InstanceStatic: Extra-sanitize emoji
This commit is contained in:
Lain Soykaf
parent
b1309bdb40
commit
d9ae9b676c
3 changed files with 50 additions and 18 deletions
|
|
@ -63,15 +63,47 @@ defmodule Pleroma.Web.Plugs.InstanceStaticTest do
|
|||
assert html_response(index, 200) == "<h1>rabbit hugs as a service</h1>"
|
||||
end
|
||||
|
||||
test "sanitizes content-types for potentially dangerous file extensions" do
|
||||
test "does not sanitize dangerous files in general, as there can be html and javascript files legitimately in this folder" do
|
||||
# Create a file with a potentially dangerous extension (.json)
|
||||
# This mimics an attacker trying to serve ActivityPub JSON with a static file
|
||||
File.mkdir!(@dir <> "/static")
|
||||
File.write!(@dir <> "/static/malicious.json", "{\"type\": \"ActivityPub\"}")
|
||||
|
||||
# Request the malicious file
|
||||
conn = get(build_conn(), "/static/malicious.json")
|
||||
|
||||
assert conn.status == 200
|
||||
|
||||
content_type =
|
||||
Enum.find_value(conn.resp_headers, fn
|
||||
{"content-type", value} -> value
|
||||
_ -> nil
|
||||
end)
|
||||
|
||||
assert content_type == "application/json"
|
||||
|
||||
File.write!(@dir <> "/static/safe.jpg", "fake image data")
|
||||
|
||||
conn = get(build_conn(), "/static/safe.jpg")
|
||||
|
||||
assert conn.status == 200
|
||||
|
||||
# Get the content-type
|
||||
content_type =
|
||||
Enum.find_value(conn.resp_headers, fn
|
||||
{"content-type", value} -> value
|
||||
_ -> nil
|
||||
end)
|
||||
|
||||
assert content_type == "image/jpeg"
|
||||
end
|
||||
|
||||
test "always sanitizes emojis to images" do
|
||||
File.mkdir!(@dir <> "/emoji")
|
||||
File.write!(@dir <> "/emoji/malicious.html", "<script>HACKED</script>")
|
||||
|
||||
# Request the malicious file
|
||||
conn = get(build_conn(), "/emoji/malicious.html")
|
||||
|
||||
# Verify the file was served (status 200)
|
||||
assert conn.status == 200
|
||||
|
||||
|
|
@ -87,10 +119,10 @@ defmodule Pleroma.Web.Plugs.InstanceStaticTest do
|
|||
assert content_type == "application/octet-stream"
|
||||
|
||||
# Create a file with an allowed extension (.jpg)
|
||||
File.write!(@dir <> "/static/safe.jpg", "fake image data")
|
||||
File.write!(@dir <> "/emoji/safe.jpg", "fake image data")
|
||||
|
||||
# Request the safe file
|
||||
conn = get(build_conn(), "/static/safe.jpg")
|
||||
conn = get(build_conn(), "/emoji/safe.jpg")
|
||||
|
||||
# Verify the file was served (status 200)
|
||||
assert conn.status == 200
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue