Merge branch 'fix/mediaproxy-bypass-emoji' into 'develop'

Fix profile emojis bypassing mediaproxy and harden CSP Closes #1810 See merge request pleroma/pleroma!2596
2020-05-29 09:46:31 +00:00 · 2020-05-29 09:46:31 +00:00 · a51284b60a
commit a51284b60a
parent a5ccb5b0b1
3 changed files with 73 additions and 31 deletions
--- a/test/web/media_proxy/media_proxy_test.exs
+++ b/test/web/media_proxy/media_proxy_test.exs
@ -125,15 +125,8 @@ defmodule Pleroma.Web.MediaProxyTest do

    test "uses the configured base_url" do
      base_url = Pleroma.Config.get([:media_proxy, :base_url])
-
-      if base_url do
-        on_exit(fn ->
-          Pleroma.Config.put([:media_proxy, :base_url], base_url)
-        end)
-      end
-
      Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social")
-
+      on_exit(fn -> Pleroma.Config.put([:media_proxy, :base_url], base_url) end)
      url = "https://pleroma.soykaf.com/static/logo.png"
      encoded = url(url)

@ -213,9 +206,16 @@ defmodule Pleroma.Web.MediaProxyTest do
    end

    test "does not change whitelisted urls" do
+      whitelist = Pleroma.Config.get([:media_proxy, :whitelist])
+      base_url = Pleroma.Config.get([:media_proxy, :base_url])
      Pleroma.Config.put([:media_proxy, :whitelist], ["mycdn.akamai.com"])
      Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social")

+      on_exit(fn ->
+        Pleroma.Config.put([:media_proxy, :whitelist], whitelist)
+        Pleroma.Config.put([:media_proxy, :base_url], base_url)
+      end)
+
      media_url = "https://mycdn.akamai.com"

      url = "#{media_url}/static/logo.png"