
OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix

Ivan Tashkinov requested to merge i1t/pleroma:oauth2_strengthening into develop

Prior to this fix, POST /api/v1/apps could create a "Mastodon-Local" app with any redirect_uris (the creator received client_secret in the response); this action doesn't require any authentication.


```shell
# <instance> is a placeholder for the Pleroma host; the endpoint is the one named above.
curl --data "client_name=Mastodon-Local" --data "redirect_uris=" --data "scopes=read,write,follow" \
     "https://<instance>/api/v1/apps"
```


If the above happened before /web/login is accessed for the first time, then Pleroma used this externally created record assuming the following: it's internally created, its redirect_uris is ".", and client_secret is not exposed (all in fact false in the above scenario).

If the above happened after /web/login is accessed for the first time, it will (just) break the bundled Mastodon FE, since the code expects exactly one record with client_name: "Mastodon-Local".

This MR:

  • prohibits creation of apps with name Mastodon-Local via POST /api/v1/apps.
  • ensures that the redirect URI coming from params to Pleroma.Web.OAuth.OAuthController.create_authorization is one of the URIs listed in redirect_uris of the app record (assuming whitespace-delimited entries in this string field), as this check is a mandatory part of OAuth2.
Edited by Ivan Tashkinov
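The two checks the MR describes, as an added stand-alone illustration in Python (constructed for this page; it is not Pleroma's code and does not use Pleroma's APIs). `App`, `RESERVED_APP_NAMES`, `register_app` and `authorize` are assumed names; the only behaviour taken from the MR is the whitespace-delimited `redirect_uris` field, the exact-match requirement, and rejecting the reserved app name. A deliberately weak prefix-match variant is included for contrast, and the authorization step shows the caveat that a request with an unregistered redirect_uri must get an error page, not a redirect.

```python
"""Illustration of OAuth2 redirect_uri validation and reserved-app-name
rejection. Constructed example; names and data are assumptions, not Pleroma's."""
from dataclasses import dataclass

# Assumption: the bundled front end's app name is reserved so that an
# unauthenticated app-registration request cannot pre-register it.
RESERVED_APP_NAMES = frozenset({"Mastodon-Local"})


@dataclass
class App:
    client_name: str
    redirect_uris: str  # single string field, whitespace-delimited (as in the MR)


def registered_redirect_uris(app: App) -> list[str]:
    """Split the stored field into individual URIs; str.split() drops blanks."""
    return app.redirect_uris.split()


def redirect_uri_allowed(app: App, requested: str) -> bool:
    """Exact full-string comparison against the registered list.

    RFC 6749 section 3.1.2.3: when a redirect URI is registered, the
    authorization server compares the complete URI. Prefix, host-only or
    substring comparisons make the endpoint an open redirector that can
    deliver authorization codes to an attacker. An empty registered list
    matches nothing.
    """
    return requested in registered_redirect_uris(app)


def redirect_uri_allowed_prefix(app: App, requested: str) -> bool:
    """Deliberately weak variant for contrast only: prefix match. Do not use."""
    return any(requested.startswith(u) for u in registered_redirect_uris(app))


def register_app(client_name: str, redirect_uris: str, apps: list[App]) -> App:
    """Model of an unauthenticated app-registration endpoint after the fix:
    the reserved name is refused before anything is stored."""
    if client_name in RESERVED_APP_NAMES:
        raise PermissionError(f"app name {client_name!r} is reserved")
    app = App(client_name=client_name, redirect_uris=redirect_uris)
    apps.append(app)
    return app


def authorize(app: App, requested_redirect_uri: str) -> tuple[str, str]:
    """Authorization-endpoint decision for a constructed request.

    Returns ("redirect", uri) when the URI is registered, else ("error", msg).
    On an invalid redirect_uri the server must inform the user-agent directly
    and must not redirect to the supplied URI (RFC 6749 section 4.1.2.1).
    """
    if not redirect_uri_allowed(app, requested_redirect_uri):
        return ("error", "invalid redirect_uri")
    return ("redirect", requested_redirect_uri)


if __name__ == "__main__":
    apps: list[App] = []
    # Constructed sample registration with two whitespace-separated URIs.
    legit = register_app(
        "Demo client", "https://client.example/cb https://client.example/cb2", apps
    )
    print(authorize(legit, "https://client.example/cb"))
    print(authorize(legit, "https://client.example.attacker.net/cb"))
    try:
        register_app("Mastodon-Local", "", apps)
    except PermissionError as exc:
        print("rejected:", exc)
```

The exact-match rule is the whole point: a registered list of `https://client.example/cb https://client.example/cb2` must accept only those two strings, and the prefix variant shows how a query string or a look-alike host slips past anything looser.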
