lib/pleroma/emoji/pack.ex: The tuple {:cwd, tmp_dir} on line 103 is expected to have type :cooked
| :keep_old_files
| :memory
| :verbose
| {:cwd, list(char())}
| {:file_filter, (record(:zip_file) -> boolean())}
| {:file_list, list(:file.name())} but it has type {:cwd, binary()}
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.
The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.
Reported by: graf@poast.org
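As an added illustration of the two points above (the `:cwd` option must be a charlist, and a pack name must never be able to point outside the emoji directory), here is example Elixir code that is not Pleroma's own; the directory layout, the allow-list regex and the function names are assumptions:

```elixir
defmodule EmojiPackArchive do
  # Added example (not Pleroma's code): a pack name is only accepted if it
  # is a single safe path segment, and :zip receives charlists, not binaries.

  # Hypothetical allow-list: letters, digits, "_", "-" and "." only.
  @safe_name ~r/\A[A-Za-z0-9_.-]+\z/

  @spec validate_pack_name(term()) :: {:ok, String.t()} | {:error, :invalid_pack_name}
  def validate_pack_name(name) when is_binary(name) do
    if Regex.match?(@safe_name, name) and name not in [".", ".."] do
      {:ok, name}
    else
      {:error, :invalid_pack_name}
    end
  end

  def validate_pack_name(_), do: {:error, :invalid_pack_name}

  # A file entry read from pack.json must stay inside the pack directory:
  # relative, and without any ".." segment.
  defp safe_entry?(file) when is_binary(file),
    do: Path.type(file) == :relative and ".." not in Path.split(file)

  defp safe_entry?(_), do: false

  # Builds the archive in memory. `emoji_dir` (the directory holding all
  # packs) and `files` (names listed in the pack's pack.json) are assumed.
  @spec build(String.t(), term(), [String.t()]) :: {:ok, binary()} | {:error, term()}
  def build(emoji_dir, pack_name, files) do
    with {:ok, name} <- validate_pack_name(pack_name),
         pack_dir = Path.join(emoji_dir, name),
         true <- File.dir?(pack_dir) or {:error, :no_such_pack},
         true <- Enum.all?(files, &safe_entry?/1) or {:error, :unsafe_entry} do
      # Dialyzer's complaint: {:cwd, binary()} is not a valid option.
      # :zip wants charlists for both the cwd and every file name.
      opts = [:memory, {:cwd, String.to_charlist(pack_dir)}]
      file_list = Enum.map(files, &String.to_charlist/1)

      case :zip.create(String.to_charlist(name <> ".zip"), file_list, opts) do
        {:ok, {_zip_name, zip_binary}} -> {:ok, zip_binary}
        {:error, reason} -> {:error, reason}
      end
    end
  end
end
```

With `:memory` in the options `:zip.create/3` returns the archive as a binary instead of writing a file, so the caller can stream it straight to the download response.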
Caching can't work in async tests, so for them it is mocked to a
null cache that is always empty. Synchronous tests are stubbed
with the real Cachex, which is emptied after every test.
Closes #2275
As discovered in the issue, captcha used Tesla.get instead of
Pleroma.HTTP. I've also grep'ed the repo and changed the other place
where this was used.