OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix
Prior to this fix, POST /api/v1/apps
could create "Mastodon-Local" app wth any redirect_uris
(creator received client_secret
in response) — this action doesn't require any authentication.
E.g.
curl --data "client_name=Mastodon-Local" --data "redirect_uris=https://hackyou.com" --data "scopes=read,write,follow" http://pleroma.dev:4000/api/v1/apps
{"website":null,"redirect_uri":"https://hackyou.com","name":"Mastodon-Local","id":"16","client_secret":"xz41G1Je49vpM5o5BfSzm9MxkGafHAWZ7cGsmDwurgo=","client_id":"9RMzL5ldu3r4o58PgL94VKia5C7kvE7wAp400XsJHUA="}
If the above happened before /web/login
is accessed for the first time then Pleroma used this externally created record assuming the following: it's internally created, the redirect_uris
is .
, client_secret
is not exposed (all in fact false in above scenario).
If the above happened after /web/login
is accessed for the first, it will (just) break the bundled Mastodon FE since the code expects exactly one record with client_name: "Mastodon-Local"
.
This MR:
- prohibits creation of apps with name
Mastodon-Local
viaPOST /api/v1/apps
. - ensures that redirect uri coming from params to
Pleroma.Web.OAuth.OAuthController.create_authorization
is one of the URIs listed inredirect_uris
of app record (assuming whitespace-delimited entries in this string field), as this check is a mandatory part of OAuth2.
Edited by Ivan Tashkinov