hotfix/misskey-forkbomb #8

Merged
skeh merged 0 commits from hotfix/misskey-forkbomb into stage 2022-12-01 07:45:08 +00:00
skeh commented 2022-12-01 07:05:15 +00:00 (Migrated from code.vtopia.live)

What

Limit the amount of side-effects / recursions that a single activity resolution can cause.

Why

A DOS attack is possible by using a specially crafted activitypub server that will serve up an infinite stream of users with featured collections that all reference other users. This occurred in the wild on November 30th, 2022 starting sometime around 5PM EST with instances appropriately named misskey-forkbomb.*

Additional info (optional)

The limit (100) was set for no particular reason, and could be modified / parameterized if necessary

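The mitigation the PR describes, as an added example that is not part of the PR or of Misskey's own code: a resolver that carries one counter for an entire activity resolution, so that every nested fetch it triggers draws from the same budget and the chain stops once the limit (100 here, matching the PR) is reached. The "remote server" is a constructed mock that behaves like the misbehaving instance described above: each user's featured collection points at two further users, without end. The URIs, the `Resolver` and `resolveUserTree` names, and the tree shape are all assumptions made for the example.

```typescript
// Added example, not Misskey's code: a per-resolution budget that caps how
// many nested fetches one activity resolution may cause.

type ApObject =
  | { type: "Person"; id: string; featured: string }
  | { type: "OrderedCollection"; id: string; orderedItems: string[] };

// Constructed mock of a hostile remote server. User N's featured collection
// references users 2N+1 and 2N+2, so the graph never terminates.
function mockFetch(uri: string): ApObject {
  const m = /^https:\/\/example\.invalid\/(users|featured)\/(\d+)$/.exec(uri);
  if (!m) throw new Error(`unexpected uri ${uri}`);
  const n = Number(m[2]);
  if (m[1] === "users") {
    return { type: "Person", id: uri, featured: `https://example.invalid/featured/${n}` };
  }
  return {
    type: "OrderedCollection",
    id: uri,
    orderedItems: [
      `https://example.invalid/users/${2 * n + 1}`,
      `https://example.invalid/users/${2 * n + 2}`,
    ],
  };
}

class ResolutionBudgetExceeded extends Error {}

// One Resolver instance per top-level activity. Every nested resolution that
// the first one triggers goes through the same instance, so the counter caps
// the whole chain rather than a single call.
class Resolver {
  private resolved = 0;

  constructor(
    private readonly fetch: (uri: string) => ApObject,
    private readonly limit = 100, // the PR's chosen value; arbitrary, per the author
  ) {}

  resolve(uri: string): ApObject {
    if (this.resolved >= this.limit) {
      throw new ResolutionBudgetExceeded(`hit limit of ${this.limit} resolutions`);
    }
    this.resolved++;
    return this.fetch(uri);
  }

  get count(): number {
    return this.resolved;
  }
}

// Walks a user's featured collection and recurses into the users it lists,
// the same shape of recursion the PR describes. Returns how many users were
// visited before the walk ended.
function resolveUserTree(resolver: Resolver, userUri: string, visited = new Set<string>()): number {
  if (visited.has(userUri)) return 0; // cycles are not the problem here, but cost nothing to cut
  visited.add(userUri);
  const user = resolver.resolve(userUri);
  if (user.type !== "Person") return 1;
  const featured = resolver.resolve(user.featured);
  if (featured.type !== "OrderedCollection") return 1;
  let n = 1;
  for (const item of featured.orderedItems) n += resolveUserTree(resolver, item, visited);
  return n;
}

// Runs the walk against the mock server with the given budget and reports
// whether it completed and how many fetches were spent.
function runAgainstForkBomb(limit: number): { ok: boolean; resolutions: number } {
  const resolver = new Resolver(mockFetch, limit);
  try {
    resolveUserTree(resolver, "https://example.invalid/users/0");
    return { ok: true, resolutions: resolver.count };
  } catch (e) {
    if (e instanceof ResolutionBudgetExceeded) return { ok: false, resolutions: resolver.count };
    throw e;
  }
}
```

With the budget in place the walk aborts after exactly `limit` fetches and the caller can log the event (a good detection signal: a remote instance that repeatedly trips the budget is either broken or hostile). Without it, `resolveUserTree` would keep fetching until memory or the stack ran out, which is the behaviour the PR fixes.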
Reference: skeh/MissV#8