other.li Forum

hazelnoot@enby.life
@hazelnoot@enby.life

Posts: 19
Topics: 5
Shares: 0
Groups: 0
Followers: 0
Following: 0

Posts


  • think I have heat stroke
    hazelnoot@enby.life

    I hate this heat wave

    Uncategorized

  • think I have heat stroke
    hazelnoot@enby.life

    think I have heat stroke

    Uncategorized

  • I introduced a bug by mistake, but I think I like it better this way
    hazelnoot@enby.life

    for context, I made the little "online users" counter include remote users, so instead of just enby.life it shows activity of my entire local bubble. Which is kinda neat!

    Uncategorized

  • I introduced a bug by mistake, but I think I like it better this way
    hazelnoot@enby.life

    I introduced a bug by mistake, but I think I like it better this way

    Uncategorized

  • we love windows updates that wipe out the entire list of saved wifi credentials /s 🙄
    hazelnoot@enby.life

    oh it also loaded a bunch of fresh bloatware apps, very cool...

    Uncategorized

  • we love windows updates that wipe out the entire list of saved wifi credentials /s 🙄
    hazelnoot@enby.life

    we love windows updates that wipe out the entire list of saved wifi credentials /s 🙄

    Uncategorized

  • Hi friends!
    hazelnoot@enby.life

    Hi friends!

    I want to tell you all about a new thing I'm trying, where I'll accept bounties to work on specific features or bug fixes for Sharkey. If there's something you really want implemented, then you can make a donation and I'll prioritize that work over whatever other ticket I was going to work on.

    To be clear, this is an agreement to work on a particular project, not a promise to finish it! I'll dedicate a certain amount of time to the work based on the size of the donation, and if I finish the work - then great! If not, I'll upload my progress to a branch to either finish later or hand off to another interested party. I may choose to complete the work anyway if it's something that I also want, but that's not a guarantee!

    Pricing is in loose terms because tracking my hours or committing to deadlines will take all the fun out of everything. Sorry if that's an issue, but I'm not willing to negotiate on this. I will make sure not to "count it" if I don't actually get much work done, so don't worry about picking a bad week and wasting your money. If I don't manage enough work when I initially plan to, then I'll just save my progress and resume when I have more time.

    Time slots are broken down like this:
    • $20 - I work on my lunch break. This is usually about an hour, so I probably won't complete a whole ticket unless it's something small.
    • $30 - I dedicate an evening or two. The exact number of hours varies, but it's usually 2-4 per evening. I'll aim for at least 3 hours in total.
    • $50 - It's my weekend project. Again, my availability varies - but sometimes I spend 12+ hours between Saturday and Sunday.
    • $100 - This is my focus for the week. I won't devote any more Sharkey time than I would normally, but all of that time is devoted to this work item.

    If this sounds like something you'd like, then please reply or send a DM! For this first trial phase, I've picked a curated list of tickets that I'm willing to work on. Assuming everything goes well, I'll add more options and open up the possibility of working on brand new ideas too. I hope this can be a good deal for everyone!

    ---

    Ticket options:

    • #499 - enhancement: Context menu button for muting the instance of a post
    • #548 - enhancement: Admin feature: Ability to safely reset MFA for end users
    • #675 - enhancement: API Endpoint for validating scoped tokens, returning a list of assigned scopes
    • #746 - bug: When editing a quote, the "quote" indicator and button are not aligned
    • #836 - enhancement: Log IP Address of Registrants
    • #910 - enhancement: Allow moderators to set a content warning on any post
    • #943 - enhancement: Allow moderators to force a content warning for all posts by an instance
    • #953 - enhancement: Investigate a better on-disk structure for drive files
    • #997 - enhancement: Increase options for number of poll options
    • #1001 - enhancement: Add option to delete all users from remote instance
    • #1002 - bug: "Force Content Warning" does not apply to boosts
    • #1008 - bug: Search menu does not lookup url containing emoji
    • #1034 - enhancement: Multi select for adding notes to clips
    • #1039 - enhancement: Add change UI language when logged out
    • #1040 - enhancement: Hide alt-text
    • #1065 - enhancement: Option to hide note that are replies to a reply of a note
    • #1069 - bug: Send abuse reports to contact email
    • #1070 - enhancement: Translate Content Warning
    • #1071 - enhancement: Translate Alt Text
    • #1072 - enhancement: Allow user to specify the source language for translation
    • #1076 - enhancement: Support multiple hosts for email delivery
    • #1106 - bug: Dont mark post as long for just including certain mfm
    • #1110 - enhancement: Allow admins to change bio length limit

    ---

    Clarifications and Disclaimers:

    1. As stated above, this is not a promise to complete any work item! I'll put effort in - that's the only guarantee.
    2. This is not a contract of employment or payment for services.
    3. If something "important" comes up, then I may pause your work item to focus on that. Think urgent bugs, security issues, or project management responsibilities. This won't count against the promised effort.
    4. If multiple donations are made around the same time, then I'll complete them in order of submission.
    5. If a work item is completed before I get to your request, then I'll offer the chance to select another ticket instead.
    6. You're welcome to ask how long I expect a particular item to take! I may not answer in hours, but I can give a relative estimate of complexity.

    #Sharkey #FediDevs #FediDev #SoftwareDev

    Uncategorized sharkey fedidevs fedidev softwaredev

  • #Sharkey #Support
    hazelnoot@enby.life

    @natty@astolfo.social @monkee@other.li @monkee@forum.other.li This is actually a well-known problem with ActivityPub, which is why all decent implementations have a filter for private IP ranges.

    Fediverse with #Sharkey sharkey support

  • #Sharkey #Support
    hazelnoot@enby.life

    @natty@astolfo.social @monkee@other.li @monkee@forum.other.li sorry I forgot the word lol

    Fediverse with #Sharkey sharkey support

  • #Sharkey #Support
    hazelnoot@enby.life

    @natty@astolfo.social @monkee@other.li @monkee@forum.other.li yes, it's a type of SSRF

    Fediverse with #Sharkey sharkey support

  • #Sharkey #Support
    hazelnoot@enby.life

    @monkee@other.li @monkee@forum.other.li there's also a related attack that allows an attacker to make POST requests to a private IP range, but it's substantially harder to pull off and is unlikely to work except in contrived cases. I'm not even sure how to write an example for it.

    Fediverse with #Sharkey sharkey support

  • #Sharkey #Support
    hazelnoot@enby.life

    @monkee@other.li @monkee@forum.other.li Sorry, I'm not great at explaining things. Let me lay it out like this, maybe it will make more sense:

    - Alice (victim) has an instance alice.com. Located on the same machine is her personal file store, which has a web interface. The web interface is unauthenticated, so it listens on http://localhost:8080 and a reverse-proxy handles authentication.
    - Mal (attacker) wants access to Alice's files. She already has an instance mal.com, so she adds a DNS A record for evil.mal.com which resolves to 127.0.0.1.
    - Mal sends an ActivityPub Create(Note) activity to https://alice.com/inbox, making sure to include a media attachment with URL http://evil.mal.com:8080/api/list-files.
    - Alice's instance processes the activity and finds the attachment URL. The media proxy component takes the media URL and resolves the domain, checking the returned 127.0.0.1 against the value of allowedPrivateAddresses. This check passes because 127.0.0.1/32 is included in the list, so the media proxy makes a GET request to http://127.0.0.1:8080/api/list-files. This of course hits the API endpoint, returning some JSON with the file index. No authentication is required because this bypasses the reverse-proxy.
    - The media server reads the Content-Type header and determines that application/json should be attached as a binary file, thus preserving it unmodified. The JSON is copied to Sharkey's local file store and given a UUID. The saved API response is then publicly accessible under the URL https://alice.com/files/{uuid}.
    - Mal still doesn't know the file UUID, but that's easy to discover. She accesses https://alice.com/@mal@mal.com and scrolls to her latest post, which will include https://alice.com/files/{uuid} as the attachment URL. She downloads it and receives the file index.
    - Now having a list of all files and exact URLs, she repeats the attack N times but with /api/list-files replaced with /media/{id}. Each activity she sends will then leak up to 16 media files, which allows her to quickly scrape Alice's entire file collection.

    Note: this is described in terms of Sharkey instances, but works against any ActivityPub server where the private IP check is either missing or disabled by the admin.

    Fediverse with #Sharkey sharkey support

  • #Sharkey #Support
    hazelnoot@enby.life

    @monkee@other.li @monkee@forum.other.li no worries! Please feel free to reach out if you have more questions. I (fortunately / unfortunately) have a lot of experience with Sharkey's security model and requirements

    Fediverse with #Sharkey sharkey support

  • #Sharkey #Support
    hazelnoot@enby.life

    @monkee@other.li @monkee@forum.other.li yes, but it exposes the entire machine. An attacker can set a DNS record that resolves to your private IP range, and then reference that domain as a media attachment. Then they federate the post to your instance and the media server downloads that URL (which resolves to the internal IP) and attaches it to the post. Finally, they go to the copy of the post on your instance and download the attachment, which contains whatever private data was there.

    The impact is less severe when it's only the one IP, but you should still take the time to make sure nothing sensitive is accessible over localhost.

    Fediverse with #Sharkey sharkey support
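The private-address filter that the two posts above describe (the short "DNS record pointing at your private range" description, and the longer Alice/Mal walkthrough where a permissive allowedPrivateAddresses lets the media proxy fetch http://127.0.0.1:8080), written out as an added TypeScript example. This is not Sharkey's code and not code from any post on this page. It assumes a setting named allowedPrivateAddresses holding admin-approved CIDR or literal entries (the name is taken from the post; the shape is an assumption), and it stands in for DNS with a constructed lookup table so it runs offline.

```typescript
// Added example, not Sharkey's own code: a fail-closed SSRF guard for
// attachment URLs taken from inbound ActivityPub activities.
// The remote actor controls both the URL and the DNS zone behind it, so the
// decision is made on the resolved addresses, never on the hostname string.

// Synchronous so the example runs offline; a real resolver wraps dns.promises.
type Resolver = (hostname: string) => string[];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
export function ipv4ToInt(ip: string): number | null {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr4(ip: number, cidr: string): boolean {
  const [base, bits] = cidr.split('/');
  const baseInt = ipv4ToInt(base);
  if (baseInt === null) return false;
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ip & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Expand any textual IPv6 form (compressed "::", embedded IPv4 tail) into 8 hextets.
export function parseIpv6(ip: string): number[] | null {
  let s = ip.toLowerCase();
  if (s.includes('.')) {
    // "::ffff:127.0.0.1": rewrite the dotted tail as two hextets.
    const cut = s.lastIndexOf(':') + 1;
    const v4 = ipv4ToInt(s.slice(cut));
    if (v4 === null) return null;
    s = s.slice(0, cut) + (v4 >>> 16).toString(16) + ':' + (v4 & 0xffff).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...new Array<string>(missing).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map(g => parseInt(g, 16));
}

const PRIVATE_V4 = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
  '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4'];

// True for loopback, RFC 1918, CGNAT, link-local, multicast, ULA, IPv4-mapped IPv6
// pointing at any of those, and for anything that does not parse (fail closed).
export function isPrivateAddress(ip: string): boolean {
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) return PRIVATE_V4.some(c => inCidr4(v4, c));
  const h = parseIpv6(ip);
  if (h === null) return true;
  if (h.slice(0, 6).every(g => g === 0) && h[6] === 0 && h[7] <= 1) return true; // :: and ::1
  if (h.slice(0, 5).every(g => g === 0) && h[5] === 0xffff) {             // ::ffff:a.b.c.d
    const mapped = ((h[6] << 16) | h[7]) >>> 0;
    return PRIVATE_V4.some(c => inCidr4(mapped, c));
  }
  return (h[0] & 0xfe00) === 0xfc00 || (h[0] & 0xffc0) === 0xfe80;       // fc00::/7, fe80::/10
}

// Assumed shape of the admin setting named in the post: CIDR or literal entries.
export interface MediaPolicy { allowedPrivateAddresses: string[] }

function isAllowed(ip: string, policy: MediaPolicy): boolean {
  const v4 = ipv4ToInt(ip);
  return policy.allowedPrivateAddresses.some(e =>
    e.includes('/') ? v4 !== null && inCidr4(v4, e) : e.toLowerCase() === ip.toLowerCase());
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

export function checkMediaUrl(raw: string, resolve: Resolver, policy: MediaPolicy):
    { ok: boolean; reason: string; addresses: string[] } {
  const url = parseUrl(raw);
  if (url === null) return { ok: false, reason: 'unparseable URL', addresses: [] };
  if (url.protocol !== 'http:' && url.protocol !== 'https:')
    return { ok: false, reason: `scheme ${url.protocol} not allowed`, addresses: [] };
  const host = url.hostname.replace(/^\[|\]$/g, '');   // WHATWG brackets IPv6 literals
  const literal = ipv4ToInt(host) !== null || parseIpv6(host) !== null;
  const addresses = literal ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: `${host} has no address records`, addresses };
  for (const a of addresses) {                           // every record must pass, not just the first
    if (isPrivateAddress(a) && !isAllowed(a, policy))
      return { ok: false, reason: `${host} resolves to private address ${a}`, addresses };
  }
  return { ok: true, reason: 'public', addresses };
}

// Constructed stand-in for DNS: the attacker's zone from the post plus a benign host.
export const fakeDns: Record<string, string[]> = {
  'evil.mal.com': ['127.0.0.1'],
  'cdn.mal.com': ['203.0.113.10'],
  'dual.mal.com': ['203.0.113.10', '10.0.0.5'], // a public A record alongside a private one
};
export const fakeResolve: Resolver = h => fakeDns[h] ?? [];
```

With an empty allow-list, checkMediaUrl('http://evil.mal.com:8080/api/list-files', fakeResolve, ...) is rejected because the name resolves to 127.0.0.1; adding '127.0.0.1/32' to allowedPrivateAddresses reproduces the misconfiguration in the post and the same URL passes. Two caveats the check alone does not cover: the fetcher must connect to the address that was validated (a second lookup at fetch time can return a different record, the classic DNS rebinding trick), and any HTTP redirect the remote server returns must go through the same check before being followed. The WHATWG URL parser also normalises alternative IPv4 spellings (octal, hex, single-integer) to dotted quad before the hostname is examined, which is why the check is made on url.hostname rather than on the raw string.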

  • #Sharkey #Support
    hazelnoot@enby.life

    @monkee@other.li @monkee@forum.other.li ohh yeah, that one again. FYI, changing that value can open you up to security issues if you have anything sensitive on the same network.

    Fediverse with #Sharkey sharkey support

  • #Sharkey #Support
    hazelnoot@enby.life

    @monkee@other.li @monkee@forum.other.li huh, what a strange bug! What ended up being the cause?

    Fediverse with #Sharkey sharkey support

  • #Sharkey #Support
    hazelnoot@enby.life

    @monkee@other.li @monkee@forum.other.li ah, gotcha. I'm glad you got it working!

    Fediverse with #Sharkey sharkey support

  • #Sharkey #Support
    hazelnoot@enby.life

    @monkee@other.li @monkee@forum.other.li is this still a problem? I'm able to load the other account from my Sharkey instance (running latest dev build).

    Fediverse with #Sharkey sharkey support

  • Huge thanks to @Cosmix@mastodon.art for a lovely drawing of Maple, my OC!
    hazelnoot@enby.life

    Huge thanks to @Cosmix@mastodon.art for a lovely drawing of Maple, my OC! Go check out her profile for more awesome art, and maybe drop a like or follow!
    (I've been meaning to post this for a while, but kept getting distracted. So sorry about that!)

    #Art #FoxGirl

    Uncategorized art foxgirl