From 86e6d395d931f532b18fccdeb65c300b22fbce8a Mon Sep 17 00:00:00 2001
From: Mark Felder
Date: Wed, 14 Feb 2024 17:54:56 -0500
Subject: [PATCH 1/3] Fix atom leak in password digest functionality

The value here gets passesd to :crypto.pbkdf2_hmac and it expects one of these atoms: :sha | :sha224 | :sha256 | :sha384 | :sha512 so it will always exist
---
 lib/pleroma/password/pbkdf2.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/pleroma/password/pbkdf2.ex b/lib/pleroma/password/pbkdf2.ex
index 92e9e1952..9c6d2e381 100644
--- a/lib/pleroma/password/pbkdf2.ex
+++ b/lib/pleroma/password/pbkdf2.ex
@@ -28,7 +28,7 @@ def verify_pass(password, hash) do
 iterations = String.to_integer(iterations)
- digest = String.to_atom(digest)
+ digest = String.to_existing_atom(digest)
 binary_hash = KeyGenerator.generate(password, salt, digest: digest, iterations: iterations, length: 64)

From 91c83a82a052ec73c82b9b5576fd5b05c7dc8a74 Mon Sep 17 00:00:00 2001
From: Mark Felder
Date: Wed, 14 Feb 2024 17:58:36 -0500
Subject: [PATCH 2/3] Fix atom leak in background worker

The only permitted values are "blocks_import", "follow_import", "mutes_import" of which we already have the equivalent atoms defined.
---
 lib/pleroma/workers/background_worker.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/pleroma/workers/background_worker.ex b/lib/pleroma/workers/background_worker.ex
index 794417612..7a2210dc1 100644
--- a/lib/pleroma/workers/background_worker.ex
+++ b/lib/pleroma/workers/background_worker.ex
@@ -28,7 +28,7 @@ def perform(%Job{args: %{"op" => "force_password_reset", "user_id" => user_id}})
 def perform(%Job{args: %{"op" => op, "user_id" => user_id, "identifiers" => identifiers}})
 when op in ["blocks_import", "follow_import", "mutes_import"] do
 user = User.get_cached_by_id(user_id)
- {:ok, User.Import.perform(String.to_atom(op), user, identifiers)}
+ {:ok, User.Import.perform(String.to_existing_atom(op), user, identifiers)}
 end
 def perform(%Job{
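Review bot: In lib/pleroma/password/pbkdf2.ex, `String.to_existing_atom(digest)` in `verify_pass/2` still converts whatever digest name the hash string supplies, with no check against the five digests the commit message lists. An unknown name now raises `ArgumentError`, and any atom that already exists is passed on to `KeyGenerator.generate/3`. Checking the name first, e.g. `digest in ~w(sha sha224 sha256 sha384 sha512)`, and returning `false` otherwise would turn a malformed or unsupported stored hash into a failed verification rather than a crash. The parsing of `hash` and the rest of `verify_pass/2` lie outside the hunk, so confirm whether a caller already handles the raise.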
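Review bot: In lib/pleroma/workers/background_worker.ex, the `when op in [...]` guard already limits `op` to three strings, so `String.to_existing_atom(op)` adds no restriction of its own. It does make this clause depend on `:blocks_import`, `:follow_import` and `:mutes_import` already being in the atom table when the job runs. If the module that defines them (presumably `User.Import`) has not been loaded yet, which can happen with lazy code loading, the conversion raises `ArgumentError`. A literal mapping keeps the atoms in this module: `@import_ops %{"blocks_import" => :blocks_import, "follow_import" => :follow_import, "mutes_import" => :mutes_import}` with `Map.fetch!(@import_ops, op)` at the call site. The following `perform/1` clause is cut off at the end of the hunk.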
From 9138754b0acaac9714bbf12d9d00a22870b2af6e Mon Sep 17 00:00:00 2001
From: Mark Felder
Date: Wed, 14 Feb 2024 18:04:39 -0500
Subject: [PATCH 3/3] Changelog

---
 changelog.d/atom-leak.skip | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 changelog.d/atom-leak.skip

diff --git a/changelog.d/atom-leak.skip b/changelog.d/atom-leak.skip
new file mode 100644
index 000000000..e69de29bb