Codeberg/Community
54
325
Fork
You've already forked Community
12

Media proxy #196

Open
opened 2020年06月17日 23:20:48 +02:00 by Ghost · 17 comments

If one were to embed an image into a document that automatically loads (e.g. a README), they could quite easily grab the IPs of targeted users.

GitHub combats this by implementing a media proxy, which is a safer mechanism for preventing these kind of attacks. For example, if an external image is embedded into a README, its request goes through camo.githubusercontent.com.

This prevents the attacker from gaining the IP of victim users. While the external images are still loaded, they are loaded from GitHub's servers, then fed back to the user and into the browser.

upstream issue: https://github.com/go-gitea/gitea/issues/916
upstream pull: https://github.com/go-gitea/gitea/pull/12802
example proxy: https://github.com/cactus/go-camo

If one were to embed an image into a document that automatically loads (e.g. a README), they could quite easily grab the IPs of targeted users. GitHub combats this by implementing a media proxy, which is a safer mechanism for preventing these kind of attacks. For example, if an external image is embedded into a README, its request goes through camo.githubusercontent.com. This prevents the attacker from gaining the IP of victim users. While the external images are still loaded, they are loaded from GitHub's servers, then fed back to the user and into the browser. ---- upstream issue: https://github.com/go-gitea/gitea/issues/916 upstream pull: https://github.com/go-gitea/gitea/pull/12802 example proxy: https://github.com/cactus/go-camo

https://github.com/go-gitea/gitea/issues/916

https://github.com/go-gitea/gitea/issues/916

Another way to solve this and to protect users and visitors of Codeberg other than waiting for the Gitea developers to integrate a proxy would be to modify Gitea to be able to configure a proxy URL and to then set up our own simple proxy server.

In fact, Gitea does something very similar already, as described in my answer to #220

That way, we could also fix the issues with SVG images, as described in #220.

I would also imagine that it can take some load off our servers in comparison to the integrated approach, because in a high-load scenario the proxy could run on another machine.

There are however a few open questions regarding setting up a media proxy (most of them are valid for both approaches):

  • How much additional traffic is to be expected?
  • How to deal with the potential of abuse of our proxy?
  • We would need to make sure to set proper Content-Security-Policy headers for any media returned from our proxy (and preferably test it in practice), to make sure that tracking cannot occur indirectly, for example due to external resources being loaded by an SVG.
  • A simple proxy that isn't build into Gitea would lack authentication and thus could only access content of public repositories and the public Internet. What to do with private repositories?
Another way to solve this and to protect users and visitors of Codeberg other than waiting for the Gitea developers to integrate a proxy would be to modify Gitea to be able to configure a proxy URL and to then set up our own simple proxy server. In fact, Gitea does something very similar already, as described [in my answer to #220](https://codeberg.org/Codeberg/Community/issues/220#issuecomment-69309) That way, we could also fix the issues with SVG images, as described in #220. I would also imagine that it can take some load off our servers in comparison to the integrated approach, because in a high-load scenario the proxy could run on another machine. There are however a few open questions regarding setting up a media proxy (most of them are valid for both approaches): - How much additional traffic is to be expected? - How to deal with the potential of abuse of our proxy? - We would need to make sure to set proper Content-Security-Policy headers for any media returned from our proxy (and preferably test it in practice), to make sure that tracking cannot occur indirectly, for example due to external resources being loaded by an SVG. - A simple proxy that isn't build into Gitea would lack authentication and thus could only access content of public repositories and the public Internet. What to do with private repositories?

How to deal with the potential of abuse of our proxy?

Perhaps it would be wise to add UUID's into the requests (camo and go-camo do this).

The latter should, in theory, be easy to implement. Just add a field to the configuration file that points at an instance of it.

> How to deal with the potential of abuse of our proxy? Perhaps it would be wise to add UUID's into the requests ([camo](https://github.com/atmos/camo) and [go-camo](https://github.com/cactus/go-camo#differences-from-camo) do this). The latter should, in theory, be easy to implement. Just add a field to the configuration file that points at an instance of it.

It would be wise to use an existing, tested implementation, instead of hacking together some nonsense.

