Mirror of https://codeberg.org/forgejo/forgejo, synced 2024-11-26 11:46:09 +01:00
# Threat analysis for the federated star activity

## Technical Background

### Control Flow
```mermaid
sequenceDiagram
participant fs as foreign_repository_server
participant os as our_repository_server
fs ->> os: post /api/activitypub/repository-id/1/inbox {Star-Activity}
activate os
os ->> os: validate request inputs
activate repository
os ->> repository: validate
repository ->> repository: search for repo with object-id
deactivate repository
activate person
os ->> person: validate
person ->> person: search for user with actor-id
person ->> fs: get /api/activitypub/user-id/{id from actor}
person ->> person: create user from response
deactivate person
os ->> repository: execute star action
os -->> fs: 200 ok
deactivate os
```
### Data transferred
```
# edn notation
{@context [
"as": "https://www.w3.org/ns/activitystreams#",
"forge": "https://forgefed.org/ns#",],
::as/id "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1/outbox/12345",
::as/type "Star",
::forge/source "forgejo",
::as/actor "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1",
::as/object "https://codeberg.org/api/v1/activitypub/repository-id/12"
}

# json notation
{"id": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1/outbox/12345",
"type": "Star",
"source": "forgejo",
"actor": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1",
"object": "https://codeberg.org/api/v1/activitypub/repository-id/1"
}
```
### Data Flow

```mermaid
flowchart TD
A(User) --> |stars a federated repository| B(foreign repository server)
B --> |Star Activity| C(our repository server)
C --> |get repository locally| D(our repos database)
C --> |get Person Actor| B
C --> |create federated user locally| D
C --> |add star to repo locally| D
```
## Analysis

### Assets
- Service Availability: The availability of our or foreign servers.
- Reputation: Our standing with friends and others.
### Actors
- Script Kiddies: Bored teens, willing to do something illegal, without deep knowledge of technical details but with broad knowledge gathered from internet discussions. Able to do some bash / python scripting.
- Experienced Hacker: Hacker with deep technical knowledge.
### Threat
- A script kiddie sends a Star Activity containing an attack actor URL `http://attacked.target/very/special/path` in place of the actor. Our repository server sends a `get Person Actor` request to this URL. The attacked target suffers a denial of service. We lose CPU & reputation.
- An experienced hacker sends a Star Activity containing an actor URL pointing to an evil forgejo instance. Our repository server sends a `get Person Actor` request to this instance and gets back a person with something like `; drop database;` in its name. If our server tries to create a new user out of this person, the db might be dropped.
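One way to turn the two threats above into concrete input checks, as an added Go example that is not Forgejo's own code: the actor URL is checked before the `get Person Actor` request is sent, and the remote person's name is checked before a local federated user is created. The actor path shape, the name allow-list and the injected DNS lookup function are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// Path shape of a Person actor URL as used in this document (an assumption, not Forgejo's own rule).
var actorPath = regexp.MustCompile(`^/api/v1/activitypub/user-id/[0-9]+$`)

// ValidateActorURL runs before the "get Person Actor" request (threat 1): only https, only the
// Person actor path shape, and only hosts resolving to public addresses, so the inbox cannot be
// used to aim our outbound request at an arbitrary target. lookup is injected for offline testing.
func ValidateActorURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("actor URL %q must use https", raw)
	}
	if !actorPath.MatchString(u.Path) {
		return fmt.Errorf("actor URL %q is not a Person actor path", raw)
	}
	ips, err := lookup(u.Hostname())
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("actor host %q does not resolve", u.Hostname())
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return fmt.Errorf("actor host %q resolves to non-public address %s", u.Hostname(), ip)
		}
	}
	return nil
}

// Allow-list for names copied from a remote Person before a federated user is created locally
// (threat 2). Parameterized queries are the real defense against "; drop database;"; this check
// is defense in depth and also keeps junk out of the local user table.
var userName = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._-]{0,39}$`)

func ValidatePersonName(name string) error {
	if !userName.MatchString(name) {
		return fmt.Errorf("unacceptable remote user name %q", name)
	}
	return nil
}
```

In production the outbound request also needs a timeout and a response size limit, since the checks above only bound where the request goes, not how long the remote side can hold the connection.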
### DREAD-Score

| Threat | Damage | Reproducibility | Exploitability | Affected Users | Discoverability | Mitigations |
|---|---|---|---|---|---|---|
| 1. | ... tbd | | | | | |
| 2. | ... tbd | | | | | |
Scores are given as school grades from 1 - 6

- Damage – how big would the damage be if the attack succeeds? 6 is very severe damage.
- Reproducibility – how easily could the attack be reproduced? 6 is very easy to reproduce.
- Exploitability – how much time, effort and experience are needed to exploit the threat? 6 is very easy to do.
- Affected Users – if a threat were exploited, what percentage of users would be affected?
- Discoverability – how easily can an attack be discovered? Does the attacker have to expect prosecution? 6 is very hard to discover / is not illegal at all.