Compare commits

...

10 Commits

Author SHA1 Message Date
r f4881e7267 Remove form-action CSP directive
Chrome incorrectly restricts the redirect URL to the sources specified
in the form-action value, which prevents the instance oauth page from
loading.
2023-10-25 06:40:34 +00:00
r 597cfc6b1e fluoride: Add image preview for profile image 2023-10-22 11:12:27 +00:00
r 9b053e32ec Fix replace syntax 2023-10-22 11:11:21 +00:00
r 67b13c71ba Use CSP header to restrict resource loading
This helps mitigate XSS exploits.
Users will have to save the settings again to make the custom CSS
work.
2023-10-15 15:53:44 +00:00
r ed521dd33d Restrict instance level custom CSS to static directory 2023-10-15 15:46:54 +00:00
r 927072e26a Remove unused session ID field 2023-10-07 10:20:11 +00:00
r c7f40c1e15 Cleanup oauth redirect URL generation 2023-10-07 09:19:56 +00:00
r d297eb5658 Use stricter cookie attributes 2023-10-07 09:11:43 +00:00
r b83a00aa2c Revoke oauth token on signout 2023-10-02 06:44:26 +00:00
r df031d5edd Cleanup file upload functions 2023-10-01 13:29:04 +00:00
11 changed files with 93 additions and 147 deletions

View File

@ -38,5 +38,4 @@ post_formats=PlainText:text/plain,HTML:text/html,Markdown:text/markdown,BBCode:t
# single_instance=pl.mydomain.com
# Path to custom CSS. Value can be a file path relative to the static directory.
# or a URL starting with either "http://" or "https://".
# custom_css=custom.css

View File

@ -8,7 +8,6 @@ import (
"net/http"
"os"
"path/filepath"
"strings"
"bloat/config"
"bloat/renderer"
@ -47,14 +46,8 @@ func main() {
errExit(err)
}
customCSS := config.CustomCSS
if len(customCSS) > 0 && !strings.HasPrefix(customCSS, "http://") &&
!strings.HasPrefix(customCSS, "https://") {
customCSS = "/static/" + customCSS
}
s := service.NewService(config.ClientName, config.ClientScope,
config.ClientWebsite, customCSS, config.SingleInstance,
config.ClientWebsite, config.CustomCSS, config.SingleInstance,
config.PostFormats, renderer)
handler := service.NewHandler(s, *verbose, config.StaticDirectory)

View File

@ -2,18 +2,14 @@
package mastodon
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"io"
"mime/multipart"
"net/http"
"net/url"
"os"
"path"
"path/filepath"
"strings"
"github.com/tomnomnom/linkheader"
@ -61,83 +57,6 @@ func (c *Client) doAPI(ctx context.Context, method string, uri string, params in
if err != nil {
return err
}
} else if file, ok := params.(string); ok {
f, err := os.Open(file)
if err != nil {
return err
}
defer f.Close()
var buf bytes.Buffer
mw := multipart.NewWriter(&buf)
part, err := mw.CreateFormFile("file", filepath.Base(file))
if err != nil {
return err
}
_, err = io.Copy(part, f)
if err != nil {
return err
}
err = mw.Close()
if err != nil {
return err
}
req, err = http.NewRequest(method, u.String(), &buf)
if err != nil {
return err
}
ct = mw.FormDataContentType()
} else if file, ok := params.(*multipart.FileHeader); ok {
f, err := file.Open()
if err != nil {
return err
}
defer f.Close()
var buf bytes.Buffer
mw := multipart.NewWriter(&buf)
fname := filepath.Base(file.Filename)
err = mw.WriteField("description", fname)
if err != nil {
return err
}
part, err := mw.CreateFormFile("file", fname)
if err != nil {
return err
}
_, err = io.Copy(part, f)
if err != nil {
return err
}
err = mw.Close()
if err != nil {
return err
}
req, err = http.NewRequest(method, u.String(), &buf)
if err != nil {
return err
}
ct = mw.FormDataContentType()
} else if reader, ok := params.(io.Reader); ok {
var buf bytes.Buffer
mw := multipart.NewWriter(&buf)
part, err := mw.CreateFormFile("file", "upload")
if err != nil {
return err
}
_, err = io.Copy(part, reader)
if err != nil {
return err
}
err = mw.Close()
if err != nil {
return err
}
req, err = http.NewRequest(method, u.String(), &buf)
if err != nil {
return err
}
ct = mw.FormDataContentType()
} else if mr, ok := params.(*multipartRequest); ok {
req, err = http.NewRequest(method, u.String(), mr.Data)
if err != nil {
@ -219,6 +138,16 @@ func (c *Client) AuthenticateToken(ctx context.Context, authCode, redirectURI st
return c.authenticate(ctx, params)
}
func (c *Client) RevokeToken(ctx context.Context) error {
params := url.Values{
"client_id": {c.config.ClientID},
"client_secret": {c.config.ClientSecret},
"token": {c.GetAccessToken(ctx)},
}
return c.doAPI(ctx, http.MethodPost, "/oauth/revoke", params, nil, nil)
}
func (c *Client) authenticate(ctx context.Context, params url.Values) error {
u, err := url.Parse(c.config.Server)
if err != nil {

