Merge branch 'security/digest-signature-validation' into 'develop'

digest signature validation

See merge request pleroma/pleroma!260

2 files changed, 9 insertions, 2 deletions

diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
index 464832a1e..90a39ce69 100644
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -641,8 +641,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
     Logger.info("Federating #{id} to #{inbox}")
     host = URI.parse(inbox).host
 
+    digest = "SHA-256=" <> (:crypto.hash(:sha256, json) |> Base.encode64())
+
     signature =
-      Pleroma.Web.HTTPSignatures.sign(actor, %{host: host, "content-length": byte_size(json)})
+      Pleroma.Web.HTTPSignatures.sign(actor, %{
+        host: host,
+        "content-length": byte_size(json),
+        digest: digest
+      })
 
     @httpoison.post(
       inbox,
diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index 1a012c1b4..cbedca004 100644
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -35,7 +35,8 @@ defmodule Pleroma.Web.Endpoint do
     parsers: [:urlencoded, :multipart, :json],
     pass: ["*/*"],
     json_decoder: Jason,
-    length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit)
+    length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit),
+    body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
   )
 
   plug(Plug.MethodOverride)