hj/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'origin/develop' into language-detection

Browse source 
Signed-off-by: mkljczk <git@mkljczk.pl>
This commit is contained in:
mkljczk 2025-03-11 20:38:56 +01:00
commit fa76bb66f9
103 changed files with 2747 additions and 917 deletions
Download patch file Download diff file Expand all files Collapse all files

44
CHANGELOG.md
View file

@ -4,6 +4,50 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## 2.9.1
### Security
- Fix authorization checks for C2S Update activities to prevent unauthorized modifications of other users' content.
- Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments
- Reject cross-domain redirects when fetching ActivityPub objects to prevent bypassing domain-based security controls.
- Limit emoji shortcodes to alphanumeric, dash, or underscore characters to prevent potential abuse.
- Block attempts to fetch activities from the local instance to prevent spoofing.
- Sanitize Content-Type headers in media proxy to prevent serving malicious ActivityPub content through proxied media.
- Validate Content-Type headers when fetching remote ActivityPub objects to prevent spoofing attacks.
### Changed
- Include `pl-fe` in available frontends
### Fixed
- Remove trailing ` from end of line 75 which caused issues copy-pasting
## 2.9.0
### Security
- Require HTTP signatures (if enabled) for routes used by both C2S and S2S AP API
- Fix several spoofing vectors
### Changed
- Performance: Use 301 (permanent) redirect instead of 302 (temporary) when redirecting small images in media proxy. This allows browsers to cache the redirect response.
### Added
- Include "published" in actor view
- Link to exported outbox/followers/following collections in backup actor.json
- Hashtag following
- Allow to specify post language
### Fixed
- Verify a local Update sent through AP C2S so users can only update their own objects
- Fix Mastodon incoming edits with inlined "likes"
- Allow incoming "Listen" activities
- Fix missing check for domain presence in rich media ignore_host configuration
- Fix Rich Media parsing of TwitterCards/OpenGraph to adhere to the spec and always choose the first image if multiple are provided.
- Fix OpenGraph/TwitterCard meta tag ordering for posts with multiple attachments
- Fix blurhash generation crashes
### Removed
- Retire MRFs DNSRBL, FODirectReply, and QuietReply
## 2.8.0 ## 2.8.0
### Changed ### Changed

1
changelog.d/301-small-image-redirect.change
View file

@ -1 +0,0 @@
Performance: Use 301 (permanent) redirect instead of 302 (temporary) when redirecting small images in media proxy. This allows browsers to cache the redirect response.

1
changelog.d/actor-published-date.add
View file

@ -1 +0,0 @@
Include "published" in actor view

1
changelog.d/backup-links.add
View file

@ -1 +0,0 @@
Link to exported outbox/followers/following collections in backup actor.json

0
changelog.d/ci-builder-skip-arm32.skip
View file

0
changelog.d/description-update-suggestions.skip
View file

1
changelog.d/fix-mastodon-edits.fix
View file

@ -1 +0,0 @@
Fix Mastodon incoming edits with inlined "likes"

0
changelog.d/fix-wrong-config-section.skip
View file

1
changelog.d/follow-hashtags.add
View file

@ -1 +0,0 @@
Hashtag following

0
changelog.d/hexpm-build-images.skip
View file

1
changelog.d/incoming-scrobbles.fix
View file

@ -1 +0,0 @@
Allow incoming "Listen" activities

1
changelog.d/post-languages.add
View file

@ -1 +0,0 @@
Allow to specify post language

1
changelog.d/rich-media-ignore-host.fix
View file

@ -1 +0,0 @@
Fix missing check for domain presence in rich media ignore_host configuration

