Merge branch 'fix-dockerfile-perms' into 'develop'

Fix config ownership in dockerfile to pass restriction test See merge request pleroma/pleroma!3931
Fix config ownership in dockerfile to pass restriction test
2023-08-10 00:42:29 +00:00 · 2023-08-08 19:07:48 +02:00 · 2023-08-06 08:27:27 +00:00 · 2023-08-05 14:17:04 +02:00 · 2023-08-05 11:04:32 +00:00 · 2023-08-05 08:13:03 +00:00
13 changed files with 71 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -18,6 +18,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Removed
 - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact)
 ## 2.5.4
 ## Security
 - Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
 ## 2.5.3
 ### Security
--- a/2
+++ b/2
@ -49,7 +49,7 @@ USER pleroma
 COPY --from=build --chown=pleroma:0 /release ${HOME}
-COPY ./config/docker.exs /etc/pleroma/config.exs
+COPY --chown=pleroma --chmod=640 ./config/docker.exs /etc/pleroma/config.exs
 COPY ./docker-entrypoint.sh ${HOME}
 EXPOSE 4000
--- a/changelog.d/akkoma-xml-remote-entities.security
+++ b/changelog.d/akkoma-xml-remote-entities.security
@ -0,0 +1 @@
 Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
--- a/changelog.d/disable-xml-entity-resolution.security
+++ b/changelog.d/disable-xml-entity-resolution.security
@ -0,0 +1 @@
 Disable XML entity resolution completely to fix a dos vulnerability
--- a/changelog.d/dockerfile-config-perms.fix
+++ b/changelog.d/dockerfile-config-perms.fix
@ -0,0 +1 @@
 - Fix config ownership in dockerfile to pass restriction test
--- a/changelog.d/gentoo_otp_intro.skip
+++ b/changelog.d/gentoo_otp_intro.skip
--- a/docs/installation/gentoo_otp_en.md
+++ b/docs/installation/gentoo_otp_en.md
@ -2,7 +2,7 @@
 {! backend/installation/otp_vs_from_source.include !}
-A [manual installation guide for gentoo](./gentoo_en.md) is also available.
+This guide covers installation via Gentoo provided packaging. A [manual installation guide for gentoo](./gentoo_en.md) is also available.
 ## Installation
--- a/lib/pleroma/web/xml.ex
+++ b/lib/pleroma/web/xml.ex
@ -29,7 +29,10 @@ def parse_document(text) do
      {doc, _rest} =
        text
        |> :binary.bin_to_list()
-        |> :xmerl_scan.string(quiet: true)
+        |> :xmerl_scan.string(
          quiet: true,
          allow_entities: false
        )
      {:ok, doc}
    rescue
--- a/mix.exs
+++ b/mix.exs
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
  def project do
    [
      app: :pleroma,
-      version: version("2.5.53"),
+      version: version("2.5.54"),
      elixir: "~> 1.11",
      elixirc_paths: elixirc_paths(Mix.env()),
      compilers: [:phoenix] ++ Mix.compilers(),
--- a/test/fixtures/xml_billion_laughs.xml
+++ b/test/fixtures/xml_billion_laughs.xml
@ -0,0 +1,15 @@
 <?xml version="1.0"?>
 <!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
 ]>
 <lolz>&lol9;</lolz>
--- a/test/fixtures/xml_external_entities.xml
+++ b/test/fixtures/xml_external_entities.xml
@ -0,0 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
 <stockCheck><productId>&xxe;</productId></stockCheck>
--- a/test/pleroma/web/web_finger_test.exs
+++ b/test/pleroma/web/web_finger_test.exs
@ -180,5 +180,28 @@ test "respects xml content-type" do
      {:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
    end
    test "refuses to process XML remote entities" do
      Tesla.Mock.mock(fn
        %{
          url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
        } ->
          {:ok,
           %Tesla.Env{
             status: 200,
             body: File.read!("test/fixtures/xml_external_entities.xml"),
             headers: [{"content-type", "application/xrd+xml"}]
           }}
        %{url: "https://pawoo.net/.well-known/host-meta"} ->
          {:ok,
           %Tesla.Env{
             status: 200,
             body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
           }}
      end)
      assert :error = WebFinger.finger("pekorino@pawoo.net")
    end
  end
 end
--- a/test/pleroma/web/xml_test.exs
+++ b/test/pleroma/web/xml_test.exs
@ -0,0 +1,15 @@
 defmodule Pleroma.Web.XMLTest do
  use Pleroma.DataCase, async: true
  alias Pleroma.Web.XML
  test "refuses to parse any entities from XML" do
    data = File.read!("test/fixtures/xml_billion_laughs.xml")
    assert(:error == XML.parse_document(data))
  end
  test "refuses to load external entities from XML" do
    data = File.read!("test/fixtures/xml_external_entities.xml")
    assert(:error == XML.parse_document(data))
  end
 end
Author	SHA1	Message	Date
tusooa	b729a8b140	Merge branch 'fix-dockerfile-perms' into 'develop' Fix config ownership in dockerfile to pass restriction test See merge request pleroma/pleroma!3931	2023-08-10 00:42:29 +00:00
Cat pony Black	c298e0165c	Fix config ownership in dockerfile to pass restriction test	2023-08-08 19:07:48 +02:00
Haelwenn	4e355b8595	Merge branch 'disable-xml-entities-completely' into 'develop' Completely disable xml entity resolution See merge request pleroma/pleroma!3932	2023-08-06 08:27:27 +00:00
mae	48b1e9bdc7	Completely disable xml entity resolution	2023-08-05 14:17:04 +02:00
Haelwenn	17c336de66	Merge branch 'docs/gentoo-otp-intro' into 'develop' gentoo_otp_en.md: Indicate which install method it covers See merge request pleroma/pleroma!3928	2023-08-05 11:04:32 +00:00
Haelwenn	d0f7a5c4f5	Merge branch 'mergeback/2.5.4' into 'develop' Mergeback: 2.5.4 See merge request pleroma/pleroma!3930	2023-08-05 08:13:03 +00:00
Haelwenn (lanodan) Monnier	4099ddb3dc	Mergeback release 2.5.4	2023-08-05 08:58:05 +02:00
Mark Felder	6d48b0f1a9	Document and test that XXE processing is disabled https://vuln.be/post/xxe-in-erlang-and-elixir/	2023-08-05 08:14:27 +02:00
FloatingGhost	307692cee8	Add unit test for external entity loading	2023-08-05 08:14:27 +02:00
Mae	ca0859b90f	Prevent XML parser from loading external entities	2023-08-04 22:35:13 -04:00
Haelwenn (lanodan) Monnier	0e321698d2	gentoo_otp_en.md: Indicate which install method it covers	2023-08-04 17:11:20 +02:00
		`@ -0,0 +1 @@`
							`Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem`
		`@ -0,0 +1 @@`
							`Disable XML entity resolution completely to fix a dos vulnerability`
		`@ -0,0 +1 @@`
							`- Fix config ownership in dockerfile to pass restriction test`