View File

@ -1,12 +1,14 @@
package mastodon
import (
"bytes"
"context"
"fmt"
"io"
"mime/multipart"
"net/http"
"net/url"
"path/filepath"
"time"
)
@ -293,30 +295,35 @@ func (c *Client) Search(ctx context.Context, q string, qType string, limit int,
return &results, nil
}
// UploadMedia upload a media attachment from a file.
func (c *Client) UploadMedia(ctx context.Context, file string) (*Attachment, error) {
var attachment Attachment
err := c.doAPI(ctx, http.MethodPost, "/api/v1/media", file, &attachment, nil)
if err != nil {
return nil, err
}
return &attachment, nil
}
// UploadMediaFromReader uploads a media attachment from a io.Reader.
func (c *Client) UploadMediaFromReader(ctx context.Context, reader io.Reader) (*Attachment, error) {
var attachment Attachment
err := c.doAPI(ctx, http.MethodPost, "/api/v1/media", reader, &attachment, nil)
if err != nil {
return nil, err
}
return &attachment, nil
}
// UploadMediaFromReader uploads a media attachment from a io.Reader.
func (c *Client) UploadMediaFromMultipartFileHeader(ctx context.Context, fh *multipart.FileHeader) (*Attachment, error) {
f, err := fh.Open()
if err != nil {
return nil, err
}
defer f.Close()
var buf bytes.Buffer
mw := multipart.NewWriter(&buf)
fname := filepath.Base(fh.Filename)
err = mw.WriteField("description", fname)
if err != nil {
return nil, err
}
part, err := mw.CreateFormFile("file", fname)
if err != nil {
return nil, err
}
_, err = io.Copy(part, f)
if err != nil {
return nil, err
}
err = mw.Close()
if err != nil {
return nil, err
}
params := &multipartRequest{Data: &buf, ContentType: mw.FormDataContentType()}
var attachment Attachment
err := c.doAPI(ctx, http.MethodPost, "/api/v1/media", fh, &attachment, nil)
err = c.doAPI(ctx, http.MethodPost, "/api/v1/media", params, &attachment, nil)
if err != nil {
return nil, err
}

View File

@ -1,7 +1,6 @@
package model
type Session struct {
ID string `json:"id,omitempty"`
UserID string `json:"uid,omitempty"`
Instance string `json:"ins,omitempty"`
ClientID string `json:"cid,omitempty"`
@ -28,6 +27,7 @@ type Settings struct {
AntiDopamineMode bool `json:"adm,omitempty"`
HideUnsupportedNotifs bool `json:"hun,omitempty"`
CSS string `json:"css,omitempty"`
CSSHash string `json:"cssh,omitempty"`
}
func NewSettings() *Settings {
@ -44,5 +44,6 @@ func NewSettings() *Settings {
AntiDopamineMode: false,
HideUnsupportedNotifs: false,
CSS: "",
CSSHash: "",
}
}

View File

@ -33,9 +33,11 @@ func (c *client) setSession(sess *model.Session) error {
return err
}
http.SetCookie(c.w, &http.Cookie{
Name: "session",
Value: sb.String(),
Expires: time.Now().Add(365 * 24 * time.Hour),
Name: "session",
Path: "/",
HttpOnly: true,
Value: sb.String(),
Expires: time.Now().Add(365 * 24 * time.Hour),
})
return nil
}
@ -53,6 +55,7 @@ func (c *client) getSession() (sess *model.Session, err error) {
func (c *client) unsetSession() {
http.SetCookie(c.w, &http.Cookie{
Name: "session",
Path: "/",
Value: "",
Expires: time.Now(),
})

