Merge branch 'feature/1922-media-proxy-whitelist' into 'develop'
Support for hosts with scheme in MediaProxy whitelist setting Closes #1922 See merge request pleroma/pleroma!2754
This commit is contained in:
feld
commit
3f65f2ea79
11 changed files with 282 additions and 199 deletions
|
|
@ -54,6 +54,7 @@ defmodule Pleroma.Config.DeprecationWarnings do
|
|||
check_hellthread_threshold()
|
||||
mrf_user_allowlist()
|
||||
check_old_mrf_config()
|
||||
check_media_proxy_whitelist_config()
|
||||
end
|
||||
|
||||
def check_old_mrf_config do
|
||||
|
|
@ -65,7 +66,7 @@ defmodule Pleroma.Config.DeprecationWarnings do
|
|||
move_namespace_and_warn(@mrf_config_map, warning_preface)
|
||||
end
|
||||
|
||||
@spec move_namespace_and_warn([config_map()], String.t()) :: :ok
|
||||
@spec move_namespace_and_warn([config_map()], String.t()) :: :ok | nil
|
||||
def move_namespace_and_warn(config_map, warning_preface) do
|
||||
warning =
|
||||
Enum.reduce(config_map, "", fn
|
||||
|
|
@ -84,4 +85,16 @@ defmodule Pleroma.Config.DeprecationWarnings do
|
|||
Logger.warn(warning_preface <> warning)
|
||||
end
|
||||
end
|
||||
|
||||
@spec check_media_proxy_whitelist_config() :: :ok | nil
|
||||
def check_media_proxy_whitelist_config do
|
||||
whitelist = Config.get([:media_proxy, :whitelist])
|
||||
|
||||
if Enum.any?(whitelist, &(not String.starts_with?(&1, "http"))) do
|
||||
Logger.warn("""
|
||||
!!!DEPRECATION WARNING!!!
|
||||
Your config is using old format (only domain) for MediaProxy whitelist option. Setting should work for now, but you are advised to change format to scheme with port to prevent possible issues later.
|
||||
""")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -108,31 +108,48 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
|
|||
|> :erlang.iolist_to_binary()
|
||||
end
|
||||
|
||||
defp build_csp_from_whitelist([], acc), do: acc
|
||||
|
||||
defp build_csp_from_whitelist([last], acc) do
|
||||
[build_csp_param_from_whitelist(last) | acc]
|
||||
end
|
||||
|
||||
defp build_csp_from_whitelist([head | tail], acc) do
|
||||
build_csp_from_whitelist(tail, [[?\s, build_csp_param_from_whitelist(head)] | acc])
|
||||
end
|
||||
|
||||
# TODO: use `build_csp_param/1` after removing support bare domains for media proxy whitelist
|
||||
defp build_csp_param_from_whitelist("http" <> _ = url) do
|
||||
build_csp_param(url)
|
||||
end
|
||||
|
||||
defp build_csp_param_from_whitelist(url), do: url
|
||||
|
||||
defp build_csp_multimedia_source_list do
|
||||
media_proxy_whitelist =
|
||||
Enum.reduce(Config.get([:media_proxy, :whitelist]), [], fn host, acc ->
|
||||
add_source(acc, host)
|
||||
end)
|
||||
|
||||
media_proxy_base_url = build_csp_param(Config.get([:media_proxy, :base_url]))
|
||||
|
||||
upload_base_url = build_csp_param(Config.get([Pleroma.Upload, :base_url]))
|
||||
|
||||
s3_endpoint = build_csp_param(Config.get([Pleroma.Uploaders.S3, :public_endpoint]))
|
||||
[:media_proxy, :whitelist]
|
||||
|> Config.get()
|
||||
|> build_csp_from_whitelist([])
|
||||
|
||||
captcha_method = Config.get([Pleroma.Captcha, :method])
|
||||
captcha_endpoint = Config.get([captcha_method, :endpoint])
|
||||
|
||||
captcha_endpoint = build_csp_param(Config.get([captcha_method, :endpoint]))
|
||||
base_endpoints =
|
||||
[
|
||||
[:media_proxy, :base_url],
|
||||
[Pleroma.Upload, :base_url],
|
||||
[Pleroma.Uploaders.S3, :public_endpoint]
|
||||
]
|
||||
|> Enum.map(&Config.get/1)
|
||||
|
||||
[]
|
||||
|> add_source(media_proxy_base_url)
|
||||
|> add_source(upload_base_url)
|
||||
|> add_source(s3_endpoint)
|
||||
[captcha_endpoint | base_endpoints]
|
||||
|> Enum.map(&build_csp_param/1)
|
||||
|> Enum.reduce([], &add_source(&2, &1))
|
||||
|> add_source(media_proxy_whitelist)
|
||||
|> add_source(captcha_endpoint)
|
||||
end
|
||||
|
||||
defp add_source(iodata, nil), do: iodata
|
||||
defp add_source(iodata, []), do: iodata
|
||||
defp add_source(iodata, source), do: [[?\s, source] | iodata]
|
||||
|
||||
defp add_csp_param(csp_iodata, nil), do: csp_iodata
|
||||
|
|
|
|||
|
|
@ -60,22 +60,28 @@ defmodule Pleroma.Web.MediaProxy do
|
|||
defp whitelisted?(url) do
|
||||
%{host: domain} = URI.parse(url)
|
||||
|
||||
mediaproxy_whitelist = Config.get([:media_proxy, :whitelist])
|
||||
mediaproxy_whitelist_domains =
|
||||
[:media_proxy, :whitelist]
|
||||
|> Config.get()
|
||||
|> Enum.map(&maybe_get_domain_from_url/1)
|
||||
|
||||
upload_base_url_domain =
|
||||
if !is_nil(Config.get([Upload, :base_url])) do
|
||||
[URI.parse(Config.get([Upload, :base_url])).host]
|
||||
whitelist_domains =
|
||||
if base_url = Config.get([Upload, :base_url]) do
|
||||
%{host: base_domain} = URI.parse(base_url)
|
||||
[base_domain | mediaproxy_whitelist_domains]
|
||||
else
|
||||
[]
|
||||
mediaproxy_whitelist_domains
|
||||
end
|
||||
|
||||
whitelist = mediaproxy_whitelist ++ upload_base_url_domain
|
||||
|
||||
Enum.any?(whitelist, fn pattern ->
|
||||
String.equivalent?(domain, pattern)
|
||||
end)
|
||||
domain in whitelist_domains
|
||||
end
|
||||
|
||||
defp maybe_get_domain_from_url("http" <> _ = url) do
|
||||
URI.parse(url).host
|
||||
end
|
||||
|
||||
defp maybe_get_domain_from_url(domain), do: domain
|
||||
|
||||
def encode_url(url) do
|
||||
base64 = Base.url_encode64(url, @base64_opts)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue