StealEmojiPolicy: Sanitize shortcodes

Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245
This commit is contained in:
Haelwenn (lanodan) Monnier 2024-02-20 08:45:48 +01:00
parent 6722b7f395
commit ac977bdb1c
No known key found for this signature in database
2 changed files with 28 additions and 0 deletions

View File

@ -34,6 +34,7 @@ defp steal_emoji({shortcode, url}, emoji_dir_path) do
|> Path.basename()
|> Path.extname()
shortcode = Path.basename(shortcode)
file_path = Path.join(emoji_dir_path, shortcode <> (extension || ".png"))
case File.write(file_path, response.body) do
@ -76,6 +77,7 @@ def filter(%{"object" => %{"emoji" => foreign_emojis, "actor" => actor}} = messa
new_emojis =
foreign_emojis
|> Enum.reject(fn {shortcode, _url} -> shortcode in installed_emoji end)
|> Enum.reject(fn {shortcode, _url} -> String.contains?(shortcode, ["/", "\\"]) end)
|> Enum.filter(fn {shortcode, _url} ->
reject_emoji? =
[:mrf_steal_emoji, :rejected_shortcodes]

View File

@ -60,6 +60,32 @@ test "Steals emoji on unknown shortcode from allowed remote host", %{
|> File.exists?()
end
test "rejects invalid shortcodes", %{path: path} do
message = %{
"type" => "Create",
"object" => %{
"emoji" => [{"fired/fox", "https://example.org/emoji/firedfox"}],
"actor" => "https://example.org/users/admin"
}
}
fullpath = Path.join(path, "fired/fox.png")
Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox"} ->
%Tesla.Env{status: 200, body: File.read!("test/fixtures/image.jpg")}
end)
clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)
refute "firedfox" in installed()
refute File.exists?(path)
assert {:ok, _message} = StealEmojiPolicy.filter(message)
refute "fired/fox" in installed()
refute File.exists?(fullpath)
end
test "reject regex shortcode", %{message: message} do
refute "firedfox" in installed()