diff --git a/changelog.d/host-header-verification.security b/changelog.d/host-header-verification.security
new file mode 100644
index 000000000..11a0784b2
--- /dev/null
+++ b/changelog.d/host-header-verification.security
@@ -0,0 +1 @@
+Ensure Host header is present and matches instance URI
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 2bfff6968..3d1875599 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -303,7 +303,12 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
+ def inbox(
+ %{
+ assigns: %{valid_signature: true, valid_host_header: true}
+ } = conn,
+ %{"nickname" => nickname} = params
+ ) do
with {:recipient_exists, %User{} = recipient} <-
{:recipient_exists, User.get_cached_by_nickname(nickname)},
{:sender_exists, {:ok, %User{} = actor}} <-
@@ -342,7 +347,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def inbox(%{assigns: %{valid_signature: true}} = conn, params) do
+ def inbox(%{assigns: %{valid_signature: true, valid_host_header: true}} = conn, params) do
Federator.incoming_ap_doc(params)
json(conn, "ok")
end
diff --git a/lib/pleroma/web/plugs/ensure_host_matches_plug.ex b/lib/pleroma/web/plugs/ensure_host_matches_plug.ex
new file mode 100644
index 000000000..ab2129f9e
--- /dev/null
+++ b/lib/pleroma/web/plugs/ensure_host_matches_plug.ex
@@ -0,0 +1,63 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2026 Pleroma Authors
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Plugs.EnsureHostMatchesPlug do
+ @moduledoc "Ensures Host header matches instance"
+
+ alias Pleroma.Web.Endpoint
+
+ import Plug.Conn
+
+ def init(options), do: options
+
+ @spec call(Plug.Conn.t(), Plug.opts()) :: Plug.Conn.t()
+ def call(%Plug.Conn{assigns: %{valid_signature: true}} = conn, _opts) do
+ # Host header is scheme-less, URI.parse needs the //
+ host_header = get_req_header(conn, "host")
+ host_uri = URI.parse("//#{host_header}")
+ instance_uri = URI.parse(Endpoint.url())
+
+ case host_header do
+ [host] ->
+ cond do
+ host == "" ->
+ resp(conn, 400, "Host header not provided") |> halt()
+
+ true ->
+ if host_matches?(host_uri, instance_uri),
+ do: assign(conn, :valid_host_header, true),
+ else: resp(conn, 400, "Host header does not match this instance") |> halt()
+ end
+
+ [_head | _rest] ->
+ conn
+ |> resp(400, "More than one Host header provided")
+ |> halt()
+
+ [] ->
+ conn
+ |> resp(400, "Host header not provided")
+ |> halt()
+ end
+ end
+
+ # Host header may not be provided, but signature verification failed anyway
+ def call(conn, _opts), do: conn
+
+ defp case_insensitive_compare(checked, authority) do
+ String.downcase(checked) == String.downcase(authority)
+ end
+
+ # Host header did not provide port
+ # Host header is scheme-less, URI.parse does not provide default port
+ defp host_matches?(%URI{host: req_host, port: nil}, %URI{host: instance_host}),
+ do: case_insensitive_compare(req_host, instance_host)
+
+ # Host header provided a port
+ # Any port specified in the Endpoint url configuration is valid here
+ defp host_matches?(%URI{host: req_host, port: port}, %URI{host: instance_host, port: port}),
+ do: case_insensitive_compare(req_host, instance_host)
+
+ defp host_matches?(_, _), do: false
+end
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index c91ca8c97..813c5c482 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -216,6 +216,7 @@ defmodule Pleroma.Web.Router do
pipeline :http_signature do
plug(Pleroma.Web.Plugs.HTTPSignaturePlug)
plug(Pleroma.Web.Plugs.MappedSignatureToIdentityPlug)
