reworks the error handling in the
SignatureVerification
concern,ResolveAccountService
andActivityPub::FetchRemoteAccountService
services, as well as related classes to return meaningful error messages to ActivityPub queries and log additional information at the “debug” loglevel.