View File

@ -1,6 +1,8 @@
package service
import (
"crypto/sha256"
"encoding/base64"
"errors"
"fmt"
"mime/multipart"
@ -840,10 +842,6 @@ func (s *service) NewSession(c *client, instance string) (rurl string, sess *mod
instanceURL = "https://" + instance
}
sid, err := util.NewSessionID()
if err != nil {
return
}
csrf, err := util.NewCSRFToken()
if err != nil {
return
@ -859,28 +857,14 @@ func (s *service) NewSession(c *client, instance string) (rurl string, sess *mod
if err != nil {
return
}
rurl = app.AuthURI
sess = &model.Session{
ID: sid,
Instance: instance,
ClientID: app.ClientID,
ClientSecret: app.ClientSecret,
CSRFToken: csrf,
Settings: *model.NewSettings(),
}
u, err := url.Parse("/oauth/authorize")
if err != nil {
return
}
q := make(url.Values)
q.Set("scope", "read write follow")
q.Set("client_id", app.ClientID)
q.Set("response_type", "code")
q.Set("redirect_uri", s.cwebsite+"/oauth_callback")
u.RawQuery = q.Encode()
rurl = instanceURL + u.String()
return
}
@ -902,6 +886,10 @@ func (s *service) Signin(c *client, code string) (err error) {
return c.setSession(c.s)
}
func (s *service) Signout(c *client) (err error) {
return c.RevokeToken(c.ctx)
}
func (s *service) Post(c *client, content string, replyToID string,
format string, visibility string, isNSFW bool,
files []*multipart.FileHeader) (id string, err error) {
@ -1028,8 +1016,18 @@ func (s *service) SaveSettings(c *client, settings *model.Settings) (err error)
default:
return errInvalidArgument
}
if len(settings.CSS) > 1<<20 {
return errInvalidArgument
if len(settings.CSS) > 0 {
if len(settings.CSS) > 1<<20 {
return errInvalidArgument
}
// For some reason, browsers convert CRLF to LF before calculating
// the hash of the inline resources.
settings.CSS = strings.Replace(settings.CSS, "\x0d\x0a", "\x0a", -1)
h := sha256.Sum256([]byte(settings.CSS))
settings.CSSHash = base64.StdEncoding.EncodeToString(h[:])
} else {
settings.CSSHash = ""
}
c.s.Settings = *settings
return c.setSession(c.s)

View File

@ -26,6 +26,15 @@ const (
CSRF
)
const csp = "default-src 'none';" +
" img-src *;" +
" media-src *;" +
" font-src *;" +
" child-src *;" +
" connect-src 'self';" +
" script-src 'self';" +
" style-src 'self'"
func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
r := mux.NewRouter()
@ -58,14 +67,14 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
}(time.Now())
}
var ct string
h := c.w.Header()
switch rt {
case HTML:
ct = "text/html; charset=utf-8"
h.Set("Content-Type", "text/html; charset=utf-8")
h.Set("Content-Security-Policy", csp)
case JSON:
ct = "application/json"
h.Set("Content-Type", "application/json")
}
c.w.Header().Add("Content-Type", ct)
err = c.authenticate(at, s.instance)
if err != nil {
@ -73,6 +82,13 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
return
}
// Override the CSP header to allow custom CSS
if rt == HTML && len(c.s.Settings.CSS) > 0 &&
len(c.s.Settings.CSSHash) > 0 {
v := fmt.Sprintf("%s 'sha256-%s'", csp, c.s.Settings.CSSHash)
h.Set("Content-Security-Policy", v)
}
err = f(c)
if err != nil {
writeError(c, err, rt, req.Method == http.MethodGet)
@ -676,6 +692,10 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
}, CSRF, HTML)
signout := handle(func(c *client) error {
err := s.Signout(c)
if err != nil {
return err
}
c.unsetSession()
c.redirect("/")
return nil

View File

@ -325,7 +325,7 @@ document.addEventListener("DOMContentLoaded", function() {
links[j].target = "_blank";
}
var links = document.querySelectorAll(".status-media-container .img-link");
var links = document.querySelectorAll(".status-media-container .img-link, .user-profile-img-container .img-link");
for (var j = 0; j < links.length; j++) {
handleImgPreview(links[j]);
}

View File

@ -20,7 +20,7 @@
<title> {{if gt .Count 0}}({{.Count}}){{end}} {{.Title}} </title>
<link rel="stylesheet" href="/static/style.css">
{{if .CustomCSS}}
<link rel="stylesheet" href="{{.CustomCSS}}">
<link rel="stylesheet" href="/static/{{.CustomCSS}}">
{{end}}
{{if $.Ctx.FluorideMode}}
<script src="/static/fluoride.js"></script>

View File

@ -16,10 +16,6 @@ func NewRandID(n int) (string, error) {
return enc.EncodeToString(data), nil
}
func NewSessionID() (string, error) {
return NewRandID(24)
}
func NewCSRFToken() (string, error) {
return NewRandID(24)
}