Validate Host header matches expected value before allowing access to Uploads

2023-05-29 14:16:03 -04:00 · 2023-05-29 14:16:03 -04:00 · a60dd0d92d
parent 843fcca5b4
commit a60dd0d92d
2 changed files with 24 additions and 1 deletions
--- a/lib/pleroma/web/plugs/uploaded_media.ex
+++ b/lib/pleroma/web/plugs/uploaded_media.ex
@ -46,12 +46,21 @@ def call(%{request_path: <<"/", @path, "/", file::binary>>} = conn, opts) do

    config = Pleroma.Config.get(Pleroma.Upload)

-    with uploader <- Keyword.fetch!(config, :uploader),
+    media_host = Pleroma.Upload.base_url() |> URI.parse() |> Map.get(:host)
+
+    with {:valid_host, true} <- {:valid_host, match?(^media_host, conn.host)},
+         uploader <- Keyword.fetch!(config, :uploader),
         proxy_remote = Keyword.get(config, :proxy_remote, false),
         {:ok, get_method} <- uploader.get_file(file),
         false <- media_is_banned(conn, get_method) do
      get_media(conn, get_method, proxy_remote, opts)
    else
+      {:valid_host, false} ->
+        conn
+
+        send_resp(conn, 400, Plug.Conn.Status.reason_phrase(400))
+        |> halt()
+
      _ ->
        conn
        |> send_resp(:internal_server_error, dgettext("errors", "Failed"))
--- a/test/pleroma/web/plugs/uploaded_media_plug_test.exs
+++ b/test/pleroma/web/plugs/uploaded_media_plug_test.exs
@ -40,4 +40,18 @@ test "sends Content-Disposition header when name param is set", %{
             &(&1 == {"content-disposition", ~s[inline; filename="\\"cofe\\".gif"]})
           )
  end
+
+  test "denies access to media if wrong Host", %{
+    attachment_url: attachment_url
+  } do
+    conn = get(build_conn(), attachment_url)
+
+    assert conn.status == 200
+
+    clear_config([Pleroma.Upload, :base_url], "http://media.localhost/")
+
+    conn = get(build_conn(), attachment_url)
+
+    assert conn.status == 400
+  end
 end