From fa483cd7c211ba7d755d307f095bde31efdb81d4 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Mon, 29 Oct 2018 16:29:46 +0000 Subject: [PATCH 1/5] upload: add new optional argument designating an upload size limit --- lib/pleroma/upload.ex | 107 ++++++++++++++++++++++++------------------ 1 file changed, 61 insertions(+), 46 deletions(-) diff --git a/lib/pleroma/upload.ex b/lib/pleroma/upload.ex index f188a5f32..2293ff54e 100644 --- a/lib/pleroma/upload.ex +++ b/lib/pleroma/upload.ex @@ -4,61 +4,76 @@ defmodule Pleroma.Upload do @storage_backend Application.get_env(:pleroma, Pleroma.Upload) |> Keyword.fetch!(:uploader) - def store(%Plug.Upload{} = file, should_dedupe) do - content_type = get_content_type(file.path) + def check_file_size(path, nil), do: true - uuid = get_uuid(file, should_dedupe) - name = get_name(file, uuid, content_type, should_dedupe) - - strip_exif_data(content_type, file.path) - - {:ok, url_path} = - @storage_backend.put_file(name, uuid, file.path, content_type, should_dedupe) - - %{ - "type" => "Document", - "url" => [ - %{ - "type" => "Link", - "mediaType" => content_type, - "href" => url_path - } - ], - "name" => name - } + def check_file_size(path, size_limit) do + {:ok, %{size: size}} = File.stat(path) + size <= size_limit end - def store(%{"img" => "data:image/" <> image_data}, should_dedupe) do + def store(file, should_dedupe, size_limit \\ nil) + + def store(%Plug.Upload{} = file, should_dedupe, size_limit) do + content_type = get_content_type(file.path) + + with uuid <- get_uuid(file, should_dedupe), + name <- get_name(file, uuid, content_type, should_dedupe), + true <- check_file_size(file.path, size_limit) do + strip_exif_data(content_type, file.path) + + {:ok, url_path} = + @storage_backend.put_file(name, uuid, file.path, content_type, should_dedupe) + + %{ + "type" => "Document", + "url" => [ + %{ + "type" => "Link", + "mediaType" => content_type, + "href" => url_path + } + ], + "name" => name + } + else + _e -> nil + end + end + + def store(%{"img" => "data:image/" <> image_data}, should_dedupe, size_limit) do parsed = Regex.named_captures(~r/(?jpeg|png|gif);base64,(?.*)/, image_data) data = Base.decode64!(parsed["data"], ignore: :whitespace) - tmp_path = tempfile_for_image(data) + with tmp_path <- tempfile_for_image(data), + uuid <- UUID.generate(), + true <- check_file_size(tmp_path, size_limit) do + content_type = get_content_type(tmp_path) + strip_exif_data(content_type, tmp_path) - uuid = UUID.generate() + name = + create_name( + String.downcase(Base.encode16(:crypto.hash(:sha256, data))), + parsed["filetype"], + content_type + ) - content_type = get_content_type(tmp_path) - strip_exif_data(content_type, tmp_path) + {:ok, url_path} = + @storage_backend.put_file(name, uuid, tmp_path, content_type, should_dedupe) - name = - create_name( - String.downcase(Base.encode16(:crypto.hash(:sha256, data))), - parsed["filetype"], - content_type - ) - - {:ok, url_path} = @storage_backend.put_file(name, uuid, tmp_path, content_type, should_dedupe) - - %{ - "type" => "Image", - "url" => [ - %{ - "type" => "Link", - "mediaType" => content_type, - "href" => url_path - } - ], - "name" => name - } + %{ + "type" => "Image", + "url" => [ + %{ + "type" => "Link", + "mediaType" => content_type, + "href" => url_path + } + ], + "name" => name + } + else + _e -> nil + end end @doc """ From 167d3789a5a334859dfb9bf1612bdfc993032667 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Mon, 29 Oct 2018 16:30:12 +0000 Subject: [PATCH 2/5] activitypub: upload: pass through an upload limit if one is provided --- config/config.exs | 3 +++ lib/pleroma/web/activity_pub/activity_pub.ex | 9 ++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/config/config.exs b/config/config.exs index 2d2cdda45..3abb6e695 100644 --- a/config/config.exs +++ b/config/config.exs @@ -84,6 +84,9 @@ description: "A Pleroma instance, an alternative fediverse server", limit: 5000, upload_limit: 16_000_000, + avatar_upload_limit: 2_000_000, + background_upload_limit: 4_000_000, + banner_upload_limit: 4_000_000, registrations_open: true, federating: true, allow_relay: true, diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 4b8b6eb52..537b99f31 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -575,9 +575,12 @@ def fetch_activities_bounded(recipients_to, recipients_cc, opts \\ %{}) do |> Enum.reverse() end - def upload(file) do - data = Upload.store(file, Application.get_env(:pleroma, :instance)[:dedupe_media]) - Repo.insert(%Object{data: data}) + def upload(file, size_limit \\ nil) do + with data <- + Upload.store(file, Application.get_env(:pleroma, :instance)[:dedupe_media], size_limit), + false <- is_nil(data) do + Repo.insert(%Object{data: data}) + end end def user_data_from_user_object(data) do