1
changelog.d/vips-blurhash.fix
View file

@ -1 +0,0 @@
Fix blurhash generation crashes

23
config/config.exs
View file

@ -65,7 +65,8 @@ config :pleroma, Pleroma.Upload,
proxy_remote: false, proxy_remote: false,
filename_display_max_length: 30, filename_display_max_length: 30,
default_description: nil, default_description: nil,
base_url: nil base_url: nil,
allowed_mime_types: ["image", "audio", "video"]
config :pleroma, Pleroma.Uploaders.Local, uploads: "uploads" config :pleroma, Pleroma.Uploaders.Local, uploads: "uploads"
@ -150,7 +151,10 @@ config :mime, :types, %{
"application/xrd+xml" => ["xrd+xml"], "application/xrd+xml" => ["xrd+xml"],
"application/jrd+json" => ["jrd+json"], "application/jrd+json" => ["jrd+json"],
"application/activity+json" => ["activity+json"], "application/activity+json" => ["activity+json"],
"application/ld+json" => ["activity+json"] "application/ld+json" => ["activity+json"],
# Can be removed when bumping MIME past 2.0.5
# see https://akkoma.dev/AkkomaGang/akkoma/issues/657
"image/apng" => ["apng"]
} }
config :tesla, adapter: Tesla.Adapter.Hackney config :tesla, adapter: Tesla.Adapter.Hackney
@ -359,7 +363,8 @@ config :pleroma, :activitypub,
follow_handshake_timeout: 500, follow_handshake_timeout: 500,
note_replies_output_limit: 5, note_replies_output_limit: 5,
sign_object_fetches: true, sign_object_fetches: true,
authorized_fetch_mode: false authorized_fetch_mode: false,
client_api_enabled: false
config :pleroma, :streamer, config :pleroma, :streamer,
workers: 3, workers: 3,
@ -413,11 +418,6 @@ config :pleroma, :mrf_vocabulary,
accept: [], accept: [],
reject: [] reject: []
config :pleroma, :mrf_dnsrbl,
nameserver: "127.0.0.1",
port: 53,
zone: "bl.pleroma.com"
# threshold of 7 days # threshold of 7 days
config :pleroma, :mrf_object_age, config :pleroma, :mrf_object_age,
threshold: 604_800, threshold: 604_800,
@ -807,6 +807,13 @@ config :pleroma, :frontends,
"https://lily-is.land/infra/glitch-lily/-/jobs/artifacts/${ref}/download?job=build", "https://lily-is.land/infra/glitch-lily/-/jobs/artifacts/${ref}/download?job=build",
"ref" => "servant", "ref" => "servant",
"build_dir" => "public" "build_dir" => "public"
},
"pl-fe" => %{
"name" => "pl-fe",
"git" => "https://github.com/mkljczk/pl-fe",
"build_url" => "https://pl.mkljczk.pl/pl-fe.zip",
"ref" => "develop",
"build_dir" => "."
} }
} }

18
config/description.exs
View file

@ -117,6 +117,19 @@ config :pleroma, :config_description, [
key: :filename_display_max_length, key: :filename_display_max_length,
type: :integer, type: :integer,
description: "Set max length of a filename to display. 0 = no limit. Default: 30" description: "Set max length of a filename to display. 0 = no limit. Default: 30"
},
%{
key: :allowed_mime_types,
label: "Allowed MIME types",
type: {:list, :string},
description:
"List of MIME (main) types uploads are allowed to identify themselves with. Other types may still be uploaded, but will identify as a generic binary to clients. WARNING: Loosening this over the defaults can lead to security issues. Removing types is safe, but only add to the list if you are sure you know what you are doing.",
suggestions: [
"image",
"audio",
"video",
"font"
]
} }
] ]
}, },
@ -1772,6 +1785,11 @@ config :pleroma, :config_description, [
type: :integer, type: :integer,
description: "Following handshake timeout", description: "Following handshake timeout",
suggestions: [500] suggestions: [500]
},
%{
key: :client_api_enabled,
type: :boolean,
description: "Allow client to server ActivityPub interactions"
} }
] ]
}, },

