From 8b8b8599e9359ea5c1212144c50ab406025016c5 Mon Sep 17 00:00:00 2001
From: Egor Kislitsyn <>
Date: Tue, 9 Jun 2020 21:49:24 +0400
Subject: [PATCH] Fix atom leak in Rich Media Parser

 .../web/mastodon_api/views/status_view.ex     | 14 ++--
 lib/pleroma/web/rich_media/helpers.ex         |  6 +-
 lib/pleroma/web/rich_media/parser.ex          | 12 +--
 .../rich_media/parsers/meta_tags_parser.ex    |  8 +-
 .../web/rich_media/parsers/oembed_parser.ex   | 18 ++---
 test/web/rich_media/parser_test.exs           | 75 ++++++++++---------
 .../rich_media/parsers/twitter_card_test.exs  | 60 +++++++--------
 7 files changed, 91 insertions(+), 102 deletions(-)

diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex
index a042075f5..f0bdb49c3 100644
--- a/lib/pleroma/web/mastodon_api/views/status_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/status_view.ex
@@ -307,8 +307,8 @@ def render("card.json", %{rich_media: rich_media, page_url: page_url}) do
     page_url_data = URI.parse(page_url)
     page_url_data =
-      if rich_media[:url] != nil do
-        URI.merge(page_url_data, URI.parse(rich_media[:url]))
+      if is_binary(rich_media["url"]) do
+        URI.merge(page_url_data, URI.parse(rich_media["url"]))
@@ -316,11 +316,9 @@ def render("card.json", %{rich_media: rich_media, page_url: page_url}) do
     page_url = page_url_data |> to_string
     image_url =
-      if rich_media[:image] != nil do
-        URI.merge(page_url_data, URI.parse(rich_media[:image]))
+      if is_binary(rich_media["image"]) do
+        URI.merge(page_url_data, URI.parse(rich_media["image"]))
         |> to_string
-      else
-        nil
@@ -329,8 +327,8 @@ def render("card.json", %{rich_media: rich_media, page_url: page_url}) do
       provider_url: page_url_data.scheme <> "://" <>,
       url: page_url,
       image: image_url |> MediaProxy.url(),
-      title: rich_media[:title] || "",
-      description: rich_media[:description] || "",
+      title: rich_media["title"] || "",
+      description: rich_media["description"] || "",
       pleroma: %{
         opengraph: rich_media
diff --git a/lib/pleroma/web/rich_media/helpers.ex b/lib/pleroma/web/rich_media/helpers.ex
index 9d3d7f978..1729141e9 100644
--- a/lib/pleroma/web/rich_media/helpers.ex
+++ b/lib/pleroma/web/rich_media/helpers.ex
@@ -9,7 +9,7 @@ defmodule Pleroma.Web.RichMedia.Helpers do
   alias Pleroma.Object
   alias Pleroma.Web.RichMedia.Parser
-  @spec validate_page_url(any()) :: :ok | :error
+  @spec validate_page_url(URI.t() | binary()) :: :ok | :error
   defp validate_page_url(page_url) when is_binary(page_url) do
     validate_tld = Application.get_env(:auto_linker, :opts)[:validate_tld]
@@ -18,8 +18,8 @@ defp validate_page_url(page_url) when is_binary(page_url) do
     |> parse_uri(page_url)
-  defp validate_page_url(%URI{host: host, scheme: scheme, authority: authority})
-       when scheme == "https" and not is_nil(authority) do
+  defp validate_page_url(%URI{host: host, scheme: "https", authority: authority})
+       when is_binary(authority) do
     cond do
       host in Config.get([:rich_media, :ignore_hosts], []) ->
diff --git a/lib/pleroma/web/rich_media/parser.ex b/lib/pleroma/web/rich_media/parser.ex
index 0779065ee..7b45ecb9c 100644
--- a/lib/pleroma/web/rich_media/parser.ex
+++ b/lib/pleroma/web/rich_media/parser.ex
@@ -83,7 +83,7 @@ defp parse_url(url) do
       |> parse_html()
       |> maybe_parse()
-      |> Map.put(:url, url)
+      |> Map.put("url", url)
       |> clean_parsed_data()
       |> check_parsed_data()
@@ -103,8 +103,8 @@ defp maybe_parse(html) do
-  defp check_parsed_data(%{title: title} = data)
-       when is_binary(title) and byte_size(title) > 0 do
+  defp check_parsed_data(%{"title" => title} = data)
+       when is_binary(title) and title != "" do
     {:ok, data}
@@ -115,11 +115,7 @@ defp check_parsed_data(data) do
   defp clean_parsed_data(data) do
     |> Enum.reject(fn {key, val} ->
-      with {:ok, _} <- Jason.encode(%{key => val}) do
-        false
-      else
-        _ -> true
-      end
+      not match?({:ok, _}, Jason.encode(%{key => val}))
diff --git a/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex b/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex
index ae0f36702..2762b5902 100644
--- a/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex
+++ b/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex
@@ -29,19 +29,19 @@ defp normalize_attributes(html_node, prefix, key_name, value_name) do
     {_tag, attributes, _children} = html_node
     data =
-      Enum.into(attributes, %{}, fn {name, value} ->
+, fn {name, value} ->
         {name, String.trim_leading(value, "#{prefix}:")}
-    %{String.to_atom(data[key_name]) => data[value_name]}
+    %{data[key_name] => data[value_name]}
-  defp maybe_put_title(%{title: _} = meta, _), do: meta
