@joeyh posted about two security vulnerabilities he uncovered http://joeyh.name/blog/entry/two_security_holes_and_a_new_library/
Notably the ActivityPub appendix warns about these kinds of security vulnerabilities: don't fetch from uri schemes you don't know (be sure your http lib doesn't accept file://) and don't fetch from localhost (though sadly it's hard not to do this one... "localhost-only" is mostly doomed).
But Joey's post also points out that even if you filter out the scheme and localhost yourself, redirects may bite you
@cwebber localhost only is not good enough, and the full IP blacklist is quite hard (especially considering IPV6, 4-in-6 etc).
Remember the guy who made his garage door respond to GET requests..
@joeyh once again the ocap people are right that "perimeter security is eggshell security"
(This is also why CORS is a failed security model)
@cwebber btw you had some late-nite toots a while ago that got me thinking about this again
@cwebber I was not sure how to really fit that credit in, but thanks for that
@joeyh oh really? Was it the one about bumping into Racket's http lib grabbing stuff from file:// by default? I was wondering if maybe you saw that and it influenced this but figured it was unlikely!
@cwebber yes those
@szbalint @joeyh not sure if you saw the Guile vulnerability that we uncovered a while ago where live hacking sessions listening on localhost were vulnerable to confused deputy attacks through browsers and etc (notably, also activitypub instances that don't heed this advice) that allowed arbitrary code execution https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html
localhost-only ain't
@joeyh If you're an ActivityPub implementor, you should *make sure your software is not vulnerable to these kinds of attacks*. The redirect one is especially tricky.