Delete actor request is missing validation

Question

Delete actor request is missing validation

Opened this issue 2 years ago · 3 comments

There is some missing parts with validation during delete actor request processing and with simple modification it's possible to remove any actor owned by pub.

This could be done just with replacing object with correct pub actor.uri in any incoming request.

Request sample

POST /inbox HTTP/1.1
Host: .....ngrok.io
User-Agent: http.rb/5.1.0 (Mastodon/4.0.2; +https://mastodon.world/)
Content-Length: 775
Accept-Encoding: gzip
Content-Type: application/activity+json
Date: Fri, 10 Feb 2023 17:09:40 GMT
Digest: SHA-256=sToIIllPgwEKsuOW8nsX0/cS2vxhnrRkkSRCZXof5yY=
Signature: keyId="https://mastodon.world/users/ellenhoil#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="XfFuML/982h+d3Kay2sAOjrOrwW0iJX2eOQcfhXleFsMohww4euAGkjkIvX8ACN+2rM0LVTGw+YYHn0MTH+fXwy37moJbWeB54y2ElCG49i5UrUDGsi5vd48a6GMPWihcpLVrmPjmCNGdWwbu29DEEeVdIZdikHsEazgvAhUNxM0OgaW5/kn2uoy7ADCwPfXU0zuCtEkuk93T1uf7Oanbb41Zna732Q8yLjpgn5QBlCir8DeJP/+l702A/cpiTTZYWYir87S5ZSd/z9OS34I94mcwGp+dGgqkTCHTWUdvIGmdMNxPFIOQBku2xKdF5sfYI29WKFL9VOLrgenvk+nHA=="
X-Forwarded-For: ....
X-Forwarded-Proto: https

{"@context":"https://www.w3.org/ns/activitystreams","id":"https://mastodon.world/users/ellenhoil#delete","type":"Delete","actor":"https://mastodon.world/users/ellenhoil","to":["https://www.w3.org/ns/activitystreams#Public"],"object":"https://<<pub>>/u/you","signature":{"type":"RsaSignature2017","creator":"https://mastodon.world/users/ellenhoil#main-key","created":"2023-02-10T17:09:36Z","signatureValue":"hXsaRTphNXNKFu2pfJoYI+3ku54vGXsi5fZ43fj57+HFOWTboPcPRkpIXC488Cn3oVnBuJdZh20XSpHWOMzskho+MQ346loLeeTa5SCdn0qeRefUVHT3K9WdE2NyIUaGnNUerWja2b7r7lKyzQy3+WM5vIvg5mT3o9VJCynIUDSgolCoyUP5BQEf8b0cZExoayoFp7Oqx7R9y7HThr8Z4+nkmqftQTLAWbvSuz/ZEKiKKLU36hFioS6Vzda89QyPu3dUbmyPFfi2LI+C26b04u966yUCeXE3Y4QzeiNQCldbltLKt86y26UfnqzTb7o6W/i4A2luBh4x5cD/TrjNIw=="}}

Answer 1 · 2023-02-10T22:07:00.000Z

Yeah, deletes are something that confuse me. I see hundreds of them a day on my instance which can’t be validated because they are signed with the credentials of the person who’s been deleted.

Thank you for raising this, I’ll have a think about it

Answer 2 · 2023-02-11T07:50:54.000Z

Yep, I get a lot of such requests and it looks like those requests are time sensitive. I was able to fetch the key when pub got the delete account request.

Looking in the Mastodon https://github.com/mastodon/mastodon/blob/e7b81d7d9625893b1323e12215a2a98c0f19f58f/app/lib/activitypub/activity/delete.rb#L3-L10, they process delete actor action only if object.uri equals actor.uri. pub currently processes it when object is any string.

Answer 3 · 2023-02-11T08:23:48.000Z

I’m sure I can make that improvement quickly.