~tsileo/microblog.pub#155: communication with flohmarkt doesn't work

microblog.pub version 2.0.0+ynh1.

The communication with the software flohmarkt doesn't work: lookup of users or notes is not possible.

Issue at flohmarkt can be found here.

I'll provide more information later - if someone cares to try, a list of flohmarkt instances can be found here.

The instance I tried to contact is located at https://flohmarkt.ween.de/.

Status
REPORTED
Submitter
~chrichri
Assigned to
No-one
Submitted
5 months ago
Updated
5 months ago
Labels
No labels applied.

~chrichri 5 months ago

My microblog.pub runs on the same host as the nginx https server for flohmarkt.ween.de.

Looking at the logs I found that in ./app/utils/url.py in def is_url_valid there is a check ipaddress.ip_address(ip_address).is_private that makes my URL fail, because the IP is 127.0.0.1.

I circumvented this for now by adding a block to allow my local URL like this:

import ipaddress
import logging
import socket
from urllib.parse import urlparse

logger = logging.getLogger(__name__)
DEBUG = False

def is_url_valid(url: str) -> bool:
    """Implements basic SSRF protection."""
    parsed = urlparse(url)
    if parsed.scheme not in ["http", "https"]:
        logger.warning(f"{parsed.scheme} is not http(s)")
        return False

    # XXX in debug mode, we want to allow requests to localhost to test the
    # federation with local instances
    if DEBUG:  # pragma: no cover
        return True

    # a URL without a hostname is never valid (must not fall into the allow-list below)
    if not parsed.hostname:
        return False

    # workaround: the local flohmarkt resolves to 127.0.0.1 on this host
    if parsed.hostname.lower() in ["flohmarkt.ween.de"]:
        logger.warning(f"{parsed.hostname} is my local flohmarkt")
        return True

    # remaining upstream checks: resolve the host and reject private IPs
    ip_address = socket.getaddrinfo(parsed.hostname, parsed.port or 80)[0][4][0]
    return not ipaddress.ip_address(ip_address).is_private

To solve this on dns/network basis would be quite complicated.

The same issue may arise if on the same host a different ActivityPub software is running, like e.g. Mastodon.

My suggestion to solve this problem would be to read a configuration that includes a list of local fqdns that are allowed to resolve to 127.0.0.1 or a private IP.

I'd appreciate any thoughts on this before I'd try to provide a PR for my suggestion.