+ plug(Pleroma.Web.Plugs.EnsureHostMatchesPlug)
end
pipeline :inbox_guard do
diff --git a/lib/pleroma/workers/signature_retry_worker.ex b/lib/pleroma/workers/signature_retry_worker.ex
index 2c4c097dd..28958faff 100644
--- a/lib/pleroma/workers/signature_retry_worker.ex
+++ b/lib/pleroma/workers/signature_retry_worker.ex
@@ -8,6 +8,7 @@ defmodule Pleroma.Workers.SignatureRetryWorker do
alias Pleroma.User
alias Pleroma.Web.ActivityPub.Utils
alias Pleroma.Web.Federator
+ alias Pleroma.Web.Plugs.EnsureHostMatchesPlug
alias Pleroma.Web.Plugs.MappedSignatureToIdentityPlug
require Logger
@@ -48,6 +49,7 @@ defmodule Pleroma.Workers.SignatureRetryWorker do
{:ok, _public_key} <- Signature.refetch_public_key(conn_data),
{:signature, true} <- {:signature, validate_signature(conn_data)},
{:same_actor, true} <- {:same_actor, validate_same_actor(conn_data)},
+ {:host_header, true} <- {:host_header, validate_host_header(conn_data)},
{:ok, res} <- Federator.perform(:incoming_ap_doc, params) do
unless Instances.reachable?(params["actor"]) do
domain = URI.parse(params["actor"]).host
@@ -103,6 +105,16 @@ defmodule Pleroma.Workers.SignatureRetryWorker do
end
end
+ defp validate_host_header(conn_data) do
+ case EnsureHostMatchesPlug.call(conn_data, []) do
+ %Plug.Conn{assigns: %{valid_signature: true, valid_host_header: true}} ->
+ true
+
+ _ ->
+ false
+ end
+ end
+
defp validate_same_actor(conn_data) do
case MappedSignatureToIdentityPlug.call(conn_data, []) do
%Plug.Conn{assigns: %{valid_signature: true}} ->
@@ -170,6 +182,10 @@ defmodule Pleroma.Workers.SignatureRetryWorker do
{:same_actor, false} ->
{:cancel, :actor_signature_mismatch}
+ # Host header from request not for us
+ {:host_header, false} ->
+ {:cancel, :host_header_mismatch}
+
# Origin / URL validation failed somewhere possibly due to spoofing
{:error, :origin_containment_failed} ->
{:cancel, :origin_containment_failed}
@@ -234,6 +250,7 @@ defmodule Pleroma.Workers.SignatureRetryWorker do
defp log_signature_retry_rejection({:cancel, reason}, context)
when reason in [
:actor_signature_mismatch,
+ :host_header_mismatch,
:invalid_signature,
:invalid_signature_retry_metadata,
:missing_signature_retry_metadata,
diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
index 3988c3912..68e39b3a0 100644
--- a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
@@ -950,6 +950,50 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
refute Activity.get_by_ap_id(data["id"])
end
+ test "does not process post with Host header not for us", %{conn: conn} do
+ alice = insert(:user, local: false, ap_id: "https://one.com/users/alice")
+ object_id = "https://one.com/objects/inbox-forged-note"
+
+ data = %{
+ "type" => "Create",
+ "actor" => alice.ap_id,
+ "id" => "https://one.com/activities/inbox-forged-create",
+ "context" => "https://one.com/contexts/inbox-forged-create",
+ "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+ "cc" => [],
+ "object" => %{
+ "type" => "Note",
+ "id" => object_id,
+ "actor" => alice.ap_id,
+ "attributedTo" => alice.ap_id,
+ "context" => "https://one.com/contexts/inbox-forged-create",
+ "content" => "forged post",
+ "published" => "2024-07-25T13:33:31Z",
+ "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+ "cc" => []
+ }
+ }
+
+ # Plug will complain when replacing raw host header with put_req_header.
+ # The Plug way is updating conn.host, but that isn't the raw header
+ # and that isn't used in the EnsureHostMatchesPlug, because it doesn't include the port.