I'm the author of this issue. I did email Codeberg about this, but they think it's a small security risk. Of course, I disagree. The user does not have to consent to their browser loading embedded images, which makes this effectively a click-and-grab attack: the user won't be aware of their IP being leaked.

I'm surprised this big security risk hasn't been paired up with an IP logger, yet. Just a matter of time...

It would be wise to use an existing, tested implementation, instead of hacking together some nonsense. --- I'm the author of this issue. I did email Codeberg about this, but they think it's a small security risk. Of course, I disagree. The user does not have to consent to their browser loading embedded images, which makes this effectively a click-and-grab attack: the user won't be aware of their IP being leaked. I'm surprised this big security risk hasn't been paired up with an IP logger, yet. Just a matter of time...
Member
Copy link

please stay fair and considerate.

Analysis and proposals above and in #220 are well-founded and productive, many if not all of these options might evolve as viable solutions. As discussed in email communication, this issue is definitely not a security risk endangering operations, but surely a privacy improvement we all encourage. All help and PR welcome, please be invited to contribute!

camo/go-camo integration with gitea is surely a good point to start with. Relevant repos are http://codeberg.org/codeberg/gitea/ and http://codeberg.org/codeberg/build-deploy-gitea/ -- likely a lot of this work will be valuable to upstream gitea.

please stay fair and considerate. Analysis and proposals above and in #220 are well-founded and productive, many if not all of these options might evolve as viable solutions. As discussed in email communication, this issue is definitely not a security risk endangering operations, but surely a privacy improvement we all encourage. All help and PR welcome, please be invited to contribute! camo/go-camo integration with gitea is surely a good point to start with. Relevant repos are http://codeberg.org/codeberg/gitea/ and http://codeberg.org/codeberg/build-deploy-gitea/ -- likely a lot of this work will be valuable to upstream gitea.

please stay fair and considerate.

Oh, I thought I was. I'm sorry, but are upstream doing anything about this? I don't know where we stand.

Analysis and proposals above and in #220 are well-founded and productive, many if not all of these options might evolve as viable solutions.

Nice.

As discussed in email communication, this issue is definitely not a security risk endangering operations, but surely a privacy improvement we all encourage. All help and PR welcome, please be invited to contribute!

Well, to be rather frank, I now wonder if this issue should be here at all. It's more of a general issue with Gitea.

camo/go-camo integration with gitea is surely a good point to start with.

Of course it is. I mentioned the Go variant for a reason :-)

> please stay fair and considerate. Oh, I thought I was. I'm sorry, but are upstream doing anything about this? I don't know where we stand. > Analysis and proposals above and in #220 are well-founded and productive, many if not all of these options might evolve as viable solutions. Nice. > As discussed in email communication, this issue is definitely not a security risk endangering operations, but surely a privacy improvement we all encourage. All help and PR welcome, please be invited to contribute! Well, to be rather frank, I now wonder if this issue should be here at all. It's more of a general issue with Gitea. > camo/go-camo integration with gitea is surely a good point to start with. Of course it is. I mentioned the Go variant for a reason :-)

I can have a closer look at go-camo once I can spare some more time. Right now, my focus lies mainly on Codeberg Documentation though. Everyone willing to help with research and/or implementation for this issue is invited to do so :)

@resynth1943 Could you elaborate on how the UUID approach would address the risk of abuse?

I can have a closer look at go-camo once I can spare some more time. Right now, my focus lies mainly on Codeberg Documentation though. Everyone willing to help with research and/or implementation for this issue is invited to do so :) @resynth1943 Could you elaborate on how the UUID approach would address the risk of abuse?

The latter should, in theory, be easy to implement. Just add a field to the configuration file that points at an instance of it.

If you mean implementing a media proxy not by integrating it into Gitea but by giving a proxy URL, please refer to my answer in #220, as modifying Gitea to use an external proxy URL would need a bit more refactoring. Just changing the config file won't do, I'm afraid.

> The latter should, in theory, be easy to implement. Just add a field to the configuration file that points at an instance of it. If you mean implementing a media proxy not by integrating it into Gitea but by giving a proxy URL, please refer to [my answer in #220](https://codeberg.org/Codeberg/Community/issues/220#issuecomment-69309), as modifying Gitea to use an external proxy URL would need a bit more refactoring. Just changing the config file won't do, I'm afraid.

