Require the Host header to be present for validating signatures #13

Merged

lambadalambda merged 15 commits from phnt/http_signatures:host-verification into master 2026-05-11 15:48:03 +00:00

Conversation 0 Commits 15 Files changed 6 +329 -28

phnt commented 2026-05-10 18:33:42 +00:00

Member

Copy link

From referenced issue

Pleroma doesn't validate the HOST header when verifying the http signature. This means that on some servers which aren't behind a reverse proxy, or have some other way to bypass it are vulnerable to a replay attack on activitypub endpoints.

Closes pleroma-secteam/pleroma#67

From referenced issue >Pleroma doesn't validate the HOST header when verifying the http signature. This means that on some servers which aren't behind a reverse proxy, or have some other way to bypass it are vulnerable to a replay attack on activitypub endpoints. Closes pleroma-secteam/pleroma#67

phnt added 8 commits 2026-05-10 18:33:44 +00:00

add plug to deps, update dialyxir and min elixir version ... 667d7bc4b6

Minimum Elixir version from Plug.

Add @specs and @docs to functions f898b76cd2

Log error when signature cannot be validated even after refetching key b77c529f3e

Enforce presence of (request-target) and Host headers e8263dd479

Also test split_signature func for sig with headers 9fb1b96f66

use assert true == expression in validation tests ... 599fb11786

The validation function now also can return {:error, atom()}, which when
encountered in an assert will not fail the test unless it is compared
with the intented result.

lint 7411aa0c44

Add Woodpecker CI lint and test pipelines a974132443

phnt added 1 commit 2026-05-10 20:38:56 +00:00

Do not return {:error, reason} tuple on header check failure ... 673b3f7ba2

Due to how Pleroma handles checking whether the signature check failed
or not, returning the error tuple also constitutes as a valid signature.
(Pleroma uses `cond` which matches on the first thing that does not
evaluate to false or nil and {:error, reason} passes that test.)

phnt changed title from WIP: Require the Host header to be present for validating signatures to Require the Host header to be present for validating signatures 2026-05-10 20:46:49 +00:00

lambadalambda added 5 commits 2026-05-11 15:14:04 +00:00

Accept @request-target signatures 9686e49fc2

Fix lint pipeline 0cf792ed39

Fix required header tests ea0ba6420e

Skip refetch for missing signature headers 62b0f209be

Reduce refetch guard nesting 84ff25249c

lambadalambda force-pushed host-verification from 84ff25249c to 673b3f7ba2 2026-05-11 15:16:19 +00:00 Compare

lambadalambda added 5 commits 2026-05-11 15:28:40 +00:00

Accept @request-target signatures 9686e49fc2

Fix lint pipeline 0cf792ed39

Fix required header tests ea0ba6420e

Skip refetch for missing signature headers 62b0f209be

Reduce refetch guard nesting 84ff25249c

lambadalambda added 1 commit 2026-05-11 15:43:53 +00:00

Merge master into host validation 91ffa47634

lambadalambda merged commit 12ad519d3c into master 2026-05-11 15:48:03 +00:00

lambadalambda referenced this pull request from a commit 2026-05-11 15:48:03 +00:00

Merge pull request 'Require the Host header to be present for validating signatures' (#13) from phnt/http_signatures:host-verification into master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pleroma-elixir-libraries/http_signatures!13

No description provided.