12
config/test.exs
View file

@ -38,7 +38,10 @@ config :pleroma, :instance,
external_user_synchronization: false, external_user_synchronization: false,
static_dir: "test/instance_static/" static_dir: "test/instance_static/"
config :pleroma, :activitypub, sign_object_fetches: false, follow_handshake_timeout: 0 config :pleroma, :activitypub,
sign_object_fetches: false,
follow_handshake_timeout: 0,
client_api_enabled: true
# Configure your database # Configure your database
config :pleroma, Pleroma.Repo, config :pleroma, Pleroma.Repo,
@ -144,6 +147,7 @@ config :pleroma, Pleroma.Search.Meilisearch, url: "http://127.0.0.1:7700/", priv
config :phoenix, :plug_init_mode, :runtime config :phoenix, :plug_init_mode, :runtime
config :pleroma, :config_impl, Pleroma.UnstubbedConfigMock config :pleroma, :config_impl, Pleroma.UnstubbedConfigMock
config :pleroma, :datetime_impl, Pleroma.DateTimeMock
config :pleroma, Pleroma.PromEx, disabled: true config :pleroma, Pleroma.PromEx, disabled: true
@ -159,6 +163,12 @@ config :pleroma, Pleroma.Uploaders.IPFS, config_impl: Pleroma.UnstubbedConfigMoc
config :pleroma, Pleroma.Web.Plugs.HTTPSecurityPlug, config_impl: Pleroma.StaticStubbedConfigMock config :pleroma, Pleroma.Web.Plugs.HTTPSecurityPlug, config_impl: Pleroma.StaticStubbedConfigMock
config :pleroma, Pleroma.Web.Plugs.HTTPSignaturePlug, config_impl: Pleroma.StaticStubbedConfigMock config :pleroma, Pleroma.Web.Plugs.HTTPSignaturePlug, config_impl: Pleroma.StaticStubbedConfigMock
config :pleroma, Pleroma.Upload.Filter.AnonymizeFilename,
config_impl: Pleroma.StaticStubbedConfigMock
config :pleroma, Pleroma.Upload.Filter.Mogrify, config_impl: Pleroma.StaticStubbedConfigMock
config :pleroma, Pleroma.Upload.Filter.Mogrify, mogrify_impl: Pleroma.MogrifyMock
config :pleroma, Pleroma.Signature, http_signatures_impl: Pleroma.StubbedHTTPSignaturesMock config :pleroma, Pleroma.Signature, http_signatures_impl: Pleroma.StubbedHTTPSignaturesMock
peer_module = peer_module =

2
docs/installation/debian_based_en.md
View file

@ -72,7 +72,7 @@ sudo -Hu pleroma mix deps.get
* Generate the configuration: * Generate the configuration:
```shell ```shell
sudo -Hu pleroma MIX_ENV=prod mix pleroma.instance gen` sudo -Hu pleroma MIX_ENV=prod mix pleroma.instance gen
``` ```
* During this process: * During this process:

15
lib/mix/tasks/pleroma/emoji.ex
View file

@ -93,6 +93,7 @@ defmodule Mix.Tasks.Pleroma.Emoji do
) )
files = fetch_and_decode!(files_loc) files = fetch_and_decode!(files_loc)
files_to_unzip = for({_, f} <- files, do: f)
IO.puts(IO.ANSI.format(["Unpacking ", :bright, pack_name])) IO.puts(IO.ANSI.format(["Unpacking ", :bright, pack_name]))
@ -103,17 +104,7 @@ defmodule Mix.Tasks.Pleroma.Emoji do
pack_name pack_name
]) ])
files_to_unzip = {:ok, _} = Pleroma.SafeZip.unzip_data(binary_archive, pack_path, files_to_unzip)
Enum.map(
files,
fn {_, f} -> to_charlist(f) end
)
{:ok, _} =
:zip.unzip(binary_archive,
cwd: String.to_charlist(pack_path),
file_list: files_to_unzip
)
IO.puts(IO.ANSI.format(["Writing pack.json for ", :bright, pack_name])) IO.puts(IO.ANSI.format(["Writing pack.json for ", :bright, pack_name]))
@ -201,7 +192,7 @@ defmodule Mix.Tasks.Pleroma.Emoji do
tmp_pack_dir = Path.join(System.tmp_dir!(), "emoji-pack-#{name}") tmp_pack_dir = Path.join(System.tmp_dir!(), "emoji-pack-#{name}")
{:ok, _} = :zip.unzip(binary_archive, cwd: String.to_charlist(tmp_pack_dir)) {:ok, _} = Pleroma.SafeZip.unzip_data(binary_archive, tmp_pack_dir)
emoji_map = Pleroma.Emoji.Loader.make_shortcode_to_file_map(tmp_pack_dir, exts) emoji_map = Pleroma.Emoji.Loader.make_shortcode_to_file_map(tmp_pack_dir, exts)

1
lib/pleroma/config.ex
View file

@ -27,6 +27,7 @@ defmodule Pleroma.Config do
Application.get_env(:pleroma, key, default) Application.get_env(:pleroma, key, default)
end end
@impl true
def get!(key) do def get!(key) do
value = get(key, nil) value = get(key, nil)

3
lib/pleroma/config/getting.ex
View file

@ -5,10 +5,13 @@
defmodule Pleroma.Config.Getting do defmodule Pleroma.Config.Getting do
@callback get(any()) :: any() @callback get(any()) :: any()
@callback get(any(), any()) :: any() @callback get(any(), any()) :: any()
@callback get!(any()) :: any()
def get(key), do: get(key, nil) def get(key), do: get(key, nil)
def get(key, default), do: impl().get(key, default) def get(key, default), do: impl().get(key, default)
def get!(key), do: impl().get!(key)
def impl do def impl do
Application.get_env(:pleroma, :config_impl, Pleroma.Config) Application.get_env(:pleroma, :config_impl, Pleroma.Config)
end end

3
lib/pleroma/date_time.ex Normal file
View file

@ -0,0 +1,3 @@
defmodule Pleroma.DateTime do
@callback utc_now() :: NaiveDateTime.t()
end

6
lib/pleroma/date_time/impl.ex Normal file
View file

@ -0,0 +1,6 @@
defmodule Pleroma.DateTime.Impl do
@behaviour Pleroma.DateTime
@impl true
def utc_now, do: NaiveDateTime.utc_now()
end

101
lib/pleroma/emoji/pack.ex
View file

@ -24,12 +24,13 @@ defmodule Pleroma.Emoji.Pack do
alias Pleroma.Emoji alias Pleroma.Emoji
alias Pleroma.Emoji.Pack alias Pleroma.Emoji.Pack
alias Pleroma.SafeZip
alias Pleroma.Utils alias Pleroma.Utils
@spec create(String.t()) :: {:ok, t()} | {:error, File.posix()} | {:error, :empty_values} @spec create(String.t()) :: {:ok, t()} | {:error, File.posix()} | {:error, :empty_values}
def create(name) do def create(name) do
with :ok <- validate_not_empty([name]), with :ok <- validate_not_empty([name]),
dir <- Path.join(emoji_path(), name), dir <- path_join_name_safe(emoji_path(), name),
:ok <- File.mkdir(dir) do :ok <- File.mkdir(dir) do
save_pack(%__MODULE__{pack_file: Path.join(dir, "pack.json")}) save_pack(%__MODULE__{pack_file: Path.join(dir, "pack.json")})
end end
@ -65,43 +66,21 @@ defmodule Pleroma.Emoji.Pack do
{:ok, [binary()]} | {:error, File.posix(), binary()} | {:error, :empty_values} {:ok, [binary()]} | {:error, File.posix(), binary()} | {:error, :empty_values}
def delete(name) do def delete(name) do
with :ok <- validate_not_empty([name]), with :ok <- validate_not_empty([name]),
pack_path <- Path.join(emoji_path(), name) do pack_path <- path_join_name_safe(emoji_path(), name) do
File.rm_rf(pack_path) File.rm_rf(pack_path)
end end
end end
@spec unpack_zip_emojies(list(tuple())) :: list(map())
defp unpack_zip_emojies(zip_files) do
Enum.reduce(zip_files, [], fn
{_, path, s, _, _, _}, acc when elem(s, 2) == :regular ->
with(
filename <- Path.basename(path),
shortcode <- Path.basename(filename, Path.extname(filename)),
false <- Emoji.exist?(shortcode)
) do
[%{path: path, filename: path, shortcode: shortcode} | acc]
else
_ -> acc
end
_, acc ->
acc
end)
end
@spec add_file(t(), String.t(), Path.t(), Plug.Upload.t()) :: @spec add_file(t(), String.t(), Path.t(), Plug.Upload.t()) ::
{:ok, t()} {:ok, t()}
| {:error, File.posix() | atom()} | {:error, File.posix() | atom()}
def add_file(%Pack{} = pack, _, _, %Plug.Upload{content_type: "application/zip"} = file) do def add_file(%Pack{} = pack, _, _, %Plug.Upload{content_type: "application/zip"} = file) do
with {:ok, zip_files} <- :zip.table(to_charlist(file.path)), with {:ok, zip_files} <- SafeZip.list_dir_file(file.path),
[_ | _] = emojies <- unpack_zip_emojies(zip_files), [_ | _] = emojies <- map_zip_emojies(zip_files),
{:ok, tmp_dir} <- Utils.tmp_dir("emoji") do {:ok, tmp_dir} <- Utils.tmp_dir("emoji") do
try do try do
{:ok, _emoji_files} = {:ok, _emoji_files} =
:zip.unzip( SafeZip.unzip_file(file.path, tmp_dir, Enum.map(emojies, & &1[:path]))
to_charlist(file.path),
[{:file_list, Enum.map(emojies, & &1[:path])}, {:cwd, String.to_charlist(tmp_dir)}]
)
{_, updated_pack} = {_, updated_pack} =
Enum.map_reduce(emojies, pack, fn item, emoji_pack -> Enum.map_reduce(emojies, pack, fn item, emoji_pack ->
@ -292,7 +271,7 @@ defmodule Pleroma.Emoji.Pack do
@spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()} @spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
def load_pack(name) do def load_pack(name) do
name = Path.basename(name) name = Path.basename(name)
pack_file = Path.join([emoji_path(), name, "pack.json"]) pack_file = path_join_name_safe(emoji_path(), name) |> Path.join("pack.json")
with {:ok, _} <- File.stat(pack_file), with {:ok, _} <- File.stat(pack_file),
{:ok, pack_data} <- File.read(pack_file) do {:ok, pack_data} <- File.read(pack_file) do
@ -416,10 +395,9 @@ defmodule Pleroma.Emoji.Pack do
end end
defp create_archive_and_cache(pack, hash) do defp create_archive_and_cache(pack, hash) do
files = [~c"pack.json" | Enum.map(pack.files, fn {_, file} -> to_charlist(file) end)] pack_file_list = Enum.into(pack.files, [], fn {_, f} -> f end)
