forgejo-docs/docs/developer/threat-analysis/threat-analysis-remote-login-propagation.md at 98dac9cb1fa05c9f5048f6083660f5a3cacfb614

mirror of https://codeberg.org/forgejo/docs.git synced 2025-04-25 21:20:59 +03:00

Michael Jerger 98dac9cb1f Documentation for federated-star (#639 )

Preview:

* https://forgejo.codeberg.page/@docs_pull_639/docs/next/developer/federation-architecture/
* https://forgejo.codeberg.page/@docs_pull_639/docs/next/developer/threat-analysis/
* https://forgejo.codeberg.page/@docs_pull_639/docs/next/developer/adr/

Co-authored-by: patdyn <erik.seiert@meissa-gmbh.de>
Co-authored-by: Clemens <clemens.geibel@meissa-gmbh.de.de>
Reviewed-on: https://codeberg.org/forgejo/docs/pulls/639
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>

2024-06-29 16:47:25 +00:00

3.4 KiB

Raw Blame History

title	license
Threat Analysis: Remote Login Propagation	CC-BY-SA-4.0

See also blog: geballte sicherheit for getting an idea about the analysis.

Technical Background

Control Flow

Data transferred

# NodeInfoWellKnown
{"links":[
  {"href":"https://federated-repo.prod.meissa.de/api/v1/nodeinfo",
  "rel":"http://nodeinfo.diaspora.software/ns/schema/2.1"}]}

# NodeInfo
{"version":"2.1",
 "software":{"name":"gitea",
 ...}}

# LikeActivity
{"id": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1/outbox/12345",
  "type": "Like",
  "actor": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1",
  "object": "https://codeberg.org/api/v1/activitypub/repository-id/12"
  "startTime": "2014-12-31T23:00:00-08:00"
}

# Person
{"id":"https://federated-repo.prod.meissa.de/api/v1/activitypub/user-id/10",
 "type":"Person",
 "preferredUsername":"stargoose9",
 "name": "goose going to star the repo",
 "publicKey":{"id":"https://federated-repo.prod.meissa.de/api/v1/activitypub/user-id/10#main-key",
		"owner":"https://federated-repo.prod.meissa.de/api/v1/activitypub/user-id/10",
		"publicKeyPem":"-----BEGIN PUBLIC KEY-----\nMIIBoj...XAgMBAAE=\n-----END PUBLIC KEY-----\n"}}

Data Flow

Analysis

Assets

Service Availability: The availability of our or foreign servers.
Instance Reputation: We hope our project does not live on a spam instance.
Project Reputation: The reputation of an individual project.

Actors

Script Kiddies: Boored teens, willing to do some illegal stuff without deep knowledge of tech details but broad knowledge across internet discussions. Able to do some bash / python scripting.
Experienced Hacker: Hacker with deep knowledge.
Hacker: Hacker with some knowledge.
Malicious Fediverse Member: Malicious Members of the fediverse, able to operate malicious forge instances.
Malicious Forge Admin: Admin of good reputation forge instance in the fediverse.
Federated User: Members of good reputation forge instance in the fediverse.

Threat

Mitigations

DREAD-Score

Threat	Damage	Reproducibility	Exploitability	Affected Users	Discoverability	Mitigations
1.	... tbd
2.	... tbd

Threat Score with values between 1 - 6

Damage – how severe would the damage be if the attack is successful? 6 is a very bad damage.
Reproducibility – how easy would the attack be reproducible? 6 is very easy to reproduce.
Exploitability – How much time, effort and experience are necessary to exploit the threat? 6 is very easy to make.
Affected Users – if a threat were exploited, how many percentage of users would be affected?
Discoverability – How easy can an attack be discovered? Does the attacker have to expect prosecution? 6 is very hard to discover / is not illegal

3.4 KiB

Raw Blame History

Technical Background

Control Flow

Data transferred

Data Flow

Analysis

Assets

Actors

Threat

Mitigations

DREAD-Score

Contributors

Reference

3.4 KiB Raw Blame History Unescape Escape

Technical Background

Control Flow

Data transferred

Data Flow

Analysis

Assets

Actors

Threat

Mitigations

DREAD-Score

Contributors

Reference

3.4 KiB

Raw Blame History