Merge branch 'fix-dockerfile-perms' into 'develop'

Fix config ownership in dockerfile to pass restriction test See merge request pleroma/pleroma!3931
Fix config ownership in dockerfile to pass restriction test
2023-08-10 00:42:29 +00:00 · 2023-08-08 19:07:48 +02:00 · 2023-08-06 08:27:27 +00:00 · 2023-08-05 14:17:04 +02:00 · 2023-08-05 11:04:32 +00:00 · 2023-08-05 08:13:03 +00:00
13 changed files with 71 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -18,6 +18,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Removed
 - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact)

+## 2.5.4
+
+## Security
+- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
+
 ## 2.5.3

 ### Security
--- a/2
+++ b/2
@ -49,7 +49,7 @@ USER pleroma

 COPY --from=build --chown=pleroma:0 /release ${HOME}

-COPY ./config/docker.exs /etc/pleroma/config.exs
+COPY --chown=pleroma --chmod=640 ./config/docker.exs /etc/pleroma/config.exs
 COPY ./docker-entrypoint.sh ${HOME}

 EXPOSE 4000
--- a/changelog.d/akkoma-xml-remote-entities.security
+++ b/changelog.d/akkoma-xml-remote-entities.security
@ -0,0 +1 @@
+Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
--- a/changelog.d/disable-xml-entity-resolution.security
+++ b/changelog.d/disable-xml-entity-resolution.security
@ -0,0 +1 @@
+Disable XML entity resolution completely to fix a dos vulnerability
--- a/changelog.d/dockerfile-config-perms.fix
+++ b/changelog.d/dockerfile-config-perms.fix
@ -0,0 +1 @@
+- Fix config ownership in dockerfile to pass restriction test
--- a/changelog.d/gentoo_otp_intro.skip
+++ b/changelog.d/gentoo_otp_intro.skip
--- a/docs/installation/gentoo_otp_en.md
+++ b/docs/installation/gentoo_otp_en.md
@ -2,7 +2,7 @@

 {! backend/installation/otp_vs_from_source.include !}

-A [manual installation guide for gentoo](./gentoo_en.md) is also available.
+This guide covers installation via Gentoo provided packaging. A [manual installation guide for gentoo](./gentoo_en.md) is also available.

 ## Installation

--- a/lib/pleroma/web/xml.ex
+++ b/lib/pleroma/web/xml.ex
@ -29,7 +29,10 @@ def parse_document(text) do
      {doc, _rest} =
        text
        |> :binary.bin_to_list()
-        |> :xmerl_scan.string(quiet: true)
+        |> :xmerl_scan.string(
+          quiet: true,
+          allow_entities: false
+        )

      {:ok, doc}
    rescue
--- a/mix.exs
+++ b/mix.exs
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
  def project do
    [
      app: :pleroma,
-      version: version("2.5.53"),
+      version: version("2.5.54"),
      elixir: "~> 1.11",
      elixirc_paths: elixirc_paths(Mix.env()),
      compilers: [:phoenix] ++ Mix.compilers(),
--- a/test/fixtures/xml_billion_laughs.xml
+++ b/test/fixtures/xml_billion_laughs.xml
@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+ <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+ <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+ <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+ <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+ <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+ <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+ <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+]>
+<lolz>&lol9;</lolz>
--- a/test/fixtures/xml_external_entities.xml
+++ b/test/fixtures/xml_external_entities.xml
@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
+<stockCheck><productId>&xxe;</productId></stockCheck>
--- a/test/pleroma/web/web_finger_test.exs
+++ b/test/pleroma/web/web_finger_test.exs
@ -180,5 +180,28 @@ test "respects xml content-type" do

      {:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
    end
+
+    test "refuses to process XML remote entities" do
+      Tesla.Mock.mock(fn
+        %{
+          url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
+        } ->
+          {:ok,
+           %Tesla.Env{
+             status: 200,
+             body: File.read!("test/fixtures/xml_external_entities.xml"),
+             headers: [{"content-type", "application/xrd+xml"}]
+           }}
+
+        %{url: "https://pawoo.net/.well-known/host-meta"} ->
+          {:ok,
+           %Tesla.Env{
+             status: 200,
+             body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
+           }}
+      end)
+
+      assert :error = WebFinger.finger("pekorino@pawoo.net")
+    end
  end
 end
--- a/test/pleroma/web/xml_test.exs
+++ b/test/pleroma/web/xml_test.exs
@ -0,0 +1,15 @@
+defmodule Pleroma.Web.XMLTest do
+  use Pleroma.DataCase, async: true
+
+  alias Pleroma.Web.XML
+
+  test "refuses to parse any entities from XML" do
+    data = File.read!("test/fixtures/xml_billion_laughs.xml")
+    assert(:error == XML.parse_document(data))
+  end
+
+  test "refuses to load external entities from XML" do
+    data = File.read!("test/fixtures/xml_external_entities.xml")
+    assert(:error == XML.parse_document(data))
+  end
+end
Author	SHA1	Message	Date
tusooa	b729a8b140	Merge branch 'fix-dockerfile-perms' into 'develop' Fix config ownership in dockerfile to pass restriction test See merge request pleroma/pleroma!3931	2023-08-10 00:42:29 +00:00
Cat pony Black	c298e0165c	Fix config ownership in dockerfile to pass restriction test	2023-08-08 19:07:48 +02:00
Haelwenn	4e355b8595	Merge branch 'disable-xml-entities-completely' into 'develop' Completely disable xml entity resolution See merge request pleroma/pleroma!3932	2023-08-06 08:27:27 +00:00
mae	48b1e9bdc7	Completely disable xml entity resolution	2023-08-05 14:17:04 +02:00
Haelwenn	17c336de66	Merge branch 'docs/gentoo-otp-intro' into 'develop' gentoo_otp_en.md: Indicate which install method it covers See merge request pleroma/pleroma!3928	2023-08-05 11:04:32 +00:00
Haelwenn	d0f7a5c4f5	Merge branch 'mergeback/2.5.4' into 'develop' Mergeback: 2.5.4 See merge request pleroma/pleroma!3930	2023-08-05 08:13:03 +00:00
Haelwenn (lanodan) Monnier	4099ddb3dc	Mergeback release 2.5.4	2023-08-05 08:58:05 +02:00
Mark Felder	6d48b0f1a9	Document and test that XXE processing is disabled https://vuln.be/post/xxe-in-erlang-and-elixir/	2023-08-05 08:14:27 +02:00
FloatingGhost	307692cee8	Add unit test for external entity loading	2023-08-05 08:14:27 +02:00
Mae	ca0859b90f	Prevent XML parser from loading external entities	2023-08-04 22:35:13 -04:00
Haelwenn (lanodan) Monnier	0e321698d2	gentoo_otp_en.md: Indicate which install method it covers	2023-08-04 17:11:20 +02:00
				`@ -0,0 +1 @@`
				`Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem`
				`@ -0,0 +1 @@`
				`Disable XML entity resolution completely to fix a dos vulnerability`
				`@ -0,0 +1 @@`
				`- Fix config ownership in dockerfile to pass restriction test`