+ conn =
+ conn
+ |> assign_valid_signature_for_actor(alice)
+ |> delete_req_header("host")
+ |> put_req_header("content-type", "application/activity+json")
+
+ conn = %{conn | req_headers: conn.req_headers ++ [{"host", "invalid.example.com"}]}
+ conn = post(conn, "/inbox", data)
+
+ assert "Host header does not match this instance" == conn.resp_body
+ assert 400 == conn.status
+ assert true == conn.halted
+
+ refute Activity.get_by_ap_id(data["id"])
+ refute Object.get_by_ap_id(object_id)
+ end
+
test "accept follow activity", %{conn: conn} do
clear_config([:instance, :federating], true)
relay = Relay.get_actor()
diff --git a/test/pleroma/web/plugs/ensure_host_matches_plug_test.exs b/test/pleroma/web/plugs/ensure_host_matches_plug_test.exs
new file mode 100644
index 000000000..8ace74dfb
--- /dev/null
+++ b/test/pleroma/web/plugs/ensure_host_matches_plug_test.exs
@@ -0,0 +1,121 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2026 Pleroma Authors
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Plugs.EnsureHostMatchesPlugTest do
+ use Pleroma.Web.ConnCase
+
+ alias Pleroma.Web.Endpoint
+ alias Pleroma.Web.Plugs.EnsureHostMatchesPlug
+
+ import Plug.Conn
+ import Tesla.Mock
+
+ setup do
+ mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
+ :ok
+ end
+
+ defp set_host(conn, host), do: %{conn | req_headers: conn.req_headers ++ [{"host", host}]}
+
+ describe "EnsureHostMatchesPlug" do
+ setup do
+ conn = build_conn(:post, "/cofe") |> assign(:valid_signature, true)
+ [conn: conn]
+ end
+
+ test "gracefully handles no Host header", %{conn: conn} do
+ conn = EnsureHostMatchesPlug.call(conn, %{})
+
+ assert conn.status == 400
+ assert conn.halted == true
+ assert conn.resp_body == "Host header not provided"
+ end
+
+ test "gracefully handles empty Host header", %{conn: conn} do
+ conn =
+ conn
+ |> set_host("")
+ |> EnsureHostMatchesPlug.call(%{})
+
+ assert conn.status == 400
+ assert conn.halted == true
+ assert conn.resp_body == "Host header not provided"
+ end
+
+ test "it rejects Host header not matching Endpoint URL", %{conn: conn} do
+ conn =
+ conn
+ |> set_host("invalid.example.com")
+ |> EnsureHostMatchesPlug.call(%{})
+
+ assert conn.status == 400
+ assert conn.halted == true
+ assert conn.resp_body == "Host header does not match this instance"
+ end
+
+ test "it rejects Host header not matching Endpoint with port", %{conn: conn} do
+ endpoint = URI.parse(Endpoint.url())
+
+ conn =
+ conn
+ |> set_host("invalid.example.com:#{endpoint.port}")
+ |> EnsureHostMatchesPlug.call(%{})
+
+ assert conn.status == 400
+ assert conn.halted == true
+ assert conn.resp_body == "Host header does not match this instance"
+ end
+
+ test "it rejects Host header not matching Endpoint port", %{conn: conn} do
+ endpoint = URI.parse(Endpoint.url())
+
+ conn =
+ conn
+ |> set_host("#{endpoint.host}:25")
+ |> EnsureHostMatchesPlug.call(%{})
+
+ assert conn.status == 400
+ assert conn.halted == true
+ assert conn.resp_body == "Host header does not match this instance"
+ end
+
+ test "it rejects multiple Host headers", %{conn: conn} do
+ conn =
+ conn
+ |> set_host("host1.example.com")
+ |> set_host("host2.example.com")
+ |> EnsureHostMatchesPlug.call(%{})
+
+ assert conn.status == 400
+ assert conn.halted == true
+ assert conn.resp_body == "More than one Host header provided"
+ end
+
+ test "it works for Host header without port", %{conn: conn} do
+ endpoint = URI.parse(Endpoint.url())
+
+ conn =
+ conn
+ |> set_host("#{endpoint.host}")
+ |> EnsureHostMatchesPlug.call(%{})
+
+ assert conn.halted == false
+ assert Map.get(conn.assigns, :valid_host_header, nil)
+ end
+
+ test "it works for Host header with port same as Endpoint", %{
+ conn: conn
+ } do
+ endpoint = URI.parse(Endpoint.url())
+
+ conn =
+ conn
+ |> set_host("#{endpoint.host}:#{endpoint.port}")
+ |> EnsureHostMatchesPlug.call(%{})
+