files = ["pack.json" | pack_file_list]
{:ok, {_, result}} = {:ok, {_, result}} = SafeZip.zip("#{pack.name}.zip", files, pack.path, true)
:zip.zip(~c"#{pack.name}.zip", files, [:memory, cwd: to_charlist(pack.path)])
ttl_per_file = Pleroma.Config.get!([:emoji, :shared_pack_cache_seconds_per_file]) ttl_per_file = Pleroma.Config.get!([:emoji, :shared_pack_cache_seconds_per_file])
overall_ttl = :timer.seconds(ttl_per_file * Enum.count(files)) overall_ttl = :timer.seconds(ttl_per_file * Enum.count(files))
@ -478,7 +456,7 @@ defmodule Pleroma.Emoji.Pack do
end end
defp save_file(%Plug.Upload{path: upload_path}, pack, filename) do defp save_file(%Plug.Upload{path: upload_path}, pack, filename) do
file_path = Path.join(pack.path, filename) file_path = path_join_safe(pack.path, filename)
create_subdirs(file_path) create_subdirs(file_path)
with {:ok, _} <- File.copy(upload_path, file_path) do with {:ok, _} <- File.copy(upload_path, file_path) do
@ -497,8 +475,8 @@ defmodule Pleroma.Emoji.Pack do
end end
defp rename_file(pack, filename, new_filename) do defp rename_file(pack, filename, new_filename) do
old_path = Path.join(pack.path, filename) old_path = path_join_safe(pack.path, filename)
new_path = Path.join(pack.path, new_filename) new_path = path_join_safe(pack.path, new_filename)
create_subdirs(new_path) create_subdirs(new_path)
with :ok <- File.rename(old_path, new_path) do with :ok <- File.rename(old_path, new_path) do
@ -516,7 +494,7 @@ defmodule Pleroma.Emoji.Pack do
defp remove_file(pack, shortcode) do defp remove_file(pack, shortcode) do
with {:ok, filename} <- get_filename(pack, shortcode), with {:ok, filename} <- get_filename(pack, shortcode),
emoji <- Path.join(pack.path, filename), emoji <- path_join_safe(pack.path, filename),
:ok <- File.rm(emoji) do :ok <- File.rm(emoji) do
remove_dir_if_empty(emoji, filename) remove_dir_if_empty(emoji, filename)
end end
@ -534,7 +512,7 @@ defmodule Pleroma.Emoji.Pack do
defp get_filename(pack, shortcode) do defp get_filename(pack, shortcode) do
with %{^shortcode => filename} when is_binary(filename) <- pack.files, with %{^shortcode => filename} when is_binary(filename) <- pack.files,
file_path <- Path.join(pack.path, filename), file_path <- path_join_safe(pack.path, filename),
{:ok, _} <- File.stat(file_path) do {:ok, _} <- File.stat(file_path) do
{:ok, filename} {:ok, filename}
else else
@ -584,11 +562,10 @@ defmodule Pleroma.Emoji.Pack do
defp unzip(archive, pack_info, remote_pack, local_pack) do defp unzip(archive, pack_info, remote_pack, local_pack) do
with :ok <- File.mkdir_p!(local_pack.path) do with :ok <- File.mkdir_p!(local_pack.path) do
files = Enum.map(remote_pack["files"], fn {_, path} -> to_charlist(path) end) files = Enum.map(remote_pack["files"], fn {_, path} -> path end)
# Fallback cannot contain a pack.json file # Fallback cannot contain a pack.json file
files = if pack_info[:fallback], do: files, else: [~c"pack.json" | files] files = if pack_info[:fallback], do: files, else: ["pack.json" | files]
SafeZip.unzip_data(archive, local_pack.path, files)
:zip.unzip(archive, cwd: to_charlist(local_pack.path), file_list: files)
end end
end end
@ -649,13 +626,43 @@ defmodule Pleroma.Emoji.Pack do
end end
defp validate_has_all_files(pack, zip) do defp validate_has_all_files(pack, zip) do
with {:ok, f_list} <- :zip.unzip(zip, [:memory]) do # Check if all files from the pack.json are in the archive
# Check if all files from the pack.json are in the archive eset =
pack.files Enum.reduce(pack.files, MapSet.new(), fn
|> Enum.all?(fn {_, from_manifest} -> {_, file}, s -> MapSet.put(s, to_charlist(file))
List.keyfind(f_list, to_charlist(from_manifest), 0)
end) end)
|> if(do: :ok, else: {:error, :incomplete})
if SafeZip.contains_all_data?(zip, eset),
do: :ok,
else: {:error, :incomplete}
end
defp path_join_name_safe(dir, name) do
if to_string(name) != Path.basename(name) or name in ["..", ".", ""] do
raise "Invalid or malicious pack name: #{name}"
else
Path.join(dir, name)
end end
end end
defp path_join_safe(dir, path) do
{:ok, safe_path} = Path.safe_relative(path)
Path.join(dir, safe_path)
end
defp map_zip_emojies(zip_files) do
Enum.reduce(zip_files, [], fn path, acc ->
with(
filename <- Path.basename(path),
shortcode <- Path.basename(filename, Path.extname(filename)),
# note: this only checks the shortcode, if an emoji already exists on the same path, but
# with a different shortcode, the existing one will be degraded to an alias of the new
false <- Emoji.exist?(shortcode)
) do
[%{path: path, filename: path, shortcode: shortcode} | acc]
else
_ -> acc
end
end)
end
end end

