diff --git a/prosody-modules/mod_muc_peertubelivechat_announcements/README.markdown b/prosody-modules/mod_muc_peertubelivechat_announcements/README.markdown
new file mode 100644
index 00000000..cd4fea72
--- /dev/null
+++ b/prosody-modules/mod_muc_peertubelivechat_announcements/README.markdown
@@ -0,0 +1,11 @@
+
+
+# mod_muc_peertubelivechat_announcements
+
+This modules performs some security check related to the Peertube livechat announcements.
+
+This module is part of peertube-plugin-livechat, and is under the same LICENSE.
diff --git a/prosody-modules/mod_muc_peertubelivechat_announcements/mod_muc_peertubelivechat_announcements.lua b/prosody-modules/mod_muc_peertubelivechat_announcements/mod_muc_peertubelivechat_announcements.lua
new file mode 100644
index 00000000..e1a54b9a
--- /dev/null
+++ b/prosody-modules/mod_muc_peertubelivechat_announcements/mod_muc_peertubelivechat_announcements.lua
@@ -0,0 +1,44 @@
+-- mod_muc_peertubelivechat_announcements
+--
+-- SPDX-FileCopyrightText: 2024 John Livingston
+-- SPDX-License-Identifier: AGPL-3.0-only
+--
+-- This file is AGPL-v3 licensed.
+-- Please see the Peertube livechat plugin copyright information.
+-- https://livingston.frama.io/peertube-plugin-livechat/credits/
+--
+
+local st = require "util.stanza";
+local jid_bare = require "util.jid".bare;
+
+-- security check: only MUC owner/admin can add the x-livechat-announcement-type attribute on the body.
+function handle_groupchat(event)
+ local origin, stanza = event.origin, event.stanza;
+ local room = event.room;
+ local body = stanza:get_child("body")
+ if not body or not body.attr then
+ return;
+ end
+ if not body.attr["x-livechat-announcement-type"] then
+ return;
+ end
+
+ local from = stanza.attr.from;
+ local from_affiliation = room:get_affiliation(from);
+ if (from_affiliation == "owner" or from_affiliation == "admin") then
+ return;
+ end
+
+ module:log("info", "Someone tried to spoof x-livechat-announcement-type, bouncing the message.");
+ local reply = st.error_reply(
+ stanza,
+ -- error_type = 'modify' (see descriptions in RFC 6120 https://xmpp.org/rfcs/rfc6120.html#stanzas-error-syntax)
+ "modify",
+ -- error_condition = 'policy-violation' (see RFC 6120 Defined Error Conditions https://xmpp.org/rfcs/rfc6120.html#stanzas-error-conditions)
+ "policy-violation",
+ "Only owner and admin can send announcements."
+ );
+ origin.send(reply);
+ return true; -- stoping propagation
+end
+module:hook("muc-occupant-groupchat", handle_groupchat, 500);
diff --git a/server/lib/prosody/config/content.ts b/server/lib/prosody/config/content.ts
index 9944d590..6126f2ff 100644
--- a/server/lib/prosody/config/content.ts
+++ b/server/lib/prosody/config/content.ts
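Review bot: The check in `handle_groupchat` inspects only the first `<body>` returned by `stanza:get_child("body")`, so on a message carrying several body elements (for example per-`xml:lang` variants) the attribute is examined on one of them only; whether receivers read it from the others is not visible here, but iterating with `stanza:childtags("body")` covers every body either way. The log line records neither the sender nor the room, which makes a bounced message hard to triage afterwards; `jid_bare` is imported but never used in this file and could serve there together with `room.jid`. `handle_groupchat` is also declared without `local`, so it lands in the module environment instead of staying file-private.

```lua
local function handle_groupchat(event)
	local origin, stanza = event.origin, event.stanza;
	local room = event.room;
	-- Look at every <body> child, not just the first one.
	local tagged = false;
	for body in stanza:childtags("body") do
		if body.attr["x-livechat-announcement-type"] then
			tagged = true;
			break;
		end
	end
	if not tagged then
		return;
	end
	-- … unchanged: affiliation lookup and owner/admin early return …
	module:log(
		"warn",
		"Bouncing message from %s in room %s: x-livechat-announcement-type set by a non owner/admin.",
		jid_bare(from), room.jid
	);
	-- … unchanged: error reply, origin.send and return true …
```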
@@ -246,6 +246,7 @@ class ProsodyConfigContent {
 this.muc.add('modules_enabled', 'pubsub_peertubelivechat')
 this.muc.add('modules_enabled', 'muc_peertubelivechat_roles')
+ this.muc.add('modules_enabled', 'muc_peertubelivechat_announcements')
 this.muc.add('modules_enabled', 'muc_peertubelivechat_terms')
 this.muc.set('muc_terms_service_nickname', 'Peertube')