+  defp maybe_put_title(%{"title" => _} = meta, _), do: meta
   defp maybe_put_title(meta, html) when meta != %{} do
     case get_page_title(html) do
       "" -> meta
-      title -> Map.put_new(meta, :title, title)
+      title -> Map.put_new(meta, "title", title)
diff --git a/lib/pleroma/web/rich_media/parsers/oembed_parser.ex b/lib/pleroma/web/rich_media/parsers/oembed_parser.ex
index 8f32bf91b..db8ccf15d 100644
--- a/lib/pleroma/web/rich_media/parsers/oembed_parser.ex
+++ b/lib/pleroma/web/rich_media/parsers/oembed_parser.ex
@@ -5,7 +5,7 @@
 defmodule Pleroma.Web.RichMedia.Parsers.OEmbed do
   def parse(html, _data) do
     with elements = [_ | _] <- get_discovery_data(html),
-         {:ok, oembed_url} <- get_oembed_url(elements),
+         oembed_url when is_binary(oembed_url) <- get_oembed_url(elements),
          {:ok, oembed_data} <- get_oembed_data(oembed_url) do
       {:ok, oembed_data}
@@ -17,19 +17,13 @@ defp get_discovery_data(html) do
     html |> Floki.find("link[type='application/json+oembed']")
-  defp get_oembed_url(nodes) do
-    {"link", attributes, _children} = nodes |> hd()
-    {:ok, Enum.into(attributes, %{})["href"]}
+  defp get_oembed_url([{"link", attributes, _children} | _]) do
+    Enum.find_value(attributes, fn {k, v} -> if k == "href", do: v end)
   defp get_oembed_data(url) do
-    {:ok, %Tesla.Env{body: json}} = Pleroma.HTTP.get(url, [], adapter: [pool: :media])
-    {:ok, data} = Jason.decode(json)
-    data = data |> {k, v} -> {String.to_atom(k), v} end)
-    {:ok, data}
+    with {:ok, %Tesla.Env{body: json}} <- Pleroma.HTTP.get(url, [], adapter: [pool: :media]) do
+      Jason.decode(json)
+    end
diff --git a/test/web/rich_media/parser_test.exs b/test/web/rich_media/parser_test.exs
index e54a13bc8..420a612c6 100644
--- a/test/web/rich_media/parser_test.exs
+++ b/test/web/rich_media/parser_test.exs
@@ -60,19 +60,19 @@ test "returns error when no metadata present" do
   test "doesn't just add a title" do
     assert Pleroma.Web.RichMedia.Parser.parse("") ==
-              "Found metadata was invalid or incomplete: %{url: \"\"}"}
+              "Found metadata was invalid or incomplete: %{\"url\" => \"\"}"}
   test "parses ogp" do
     assert Pleroma.Web.RichMedia.Parser.parse("") ==
-                image: "",
-                title: "The Rock",
-                description:
+                "image" => "",
+                "title" => "The Rock",
+                "description" =>
                   "Directed by Michael Bay. With Sean Connery, Nicolas Cage, Ed Harris, John Spencer.",
-                type: "",
-                url: ""
+                "type" => "",
+                "url" => ""
@@ -80,12 +80,12 @@ test "falls back to <title> when ogp:title is missing" do
     assert Pleroma.Web.RichMedia.Parser.parse("") ==
-                image: "",
-                title: "The Rock (1996)",
-                description:
+                "image" => "",
+                "title" => "The Rock (1996)",
+                "description" =>
                   "Directed by Michael Bay. With Sean Connery, Nicolas Cage, Ed Harris, John Spencer.",
-                type: "",
-                url: ""
+                "type" => "",
+                "url" => ""
@@ -93,12 +93,12 @@ test "parses twitter card" do
     assert Pleroma.Web.RichMedia.Parser.parse("") ==
-                card: "summary",
-                site: "@flickr",
-                image: "",
-                title: "Small Island Developing States Photo Submission",
-                description: "View the album on Flickr.",
-                url: ""
+                "card" => "summary",
+                "site" => "@flickr",
+                "image" => "",
+                "title" => "Small Island Developing States Photo Submission",
+                "description" => "View the album on Flickr.",
+                "url" => ""
@@ -106,27 +106,28 @@ test "parses OEmbed" do
     assert Pleroma.Web.RichMedia.Parser.parse("") ==
-                author_name: "‮‭‬bees‬",
-                author_url: "",
-                cache_age: 3600,
-                flickr_type: "photo",
-                height: "768",
-                html:
+                "author_name" => "‮‭‬bees‬",
+                "author_url" => "",
+                "cache_age" => 3600,
+                "flickr_type" => "photo",
+                "height" => "768",
+                "html" =>
                   "<a data-flickr-embed=\"true\" href=\"\" title=\"Bacon Lollys by ‮‭‬bees‬, on Flickr\"><img src=\"\" width=\"1024\" height=\"768\" alt=\"Bacon Lollys\"></a><script async src=\"\" charset=\"utf-8\"></script>",
-                license: "All Rights Reserved",
-                license_id: 0,
-                provider_name: "Flickr",
-                provider_url: "",
-                thumbnail_height: 150,