Could you elaborate on how the UUID approach would address the risk of abuse?

Can't speak too much about the technique, as I'm not too familiar with it. From what I can see though, the server signs the target URL with HMAC, which then is added to the URL. Morty does this, and it prevents Morty instances from being used as open proxies.

> Could you elaborate on how the UUID approach would address the risk of abuse? Can't speak too much about the technique, as I'm not too familiar with it. From what I can see though, the server signs the target URL with HMAC, which then is added to the URL. [Morty](https://github.com/asciimoo/morty) does this, and it prevents Morty instances from being used as open proxies.

If you mean implementing a media proxy not by integrating it into Gitea but by giving a proxy URL, please refer to my answer in #220, as modifying Gitea to use an external proxy URL would need a bit more refactoring.

Haha, well maybe that's a good thing 😛 Might open the door to other future additions.

> If you mean implementing a media proxy not by integrating it into Gitea but by giving a proxy URL, please refer to my answer in #220, as modifying Gitea to use an external proxy URL would need a bit more refactoring. Haha, well maybe that's a good thing 😛 Might open the door to other future additions.

OK I've made a very basic attempt to do this:

https://github.com/go-gitea/gitea/pull/12802

OK I've made a very basic attempt to do this: https://github.com/go-gitea/gitea/pull/12802

backported ... Codeberg/gitea@4964756816

backported ... https://codeberg.org/Codeberg/gitea/commit/49647568169140fd128d3a816ba043aee1cb7b91

finally... no more repos connecting to shields.io directly!

finally... no more repos connecting to shields.io directly!
Owner
Copy link

How can this be closed, we didn't do any config change IIRC? And it's not enabled by default? And all places I know still directly link external sources?!

How can this be closed, we didn't do any config change IIRC? And it's not enabled by default? And all places I know still directly link external sources?!

this is now a configuration issue only ...

this is now a configuration issue only ...
6543 removed their assignment 2024年01月19日 00:29:49 +01:00

This issue is still here to this day. Hopefully this issue gets fixed as this is a privacy concern not only for me but also for everyone else.

This issue is still here to this day. Hopefully this issue gets fixed as this is a privacy concern not only for me but also for everyone else.
Owner
Copy link

Freel free to step up and setup and maintain the media proxy.

Freel free to step up and setup and maintain the media proxy.
Sign in to join this conversation.
No Branch/Tag specified
main
No results found.
Labels
Clear labels
accessibility

Reduces accessibility and is thus a "bug" for certain user groups on Codeberg.
bug

Something is not working the way it should. Does not concern outages.
bug
infrastructure
Errors evidently caused by infrastructure malfunctions or outages
Codeberg

This issue involves Codeberg's downstream modifications and settings and/or Codeberg's structures.
contributions welcome

Please join the discussion and consider contributing a PR!
docs

No bug, but an improvement to the docs or UI description will help
duplicate

This issue or pull request already exists
enhancement

New feature
infrastructure

Involves changes to the server setups, use `bug/infrastructure` for infrastructure-related user errors.
legal

An issue directly involving legal compliance
licence / ToS

involving questions about the ToS, especially licencing compliance
please chill
we are volunteers
Please consider editing your posts and remember that there is a human on the other side. We get that you are frustrated, but it's harder for us to help you this way.
public relations

Things related to Codeberg's external communication
question

More information is needed
question
user support
This issue contains a clearly stated problem. However, it is not clear whether we have to fix anything on Codeberg's end, but we're helping them fix it and/or find the cause.
s/Forgejo

Related to Forgejo. Please also check Forgejo's issue tracker.
s/Forgejo/migration

Migration related issues in Forgejo
s/Pages

Issues related to the Codeberg Pages feature
s/Weblate

Issue is related to the Weblate instance at https://translate.codeberg.org
s/Woodpecker

Woodpecker CI related issue
security

involves improvements to the sites security
service

Add a new service to the Codeberg ecosystem (instead of implementing into Gitea)
upstream

An open issue or pull request to an upstream repository to fix this issue (partially or completely) exists (i.e. Gitea, Forgejo, etc.)
wontfix

Codeberg's current set of contributors are not planning to spend time on delegating this issue.
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
9 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks
Reference
Codeberg/Community#196
Reference in a new issue
Codeberg/Community
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?