Restrict attachments to only uploaded files only

tusooa 2023-07-18 18:39:59 -04:00
parent 93ad16cca0
commit ea4225a646
No known key found for this signature in database
GPG Key ID: 42AEC43D48433C51
4 changed files with 17 additions and 4 deletions


@ -0,0 +1 @@
Restrict attachments to only uploaded files only


@ -81,4 +81,6 @@ defmodule Pleroma.Constants do
const(mime_regex, const(mime_regex,
do: ~r/^[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+\/[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+(; .*)?$/ do: ~r/^[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+\/[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+(; .*)?$/
) )
const(upload_object_types, do: ["Document", "Image"])
end end
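Review bot: `upload_object_types` is added without a comment, yet `get_attachment/1` in this commit uses it as an allowlist, so any type the upload code emits but this list omits would make valid uploads silently drop out of posts. Whether "Document" and "Image" are the only types an uploaded object can carry is not visible on this page and is worth confirming against the upload code. I would add above the constant `# Object types produced by media upload; allowlist for resolving media_ids to attachments.`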


@ -59,7 +59,12 @@ def attachments_from_ids_descs(ids, descs_str) do
end end
defp get_attachment(media_id) do defp get_attachment(media_id) do
Repo.get(Object, media_id) with %Object{data: data} = object <- Repo.get(Object, media_id),
%{"type" => type} when type in Pleroma.Constants.upload_object_types() <- data do
object
else
_ -> nil
end
end end
@spec get_to_and_cc(ActivityDraft.t()) :: {list(String.t()), list(String.t())} @spec get_to_and_cc(ActivityDraft.t()) :: {list(String.t()), list(String.t())}
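Review bot: The new `with` in `get_attachment/1` checks only that the object's `"type"` is in `upload_object_types()`; nothing in it ties the object to the user who is posting, so an upload-typed object belonging to someone else would still be returned for a supplied ID. Whether the callers verify ownership is not visible in this hunk. If they do not, the function could take the poster's AP id and match the uploader too, e.g. `%{"type" => type, "actor" => ^actor} when type in Pleroma.Constants.upload_object_types() <- data`, assuming upload objects record their uploader under `"actor"`. A short comment above the function saying that non-upload objects deliberately resolve to `nil` would also help the next reader.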


@ -592,7 +592,7 @@ test "returns [] when attachment ids is empty" do
end end
test "returns list attachments with desc" do test "returns list attachments with desc" do
object = insert(:note) object = insert(:attachment)
desc = Jason.encode!(%{object.id => "test-desc"}) desc = Jason.encode!(%{object.id => "test-desc"})
assert Utils.attachments_from_ids_descs(["#{object.id}", "34"], desc) == [ assert Utils.attachments_from_ids_descs(["#{object.id}", "34"], desc) == [
@ -603,7 +603,7 @@ test "returns list attachments with desc" do
describe "attachments_from_ids/1" do describe "attachments_from_ids/1" do
test "returns attachments with descs" do test "returns attachments with descs" do
object = insert(:note) object = insert(:attachment)
desc = Jason.encode!(%{object.id => "test-desc"}) desc = Jason.encode!(%{object.id => "test-desc"})
assert Utils.attachments_from_ids(%{ assert Utils.attachments_from_ids(%{
@ -615,13 +615,18 @@ test "returns attachments with descs" do
end end
test "returns attachments without descs" do test "returns attachments without descs" do
object = insert(:note) object = insert(:attachment)
assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == [object.data] assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == [object.data]
end end
test "returns [] when not pass media_ids" do test "returns [] when not pass media_ids" do
assert Utils.attachments_from_ids(%{}) == [] assert Utils.attachments_from_ids(%{}) == []
end end
test "checks that the object is of upload type" do
object = insert(:note)
assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == []
end
end end
describe "maybe_add_list_data/3" do describe "maybe_add_list_data/3" do
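Review bot: The negative case added at the end of `describe "attachments_from_ids/1"` covers only the path without descriptions; the tests that go through `attachments_from_ids_descs/2` were switched to `insert(:attachment)` but gained no case showing that a `:note` is rejected there as well. A sibling test that builds `desc` for an inserted note and asserts `Utils.attachments_from_ids_descs(["#{object.id}"], desc) == []` would pin the restriction on both entry points. A mixed list of one attachment and one note would additionally show that only the non-upload object is dropped.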