nanos / FediFetcher

FediFetcher is a tool for Mastodon that automatically fetches missing replies and posts from other fediverse instances, and adds them to your own Mastodon instance.
https://blog.thms.uk/fedifetcher?utm_source=github
MIT License

Security issues #98

Closed lnlyssg closed 6 months ago

lnlyssg commented 7 months ago

FYI I enabled Dependabot on my fork of the repo and it found some issues you may wish to address:

[Screenshot 2024-02-06 at 18 00 37]
Teqed commented 7 months ago

Hi. By default, Dependabot will notify people with write, maintain, or admin permissions in the affected repositories about new Dependabot alerts. GitHub never publicly discloses insecure dependencies for any repository, since opening potentially critical security concerns as GitHub issues contradicts responsible disclosure. Essentially, code analysis tools that search for vulnerabilities can be used by attackers to identify attack vectors, and it's responsible to give the authors of community software a chance to address the vulnerability before potential attackers, usually by email.

Furthermore, each Dependabot alert should be individually examined to see if its affected usages intersect with the actual usage of the project. These four alerts belong to the Python packages certifi, urllib3, and requests. For GHSA-g4mx-q9vg-27p4, we're not submitting sensitive information in the HTTP request body. For GHSA-j8r2-6x86-q33q, we're not proxying requests with credentials supplied in URL user information components. For GHSA-v845-jxx5-vc9f, we're not using the Cookie header on requests. For GHSA-xqr8-7jwr-rhp7, if the e-Tugra root certificate is compromised it still won't make it past Mastodon's own TLS host identification.

Finally, the most relevant aspect of any advisory is the patches, remediations and workarounds available. For these, the answer in every scenario is to update the Python packages in requirements.txt to a patched version (or the most recent compatible version, whenever possible). It can sometimes be helpful to update these packages on your fork, test the project to make sure it still works correctly, and then submit a PR with the patched versions in requirements.txt.

I don't think there are any breaking changes with these upgrades, so they'll probably be updated eventually, but until then these particular issues shouldn't pose any security hazards for users of this project.

nanos commented 7 months ago

Thanks @Teqed for the detailed write up.

I had a brief look at the screenshot @lnlyssg shared, and based on the titles didn't actually think that any of these sounded like issues that actually impacted this repo, so sort of mentally de-prioritised this issue.

I'm very happy to accept a PR with updated dependencies though, so if either of you want to file this, I'll be grateful.

lnlyssg commented 7 months ago

Apologies for posting publicly, I wasn't really thinking about responsible disclosure when I made the post but that's no excuse.

nanos commented 7 months ago

I don't think you did anything wrong here, to be honest.

nanos commented 6 months ago

I have now enabled Dependabot myself and merged all its PRs, so consider this fixed.