Can you explain the actual attack surface tho
Webfinger can sometimes be in XML format instead of JSON, and the server will parse it. But I don't see how the results could be rendered to the attacker.
nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 yeah, XXE. Means anything that can submit an XML document that the server parses can read arbitrary files on the server, same as the other issue. Actually worse if this doesn't require auth. XXE is fixed by not using shit, brain-damaged parsers, which nobody should be using. This is straight outta 2004.
Abandon hope, all ye who enter. Pleroma is fucked and was made by retards.
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 XXE occurs when the XML parsing library evaluates external entities, often allowing references to files on the local FS, though it's bad even if it only resolves remote resources (think AWS metadata endpoints).
https://gist.github.com/Eriner/2118b0ec479c57f980e39d3763195266
In the XML above (sorry for gist, foiled by CF WAF), the external entity reads /etc/passwd and returns it in the response, replacing the evaluation with `&xxe;`
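Added example (not from the thread, the gist, or Pleroma's code): the mitigation the post above is getting at, written against Python's stdlib expat bindings. It parses a WebFinger XRD document but refuses any document that declares a DOCTYPE, declares entities, or references an external entity, so no entity is ever resolved. The XRD samples, the `acct:alice@example.invalid` subject, and the function names are constructed for this example; the hostile sample mirrors the /etc/passwd entity described in the thread.

```python
"""Reject XML documents that could trigger XXE or entity expansion before any
entity is resolved (the approach defusedxml takes, hand-rolled on stdlib expat).
Constructed example; not code from the thread or from Pleroma."""
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE, entity declaration, or external entity."""


def parse_xrd_safely(data: bytes) -> dict:
    """Parse a WebFinger XRD document into {"subject": str, "links": [...]}.

    Raises UnsafeXML as soon as expat reports a DOCTYPE, an entity
    declaration, or an external entity reference; the document body is
    never handed to an entity-resolving code path.
    """
    result = {"subject": None, "links": []}
    buf = []  # character data of the element currently open

    def forbid(*_args):
        # Called on <!DOCTYPE ...> and on any <!ENTITY ...> declaration.
        raise UnsafeXML("DOCTYPE and entity declarations are not accepted")

    def external_ref(*_args):
        # Called if expat would otherwise follow a SYSTEM/PUBLIC entity.
        raise UnsafeXML("external entity reference refused")

    def start(name, attrs):
        buf.clear()
        if name == "Link":
            result["links"].append({"rel": attrs.get("rel"), "href": attrs.get("href")})

    def end(name):
        if name == "Subject":
            result["subject"] = "".join(buf).strip()

    def chars(text):
        buf.append(text)

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = forbid
    p.EntityDeclHandler = forbid
    p.ExternalEntityRefHandler = external_ref
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    try:
        p.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return result


def is_safe(data: bytes) -> bool:
    """True if the document parses without tripping any of the refusals above."""
    try:
        parse_xrd_safely(data)
    except UnsafeXML:
        return False
    return True


# Constructed sample: an ordinary XRD WebFinger response.
GOOD_XRD = b"""<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@example.invalid</Subject>
  <Link rel="self" type="application/activity+json" href="https://example.invalid/users/alice"/>
</XRD>
"""

# Constructed sample: the same document shape carrying the external entity
# the thread describes. A resolving parser would substitute the file contents
# for &xxe; and echo them back; this parser refuses it at the DOCTYPE.
HOSTILE_XRD = b"""<?xml version="1.0"?>
<!DOCTYPE XRD [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>&xxe;</Subject>
</XRD>
"""

if __name__ == "__main__":
    print("good:", parse_xrd_safely(GOOD_XRD))
    print("hostile accepted?", is_safe(HOSTILE_XRD))
```

Forbidding the DOCTYPE outright (rather than only external entities) also shuts down internal-entity expansion attacks, which expat would otherwise expand happily; for a WebFinger endpoint there is no legitimate reason for a client to send a DTD.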
Statuses can be HTML (XHTML) code as far as I know, maybe the backend needs a parser for it?