From 916592944af8e32f2044c9acf0d57eb7991427a5 Mon Sep 17 00:00:00 2001 From: Riley Date: Fri, 3 Jul 2020 12:22:39 -0500 Subject: [PATCH] Verify activitypub payload digests (#885) --- server/Cargo.lock | 4 ++-- server/Cargo.toml | 2 +- server/src/routes/federation.rs | 12 +++++++++--- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/server/Cargo.lock b/server/Cargo.lock index c54419e1..7b0d9a88 100644 --- a/server/Cargo.lock +++ b/server/Cargo.lock @@ -1413,9 +1413,9 @@ dependencies = [ [[package]] name = "http-signature-normalization-actix" -version = "0.4.0-alpha.0" +version = "0.4.0-alpha.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09afff6987c7edbed101d1cddd2185786fb0af0dd9c06b654aca73a0a763680f" +checksum = "1c6efbc3e600cdd617585f4f15be3726c6942fb2eba3c8c79474c5d3159ad7c0" dependencies = [ "actix-http", "actix-web", diff --git a/server/Cargo.toml b/server/Cargo.toml index 8daf72c4..22507994 100644 --- a/server/Cargo.toml +++ b/server/Cargo.toml @@ -43,7 +43,7 @@ percent-encoding = "2.1.0" comrak = "0.7" openssl = "0.10" http = "0.2.1" -http-signature-normalization-actix = { version = "0.4.0-alpha.0", default-features = false, features = ["sha-2"] } +http-signature-normalization-actix = { version = "0.4.0-alpha.1", default-features = false, features = ["sha-2"] } base64 = "0.12.1" tokio = "0.2.21" futures = "0.3.5" diff --git a/server/src/routes/federation.rs b/server/src/routes/federation.rs index fe6e3365..20b5dc83 100644 --- a/server/src/routes/federation.rs +++ b/server/src/routes/federation.rs @@ -12,6 +12,8 @@ use crate::{ settings::Settings, }; use actix_web::*; +use http_signature_normalization_actix::digest::middleware::VerifyDigest; +use sha2::{Digest, Sha256}; pub fn config(cfg: &mut web::ServiceConfig) { if Settings::get().federation.enabled { @@ -38,8 +40,12 @@ pub fn config(cfg: &mut web::ServiceConfig) { .route("/comment/{comment_id}", web::get().to(get_apub_comment)), ) // Inboxes dont work with the header guard for some reason. - .route("/c/{community_name}/inbox", web::post().to(community_inbox)) - .route("/u/{user_name}/inbox", web::post().to(user_inbox)) - .route("/inbox", web::post().to(shared_inbox)); + .service( + web::scope("/") + .wrap(VerifyDigest::new(Sha256::new())) + .route("/c/{community_name}/inbox", web::post().to(community_inbox)) + .route("/u/{user_name}/inbox", web::post().to(user_inbox)) + .route("/inbox", web::post().to(shared_inbox)), + ); } } -- 2.44.1