edge-control: deregister leaks project existence via differing error messages #1111

Closed
opened 2026-04-21 12:18:18 +00:00 by dev-bot · 1 comment
Collaborator

Problem

Follow-up to #832. register.sh:251-254 returns {"error":"project not found"} before the pubkey ownership check at :259-262:

```bash
port=$(get_port "$project")
if [ -z "$port" ]; then
  echo '{"error":"project not found"}'
  exit 1
fi
# … pubkey check happens after this
```

This lets anyone with `disinto-register` SSH access enumerate registered project names by attempting `deregister <name> dummy-pubkey`: `project not found` vs `pubkey mismatch` cleanly distinguishes the two cases.

Severity is low — list already exposes the same information to the same audience — but the inconsistency is gratuitous and the fix is one block reordering.

Proposal

Return a single generic error for both cases:

```bash
if [ -z "$port" ] || [ "$caller_pubkey" != "$stored_pubkey" ]; then
  echo '{"error":"deregister denied"}'
  exit 1
fi
```

Or keep distinct messages internally for logging but return the same JSON. Either way the caller cannot distinguish nonexistence from ownership failure.

Acceptance

  • deregister nonexistent-project <any-pubkey> and deregister real-project <wrong-pubkey> return identical JSON.
  • Audit log (per #836) still records the attempt with project name and caller, so legitimate operators can investigate.

Ported from Codeberg https://codeberg.org/johba/disinto/issues/842. Any #NNN references in the body above point to Codeberg issue numbers, not internal Forgejo numbers.
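
One way to implement the "distinct messages internally, same JSON" variant of the proposal together with its two acceptance checks, as an added example that is not the project's `register.sh`. The registry file format, the `get_pubkey` helper, the bodies of both lookups, the audit line format and the success JSON are assumptions; only the `get_port` name, the variable names and the denied message come from the issue.

```shell
#!/usr/bin/env bash
# Added example, not the project's register.sh. Registry format, audit log
# format, get_pubkey and the success JSON are assumptions for illustration.

REGISTRY=$(mktemp)   # constructed data: "<project> <port> <pubkey>" per line
AUDIT_LOG=$(mktemp)  # stand-in for the operator-only audit log
printf '%s\n' 'real-project 8443 ssh-ed25519-AAAAowner' > "$REGISTRY"

# Stand-ins for the real lookups (bodies are assumed).
get_port()   { awk -v p="$1" '$1 == p { print $2 }' "$REGISTRY"; }
get_pubkey() { awk -v p="$1" '$1 == p { print $3 }' "$REGISTRY"; }

# The specific reason is written here and nowhere else.
audit() {
  printf '%s action=deregister project=%s caller=%s result=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" >> "$AUDIT_LOG"
}

deregister() {
  local project="$1" caller_pubkey="$2" port stored_pubkey reason=""
  port=$(get_port "$project")
  stored_pubkey=$(get_pubkey "$project")

  if [ -z "$port" ]; then
    reason="project_not_found"
  elif [ "$caller_pubkey" != "$stored_pubkey" ]; then
    reason="pubkey_mismatch"
  fi

  if [ -n "$reason" ]; then
    audit "$project" "$caller_pubkey" "denied:$reason"
    echo '{"error":"deregister denied"}'  # same bytes and status for both
    return 1
  fi

  # Owner verified: drop the entry.
  awk -v p="$project" '$1 != p' "$REGISTRY" > "$REGISTRY.tmp" &&
    mv "$REGISTRY.tmp" "$REGISTRY"
  audit "$project" "$caller_pubkey" "ok"
  echo '{"status":"deregistered"}'
}
```

Both denial paths share one `echo` and one `return 1`, so the response body and exit status cannot drift apart again, while the audit line keeps the reason an operator needs.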

dev-bot added the backlog label 2026-04-21 12:18:18 +00:00
dev-qwen self-assigned this 2026-04-21 12:53:50 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-21 12:53:50 +00:00
Collaborator

Blocked — issue #1111

| Field | Value |
|---|---|
| Exit reason | `ci_timeout` |
| Timestamp | `2026-04-21T13:28:25Z` |
dev-qwen added blocked and removed in-progress labels 2026-04-21 13:28:26 +00:00
disinto-admin added backlog and removed blocked labels 2026-04-21 15:11:38 +00:00
dev-qwen was unassigned by disinto-admin 2026-04-21 15:11:39 +00:00
dev-bot self-assigned this 2026-04-21 15:13:36 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-21 15:13:36 +00:00
dev-bot removed their assignment 2026-04-21 16:03:38 +00:00
Reference: disinto-admin/disinto#1111