activitypub: verify remote http signature digests by recomputing the digest and replacing the digest header

2018-07-31 23:17:47 +00:00 · 2018-07-31 23:17:47 +00:00 · 8da406afa2
parent 2890aef9e8
commit 8da406afa2
3 changed files with 22 additions and 1 deletions
--- a/lib/pleroma/plugs/digest.ex
+++ b/lib/pleroma/plugs/digest.ex
@ -0,0 +1,10 @@
+defmodule Pleroma.Web.Plugs.DigestPlug do
+  alias Plug.Conn
+  require Logger
+
+  def read_body(conn, opts) do
+    {:ok, body, conn} = Conn.read_body(conn, opts)
+    digest = "SHA-256=" <> (:crypto.hash(:sha256, body) |> Base.encode64())
+    {:ok, body, Conn.assign(conn, :digest, digest)}
+  end
+end
--- a/lib/pleroma/plugs/http_signature.ex
+++ b/lib/pleroma/plugs/http_signature.ex
@ -19,6 +19,8 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do

    cond do
      signature && String.contains?(signature, user) ->
+        # set (request-target) header to the appropriate value
+        # we also replace the digest header with the one we computed
        conn =
          conn
          |> put_req_header(
@ -26,6 +28,14 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
            String.downcase("#{conn.method}") <> " #{conn.request_path}"
          )

+        conn =
+          if conn.assigns[:digest] do
+            conn
+            |> put_req_header("digest", conn.assigns[:digest])
+          else
+            conn
+          end
+
        assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))

      signature ->
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@ -35,7 +35,8 @@ defmodule Pleroma.Web.Endpoint do
    parsers: [:urlencoded, :multipart, :json],
    pass: ["*/*"],
    json_decoder: Jason,
-    length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit)
+    length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit),
+    body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
  )

  plug(Plug.MethodOverride)