+ assert conn.halted == false
+ assert Map.get(conn.assigns, :valid_host_header, nil)
+ end
+ end
+end
diff --git a/test/pleroma/workers/signature_retry_worker_test.exs b/test/pleroma/workers/signature_retry_worker_test.exs
index 94dd5f6c1..3806ecac9 100644
--- a/test/pleroma/workers/signature_retry_worker_test.exs
+++ b/test/pleroma/workers/signature_retry_worker_test.exs
@@ -16,12 +16,13 @@ defmodule Pleroma.Workers.SignatureRetryWorkerTest do
alias Pleroma.Signature
alias Pleroma.User
alias Pleroma.Web.ActivityPub.UserView
+ alias Pleroma.Web.Endpoint
alias Pleroma.Web.Federator
alias Pleroma.Workers.SignatureRetryWorker
defp signature_headers_for(%User{} = signer) do
[
- {"host", "local.test"},
+ {"host", "#{URI.parse(Endpoint.url()).host}"},
{"date", "Thu, 25 Jul 2024 13:33:31 GMT"},
{"digest", "SHA-256=fake-digest"},
{"content-type", "application/activity+json"},
@@ -245,6 +246,66 @@ defmodule Pleroma.Workers.SignatureRetryWorkerTest do
refute Activity.get_by_ap_id(create["id"])
end
+ test "cancels when the Host header does not match Endpoint" do
+ alice = insert(:user, local: false, ap_id: "https://one.com/users/alice")
+
+ create = %{
+ "type" => "Create",
+ "actor" => alice.ap_id,
+ "id" => "https://one.com/activities/invalid-signature-create",
+ "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+ "cc" => [],
+ "object" => %{
+ "type" => "Note",
+ "id" => "https://one.com/objects/invalid-signature-note",
+ "actor" => alice.ap_id,
+ "attributedTo" => alice.ap_id,
+ "content" => "forged post",
+ "published" => "2024-07-25T13:33:31Z",
+ "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+ "cc" => []
+ }
+ }
+
+ expect_signature_from(alice)
+
+ headers =
+ [
+ {"host", "invalid.example.com"},
+ {"date", "Thu, 25 Jul 2024 13:33:31 GMT"},
+ {"digest", "SHA-256=fake-digest"},
+ {"content-type", "application/activity+json"},
+ {
+ "signature",
+ "keyId=\"#{alice.ap_id}#main-key\",algorithm=\"rsa-sha256\",headers=\"(request-target) host date digest content-type\",signature=\"fake-signature\""
+ }
+ ]
+
+ assert {:ok, oban_job} =
+ Federator.incoming_failed_signature_ap_doc(%{
+ method: "POST",
+ req_headers: headers,
+ request_path: "/inbox",
+ params: create,
+ query_string: ""
+ })
+
+ log =
+ capture_log([level: :warning], fn ->
+ assert {:cancel, :host_header_mismatch} = SignatureRetryWorker.perform(oban_job)
+ end)
+
+ assert log =~ "Failed-signature inbox retry rejected"
+ assert log =~ "reason=:host_header_mismatch"
+ assert log =~ "payload_actor=\"https://one.com/users/alice\""
+ assert log =~ "signature_actor=\"https://one.com/users/alice\""
+ assert log =~ "activity_id=\"https://one.com/activities/invalid-signature-create\""
+ assert log =~ "type=\"Create\""
+ assert log =~ "request_path=\"/inbox\""
+
+ refute Activity.get_by_ap_id(create["id"])
+ end
+
test "processes the activity after refetching a valid matching signature" do
alice = insert(:user, local: false, ap_id: "https://one.com/users/alice")
@@ -309,11 +370,11 @@ defmodule Pleroma.Workers.SignatureRetryWorkerTest do
"content-type" => "application/activity+json",
date: date,
digest: digest,
- host: "local.test"
+ host: "#{URI.parse(Endpoint.url()).host}"
})
req_headers = [
- ["host", "local.test"],
+ ["host", "#{URI.parse(Endpoint.url()).host}"],
["date", date],
["digest", digest],
["content-type", "application/activity+json"],
diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex
index f010fec33..c01516169 100644
--- a/test/support/conn_case.ex
+++ b/test/support/conn_case.ex
@@ -119,7 +119,10 @@ defmodule Pleroma.Web.ConnCase do
DataCase.stub_pipeline()
Mox.verify_on_exit!()
+ endpoint = URI.parse(Pleroma.Web.Endpoint.url())
+ conn = Phoenix.ConnTest.build_conn()
+ conn = %{conn | req_headers: [{"host", "#{endpoint.host}:#{endpoint.port}"}]}
- {:ok, conn: Phoenix.ConnTest.build_conn()}
+ {:ok, conn: conn}
end
end