more security

2020-03-22 17:47:45 +00:00 · 2020-03-22 17:47:45 +00:00 · 5e582e1990
parent 8d51aae70c
commit 5e582e1990
1 changed files with 27 additions and 9 deletions
--- a/steal_emoji_policy.ex
+++ b/steal_emoji_policy.ex
@ -21,16 +21,34 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
            !has_emojo(installed_emoji, emojo_shortcode) do
          Logger.debug("HANDLING EMOJO")

-          remote_emojo = HTTPoison.get!(emojo_url)
-          with {:ok, current_dir} <- File.cwd() do
-            new_file = current_dir <> "/priv/static/emoji/stolen/" <> emojo_shortcode <> Path.extname(emojo_url)
+          cond do
+            String.contains?(emojo_shortcode, "/") ->
+              Logger.error("BAD EMOJO SHORTCODE: #{emojo_shortcode}")

-            {:ok, file} = File.open(new_file, [:write])
-            IO.binwrite(file, remote_emojo.body)
-            File.close(file)
-            Logger.debug("SAVED EMOJO")
-            new_file
+            String.starts_with?(emojo_url, "https://") ->
+              try do
+                remote_emojo = HTTPoison.get!(emojo_url)
+
+                if remote_emojo.status_code == 200 do
+                  with {:ok, current_dir} <- File.cwd() do
+                    new_file = current_dir <> "/priv/static/emoji/stolen/" <> emojo_shortcode <> Path.extname(emojo_url)
+
+                    {:ok, file} = File.open(new_file, [:write])
+                    IO.binwrite(file, remote_emojo.body)
+                    File.close(file)
+                    Logger.debug("SAVED EMOJO")
+                    new_file
+                  end
+                end
+              rescue
+                e in RuntimeError -> Logger.error("FAILED TO QUERY REMOTE EMOJO #{emojo_url} #{e}")
+              end
+
+            true ->
+              Logger.error("EMOJO COND FAIL #{emojo_shortcode} #{emojo_url}")
          end
+          
+
        end

      Logger.debug("EMOJI FILES: #{inspect(new_files)}")