From e12489e2fee6d757e432aadf2c49dbd10c70eef2 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Mon, 29 Oct 2018 16:36:51 +0000 Subject: [PATCH 3/5] twitter api: enforce upload limits for avatars, banners and backgrounds --- .../web/twitter_api/twitter_api_controller.ex | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex index 4fc32b50c..7153a2bd6 100644 --- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex +++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex @@ -263,7 +263,11 @@ def register(conn, params) do end def update_avatar(%{assigns: %{user: user}} = conn, params) do - {:ok, object} = ActivityPub.upload(params) + upload_limit = + Application.get_env(:pleroma, :instance) + |> Keyword.fetch(:avatar_upload_limit) + + {:ok, object} = ActivityPub.upload(params, upload_limit) change = Changeset.change(user, %{avatar: object.data}) {:ok, user} = User.update_and_set_cache(change) CommonAPI.update(user) @@ -272,7 +276,11 @@ def update_avatar(%{assigns: %{user: user}} = conn, params) do end def update_banner(%{assigns: %{user: user}} = conn, params) do - with {:ok, object} <- ActivityPub.upload(%{"img" => params["banner"]}), + upload_limit = + Application.get_env(:pleroma, :instance) + |> Keyword.fetch(:banner_upload_limit) + + with {:ok, object} <- ActivityPub.upload(%{"img" => params["banner"]}, upload_limit), new_info <- Map.put(user.info, "banner", object.data), change <- User.info_changeset(user, %{info: new_info}), {:ok, user} <- User.update_and_set_cache(change) do @@ -286,7 +294,11 @@ def update_banner(%{assigns: %{user: user}} = conn, params) do end def update_background(%{assigns: %{user: user}} = conn, params) do - with {:ok, object} <- ActivityPub.upload(params), + upload_limit = + Application.get_env(:pleroma, :instance) + |> Keyword.fetch(:background_upload_limit) + + with {:ok, object} <- ActivityPub.upload(params, upload_limit), new_info <- Map.put(user.info, "background", object.data), change <- User.info_changeset(user, %{info: new_info}), {:ok, _user} <- User.update_and_set_cache(change) do From 181f3bb56a0bc0211ddd2e8f215d93973222b405 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Mon, 29 Oct 2018 16:39:00 +0000 Subject: [PATCH 4/5] mastodon api: enforce upload limits for avatars and banners --- .../web/mastodon_api/mastodon_api_controller.ex | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex index bc7558cb8..e03027be7 100644 --- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex +++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex @@ -35,6 +35,14 @@ def create_app(conn, params) do def update_credentials(%{assigns: %{user: user}} = conn, params) do original_user = user + avatar_upload_limit = + Application.get_env(:pleroma, :instance) + |> Keyword.fetch(:avatar_upload_limit) + + banner_upload_limit = + Application.get_env(:pleroma, :instance) + |> Keyword.fetch(:banner_upload_limit) + params = if bio = params["note"] do Map.put(params, "bio", bio) @@ -52,7 +60,7 @@ def update_credentials(%{assigns: %{user: user}} = conn, params) do user = if avatar = params["avatar"] do with %Plug.Upload{} <- avatar, - {:ok, object} <- ActivityPub.upload(avatar), + {:ok, object} <- ActivityPub.upload(avatar, avatar_upload_limit), change = Ecto.Changeset.change(user, %{avatar: object.data}), {:ok, user} = User.update_and_set_cache(change) do user @@ -66,7 +74,7 @@ def update_credentials(%{assigns: %{user: user}} = conn, params) do user = if banner = params["header"] do with %Plug.Upload{} <- banner, - {:ok, object} <- ActivityPub.upload(banner), + {:ok, object} <- ActivityPub.upload(banner, banner_upload_limit), new_info <- Map.put(user.info, "banner", object.data), change <- User.info_changeset(user, %{info: new_info}), {:ok, user} <- User.update_and_set_cache(change) do From 676c97b8c7c79c6f96fce1366fc79c73a251ec4f Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Mon, 29 Oct 2018 20:07:52 +0000 Subject: [PATCH 5/5] nodeinfo: expose configured upload limits --- lib/pleroma/web/nodeinfo/nodeinfo_controller.ex | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/pleroma/web/nodeinfo/nodeinfo_controller.ex b/lib/pleroma/web/nodeinfo/nodeinfo_controller.ex index 59b0ce3e1..5446179cb 100644 --- a/lib/pleroma/web/nodeinfo/nodeinfo_controller.ex +++ b/lib/pleroma/web/nodeinfo/nodeinfo_controller.ex @@ -113,6 +113,12 @@ def nodeinfo(conn, %{"version" => "2.0"}) do staffAccounts: staff_accounts, federation: federation_response, postFormats: Keyword.get(instance, :allowed_post_formats), + uploadLimits: %{ + general: Keyword.get(instance, :upload_limit), + avatar: Keyword.get(instance, :avatar_upload_limit), + banner: Keyword.get(instance, :banner_upload_limit), + background: Keyword.get(instance, :background_upload_limit) + }, features: features } }