Question re: Origin Based Security Model (FEP-fe34)
-
I received a security vulnerability report regarding NodeBB’s handling of
UpdateandDeleteactivities.tl;dr
- NodeBB implementes FEP fe34, and treats
UpdateandDeleteactivities as valid if the activity’sactorand the object’sattributedTodiffer but the origins are identical. - e.g.
@alice@example.orgis allowed to federateDelete(Note)on@bob@example.org’sNote. - The origin-based security model allows for moderator-style actions (third-party post editing and deletions) in the absence of explicit moderator claims.
- The reporter disagrees that this should be allowed.
Are they right?
I responded that FEP fe34 allows for this behaviour because we do not have ready access to an instance’s admin or moderator list. By conducting same-origin checks and allowing
UpdateandDeletethrough for same-origin (but different identifier), we allow for moderators to federate their actions across instances.Their response:
> I respectfully disagree that FEP-fe34 permits this behavior. Below are direct quotes from the specification that contradict your assessment.
>
> 1. ActivityPub spec (quoted in FEP-fe34 Rationale, Section 7.3 Update Activity):
>
> ▎ “The receiving server MUST take care to be sure that the Update is authorized to modify its object. At minimum, this may be done by ensuring that the Update and its object are of same origin.”
>
> Note: “at minimum” means same-origin is the floor, not the ceiling. Authorization must still be verified.
>2. FEP-fe34 — Authorization > Ownership:
>
> ▎ “The actor that creates an object MUST be its owner.”
> ▎ “The owner of an object is permitted to modify and delete it.”
> ▎ “Update and Delete activities, and objects indicated by their object property are expected to have the same owner.”
>
> “Same owner” means the same specific actor — not any actor on the same domain.I responded back with the following:
> “The actor that creates an object MUST be its owner.”
>
>
> Correct, the creator must be an owner, no impersonation allowed.
>
>
> “The owner of an object is permitted to modify and delete it.”
>
>
> A strict reading of this does not preclude the ability of a same-origin moderator to modify and delete the object. This is my argument.
>
>
> “Update and Delete activities, and objects indicated by their object property are expected to have the same owner.”
>
>
> Again, “expected to” does not rise to the level of MUST.
>
> I agree out of principle that the security implications exist, but if you follow through with the exploit, it requires a non-compliant server to allow users to publish Update and Delete for other users on the same instance, and even then the exposure is limited to users of that origin only (e.g. your server cannot arbitrarily delete my posts). This is the foundation of the Origin-based security model.So we are at an impasse as to whether my strict reading of the FEP is adherent to the spirit of the FEP itself. Here’s where you come in… do you agree with me, or the reporter?
Directly tagging @silverpill@mitra.social (as FEP author), @trwnh@mastodon.social and @evan@cosocial.ca (both subject matter experts) for their thoughts.
- NodeBB implementes FEP fe34, and treats
-
I received a security vulnerability report regarding NodeBB’s handling of
UpdateandDeleteactivities.tl;dr
- NodeBB implementes FEP fe34, and treats
UpdateandDeleteactivities as valid if the activity’sactorand the object’sattributedTodiffer but the origins are identical. - e.g.
@alice@example.orgis allowed to federateDelete(Note)on@bob@example.org’sNote. - The origin-based security model allows for moderator-style actions (third-party post editing and deletions) in the absence of explicit moderator claims.
- The reporter disagrees that this should be allowed.
Are they right?
I responded that FEP fe34 allows for this behaviour because we do not have ready access to an instance’s admin or moderator list. By conducting same-origin checks and allowing
UpdateandDeletethrough for same-origin (but different identifier), we allow for moderators to federate their actions across instances.Their response:
> I respectfully disagree that FEP-fe34 permits this behavior. Below are direct quotes from the specification that contradict your assessment.
>
> 1. ActivityPub spec (quoted in FEP-fe34 Rationale, Section 7.3 Update Activity):
>
> ▎ “The receiving server MUST take care to be sure that the Update is authorized to modify its object. At minimum, this may be done by ensuring that the Update and its object are of same origin.”
>
> Note: “at minimum” means same-origin is the floor, not the ceiling. Authorization must still be verified.
>2. FEP-fe34 — Authorization > Ownership:
>
> ▎ “The actor that creates an object MUST be its owner.”
> ▎ “The owner of an object is permitted to modify and delete it.”
> ▎ “Update and Delete activities, and objects indicated by their object property are expected to have the same owner.”
>
> “Same owner” means the same specific actor — not any actor on the same domain.I responded back with the following:
> “The actor that creates an object MUST be its owner.”
>
>
> Correct, the creator must be an owner, no impersonation allowed.
>
>
> “The owner of an object is permitted to modify and delete it.”
>
>
> A strict reading of this does not preclude the ability of a same-origin moderator to modify and delete the object. This is my argument.
>
>
> “Update and Delete activities, and objects indicated by their object property are expected to have the same owner.”
>
>
> Again, “expected to” does not rise to the level of MUST.
>
> I agree out of principle that the security implications exist, but if you follow through with the exploit, it requires a non-compliant server to allow users to publish Update and Delete for other users on the same instance, and even then the exposure is limited to users of that origin only (e.g. your server cannot arbitrarily delete my posts). This is the foundation of the Origin-based security model.So we are at an impasse as to whether my strict reading of the FEP is adherent to the spirit of the FEP itself. Here’s where you come in… do you agree with me, or the reporter?
Directly tagging @silverpill@mitra.social (as FEP author), @trwnh@mastodon.social and @evan@cosocial.ca (both subject matter experts) for their thoughts.
My thoughts:
I don’t necessarily think FEP fe34 is strict enough to be a guiding principle for security across federated instances. The reporter said:
> “at minimum” means same-origin is the floor, not the ceiling.
… and he’s right, there’s more you should do to verify that only the owner or a designated moderator can update and delete an object.
However we don’t have a widely-used ability to determine who the moderators or admins are for any given instance. Mastodon may have an endpoint (in their API), threadiverse software use their own (as directed by 1b12, and even then it’s optional), other software <img class=“not-responsive emoji” src=“https://activitypub.space/assets/plugins/nodebb-plugin-emoji/emoji/android/1f937.png?v=f187f9278b7” title=“
” /> ?So we fall back to origin-based security model and hand off the responsibility of determining who can and cannot alter somebody else’s objects to the sending server.
That’s a risk we take with this model. Not sure if there is more that can be done to tighten this up.
- NodeBB implementes FEP fe34, and treats
-
N nodebb@fosstodon.org shared this topic
