Check for people posting their private keys, presumably by accident

2024-02-17 13:48:40 +00:00 · 2024-02-17 13:48:40 +00:00 · 58fe90f823
parent 7334370acd
commit 58fe90f823
3 changed files with 26 additions and 0 deletions
--- a/inbox.py
+++ b/inbox.py
@ -40,6 +40,7 @@ from utils import domain_permitted
 from utils import is_group_account
 from utils import is_system_account
 from utils import invalid_ciphertext
+from utils import contains_private_key
 from utils import remove_html
 from utils import file_last_modified
 from utils import has_object_string
@ -1555,6 +1556,11 @@ def _valid_post_content(base_dir: str, nickname: str, domain: str,
                    print('REJECT: reply to post which does not ' +
                          'allow comments: ' + original_post_id)
                    return False
+    if contains_private_key(message_json['object']['content']):
+        print('REJECT: someone posted their private key ' +
+              message_json['object']['id'] + ' ' +
+              message_json['object']['content'])
+        return False
    if invalid_ciphertext(message_json['object']['content']):
        print('REJECT: malformed ciphertext in content ' +
              message_json['object']['id'] + ' ' +
--- a/posts.py
+++ b/posts.py
@ -34,6 +34,7 @@ from webfinger import webfinger_handle
 from httpsig import create_signed_header
 from siteactive import site_is_active
 from languages import understood_post_language
+from utils import contains_private_key
 from utils import get_url_from_post
 from utils import date_from_string_format
 from utils import date_epoch
@ -6049,6 +6050,13 @@ def download_announce(session, base_dir: str, http_prefix: str,
                             base_dir, nickname, domain, post_id,
                             recent_posts_cache)
            return None
+        if contains_private_key(content_str):
+            print("WARN: announced post contains someone's private key " +
+                  str(announced_json))
+            _reject_announce(announce_filename,
+                             base_dir, nickname, domain, post_id,
+                             recent_posts_cache)
+            return None
        if invalid_ciphertext(content_str):
            print('WARN: announced post contains invalid ciphertext ' +
                  str(announced_json))
--- a/utils.py
+++ b/utils.py
@ -3664,6 +3664,18 @@ def contains_pgp_public_key(content: str) -> bool:
    return False


+def contains_private_key(content: str) -> bool:
+    """Returns true if the given content contains a PGP private key
+    """
+    if '--BEGIN PGP PRIVATE KEY BLOCK--' in content:
+        if '--END PGP PRIVATE KEY BLOCK--' in content:
+            return True
+    if '--BEGIN RSA PRIVATE KEY--' in content:
+        if '--END RSA PRIVATE KEY--' in content:
+            return True
+    return False
+
+
 def is_pgp_encrypted(content: str) -> bool:
    """Returns true if the given content is PGP encrypted
    """