Improve error reporting and logging when processing remote accounts #15605
Conversation
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
2 times, most recently
from
fad57fb
to
fcbe642
Compare
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
4 times, most recently
from
309cb33
to
3c8ad37
Compare
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
2 times, most recently
from
66506b9
to
3d2435b
Compare
|
DeepSource doesn't like the multiple guarded |
|
ping @Gargron |
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
from
3d2435b
to
a3895bc
Compare
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
from
a3895bc
to
7842738
Compare
| rescue Mastodon::HostValidationError | ||
| nil | ||
| rescue Mastodon::PrivateNetworkAddressError => e | ||
| raise SignatureVerificationError, "Requests to private network addresses are disallowed (tried to query #{e.host})" |
There was a problem hiding this comment.
Hm, is this safe to disclose..? What if you were testing ways to trick the private network checks?
There was a problem hiding this comment.
I think it's safe to disclose, yes. Unless the admin has specifically allowed an address, the check is the same for everyone and can easily be inferred from the code. And in case the admin has allowed an address, it'd be rather easy to check for common ports anyway.
| rescue Mastodon::PrivateNetworkAddressError => e | ||
| raise SignatureVerificationError, "Requests to private network addresses are disallowed (tried to query #{e.host})" | ||
| rescue Mastodon::HostValidationError, ActivityPub::FetchRemoteAccountService::Error, ActivityPub::FetchRemoteKeyService::Error, Webfinger::Error => e | ||
| raise SignatureVerificationError, e.message |
There was a problem hiding this comment.
I'd be in favour of smarter use of the Rails logger for debugging purposes but I am a little uneasy at disclosing each of these errors to the public. I understand that this information would be helpful to someone building an ActivityPub implementation but it could also provide information to an attacker prodding the endpoint for weaknesses...
There was a problem hiding this comment.
I have a hard time thinking about weaknesses that it would disclose, and I'd say that any vulnerability in Mastodon could be found directly in the code, and then exploiting it would be extremely unlikely to be made easier by having such error messages.
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
2 times, most recently
from
6e2551d
to
d1084c0
Compare
|
Bump on codeclimate |
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
from
d1084c0
to
ac3ea15
Compare
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
| SUPPORTED_TYPES = %w(Application Group Organization Person Service).freeze | ||
|
|
||
| # Does a WebFinger roundtrip on each call, unless `only_key` is true | ||
| def call(uri, id: true, prefetched_body: nil, break_on_redirect: false, only_key: false) | ||
| def call(uri, id: true, prefetched_body: nil, break_on_redirect: false, only_key: false, suppress_errors: true) |
There was a problem hiding this comment.
Avoid parameter lists longer than 5 parameters. [6/5]
There was a problem hiding this comment.
I wonder if we should set CountKeywordArgs to false in rubocop's config
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
from
ac3ea15
to
52c1fef
Compare
|
snarfed/bridgy-fed#77 too would have been easier to figure out with such a PR merged |
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
2 times, most recently
from
f72f728
to
ec49f62
Compare
Defaults to true (to preserve previous behavior). If set to false, errors will be raised instead of caught, allowing the caller to be informed of what went wrong.
ClearlyClaire
force-pushed
the
fixes/improved-error-messages
branch
from
ec49f62
to
35caf0a
Compare
|
@Gargron I still think this would be useful |
|
@Gargron I would very much like if you could finally review this before I need to change remote account processing to support groups |
Fix regression from mastodon#15605
…astodon#15605) * Add a more descriptive PrivateNetworkAddressError exception class * Remove unnecessary exception class to rescue clause * Remove unnecessary include to JsonLdHelper * Give more neutral error message when too many webfinger redirects * Remove unnecessary guard condition * Rework how “ActivityPub::FetchRemoteAccountService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteAccountService#call (default/previous behavior). * Rework how “ActivityPub::FetchRemoteKeyService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteKeyService#call (default/previous behavior). * Fix Webfinger::RedirectError not being a subclass of Webfinger::Error * Add suppress_errors option to ResolveAccountService Defaults to true (to preserve previous behavior). If set to false, errors will be raised instead of caught, allowing the caller to be informed of what went wrong. * Return more precise error when failing to fetch account signing AP payloads * Add tests * Fixes * Refactor error handling a bit * Fix various issues * Add specific error when provided Digest is not 256 bits of base64-encoded data * Please CodeClimate * Improve webfinger error reporting
Fix regression from mastodon#15605
…astodon#15605) * Add a more descriptive PrivateNetworkAddressError exception class * Remove unnecessary exception class to rescue clause * Remove unnecessary include to JsonLdHelper * Give more neutral error message when too many webfinger redirects * Remove unnecessary guard condition * Rework how “ActivityPub::FetchRemoteAccountService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteAccountService#call (default/previous behavior). * Rework how “ActivityPub::FetchRemoteKeyService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteKeyService#call (default/previous behavior). * Fix Webfinger::RedirectError not being a subclass of Webfinger::Error * Add suppress_errors option to ResolveAccountService Defaults to true (to preserve previous behavior). If set to false, errors will be raised instead of caught, allowing the caller to be informed of what went wrong. * Return more precise error when failing to fetch account signing AP payloads * Add tests * Fixes * Refactor error handling a bit * Fix various issues * Add specific error when provided Digest is not 256 bits of base64-encoded data * Please CodeClimate * Improve webfinger error reporting
Fix regression from mastodon#15605
|
https://github.com/mastodon/mastodon/blob/main/app/controllers/concerns/signature_verification.rb#L167 has an error in it. It validates the string length of base64 encoded digests, but it checks for a length of 32 vs 64, making it impossible for requests to get to the next validation. |
That's not true. |
…astodon#15605) * Add a more descriptive PrivateNetworkAddressError exception class * Remove unnecessary exception class to rescue clause * Remove unnecessary include to JsonLdHelper * Give more neutral error message when too many webfinger redirects * Remove unnecessary guard condition * Rework how “ActivityPub::FetchRemoteAccountService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteAccountService#call (default/previous behavior). * Rework how “ActivityPub::FetchRemoteKeyService” handles errors Add “suppress_errors” keyword argument to avoid raising errors in ActivityPub::FetchRemoteKeyService#call (default/previous behavior). * Fix Webfinger::RedirectError not being a subclass of Webfinger::Error * Add suppress_errors option to ResolveAccountService Defaults to true (to preserve previous behavior). If set to false, errors will be raised instead of caught, allowing the caller to be informed of what went wrong. * Return more precise error when failing to fetch account signing AP payloads * Add tests * Fixes * Refactor error handling a bit * Fix various issues * Add specific error when provided Digest is not 256 bits of base64-encoded data * Please CodeClimate * Improve webfinger error reporting
Fix regression from mastodon#15605
When discovering/fetching/processing a remote account fails, without adding additional instrumentation to the code, users, developers and admins alike get very few information on the actual reason behind the failure.
This is especially troublesome for fediverse server developers that get very few feedback from Mastodon regarding what exactly failed.
This PR reworks the error handling in the
SignatureVerificationconcern,ResolveAccountServiceandActivityPub::FetchRemoteAccountServiceservices, as well as related classes to return meaningful error messages to ActivityPub queries and log additional information at the “debug” loglevel.