-                thumbnail_url: "",
-                thumbnail_width: 150,
-                title: "Bacon Lollys",
-                type: "photo",
-                url: "",
-                version: "1.0",
-                web_page: "",
-                web_page_short_url: "",
-                width: "1024"
+                "license" => "All Rights Reserved",
+                "license_id" => 0,
+                "provider_name" => "Flickr",
+                "provider_url" => "",
+                "thumbnail_height" => 150,
+                "thumbnail_url" =>
+                  "",
+                "thumbnail_width" => 150,
+                "title" => "Bacon Lollys",
+                "type" => "photo",
+                "url" => "",
+                "version" => "1.0",
+                "web_page" => "",
+                "web_page_short_url" => "",
+                "width" => "1024"
diff --git a/test/web/rich_media/parsers/twitter_card_test.exs b/test/web/rich_media/parsers/twitter_card_test.exs
index 87c767c15..847623535 100644
--- a/test/web/rich_media/parsers/twitter_card_test.exs
+++ b/test/web/rich_media/parsers/twitter_card_test.exs
@@ -19,11 +19,11 @@ test "parses twitter card with only name attributes" do
     assert TwitterCard.parse(html, %{}) ==
-                "app:id:googleplay": "",
-                "app:name:googleplay": "NYTimes",
-                "app:url:googleplay": "nytimes://reader/id/100000006583622",
-                site: nil,
-                title:
+                "app:id:googleplay" => "",
+                "app:name:googleplay" => "NYTimes",
+                "app:url:googleplay" => "nytimes://reader/id/100000006583622",
+                "site" => nil,
+                "title" =>
                   "She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database. - The New York Times"
@@ -36,15 +36,15 @@ test "parses twitter card with only property attributes" do
     assert TwitterCard.parse(html, %{}) ==
-                card: "summary_large_image",
-                description:
+                "card" => "summary_large_image",
+                "description" =>
                   "With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.",
-                image:
+                "image" =>
-                "image:alt": "",
-                title:
+                "image:alt" => "",
+                "title" =>
                   "She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database.",
-                url:
+                "url" =>
@@ -57,19 +57,19 @@ test "parses twitter card with name & property attributes" do
     assert TwitterCard.parse(html, %{}) ==
-                "app:id:googleplay": "",
-                "app:name:googleplay": "NYTimes",
-                "app:url:googleplay": "nytimes://reader/id/100000006583622",
-                card: "summary_large_image",
-                description:
+                "app:id:googleplay" => "",
+                "app:name:googleplay" => "NYTimes",
+                "app:url:googleplay" => "nytimes://reader/id/100000006583622",
+                "card" => "summary_large_image",
+                "description" =>
                   "With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.",
-                image:
+                "image" =>
-                "image:alt": "",
-                site: nil,
-                title:
+                "image:alt" => "",
+                "site" => nil,
+                "title" =>
                   "She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database.",
-                url:
+                "url" =>
@@ -86,11 +86,11 @@ test "respect only first title tag on the page" do
     assert TwitterCard.parse(html, %{}) ==
-                site: "@atlasobscura",
-                title:
+                "site" => "@atlasobscura",
+                "title" =>
                   "The Missing Grave of Margaret Corbin, Revolutionary War Veteran - Atlas Obscura",
-                card: "summary_large_image",
-                image: image_path
+                "card" => "summary_large_image",
+                "image" => image_path
@@ -102,12 +102,12 @@ test "takes first founded title in html head if there is html markup error" do
     assert TwitterCard.parse(html, %{}) ==
-                site: nil,
-                title:
+                "site" => nil,
+                "title" =>
                   "She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database. - The New York Times",
-                "app:id:googleplay": "",
-                "app:name:googleplay": "NYTimes",
-                "app:url:googleplay": "nytimes://reader/id/100000006583622"
+                "app:id:googleplay" => "",
+                "app:name:googleplay" => "NYTimes",
+                "app:url:googleplay" => "nytimes://reader/id/100000006583622"