22
lib/pleroma/frontend.ex
View file

@ -65,24 +65,12 @@ defmodule Pleroma.Frontend do
end end
def unzip(zip, dest) do def unzip(zip, dest) do
with {:ok, unzipped} <- :zip.unzip(zip, [:memory]) do File.rm_rf!(dest)
File.rm_rf!(dest) File.mkdir_p!(dest)
File.mkdir_p!(dest)
Enum.each(unzipped, fn {filename, data} -> case Pleroma.SafeZip.unzip_data(zip, dest) do
path = filename {:ok, _} -> :ok
error -> error
new_file_path = Path.join(dest, path)
path
|> Path.dirname()
|> then(&Path.join(dest, &1))
|> File.mkdir_p!()
if not File.dir?(new_file_path) do
File.write!(new_file_path, data)
end
end)
end end
end end

15
lib/pleroma/mogrify_behaviour.ex Normal file
View file

@ -0,0 +1,15 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.MogrifyBehaviour do
@moduledoc """
Behaviour for Mogrify operations.
This module defines the interface for Mogrify operations that can be mocked in tests.
"""
@callback open(binary()) :: map()
@callback custom(map(), binary()) :: map()
@callback custom(map(), binary(), binary()) :: map()
@callback save(map(), keyword()) :: map()
end

30
lib/pleroma/mogrify_wrapper.ex Normal file
View file

@ -0,0 +1,30 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.MogrifyWrapper do
@moduledoc """
Default implementation of MogrifyBehaviour that delegates to Mogrify.
"""
@behaviour Pleroma.MogrifyBehaviour
@impl true
def open(file) do
Mogrify.open(file)
end
@impl true
def custom(image, action) do
Mogrify.custom(image, action)
end
@impl true
def custom(image, action, options) do
Mogrify.custom(image, action, options)
end
@impl true
def save(image, opts) do
Mogrify.save(image, opts)
end
end

13
lib/pleroma/object/containment.ex
View file

@ -47,6 +47,19 @@ defmodule Pleroma.Object.Containment do
defp compare_uris(%URI{host: host} = _id_uri, %URI{host: host} = _other_uri), do: :ok defp compare_uris(%URI{host: host} = _id_uri, %URI{host: host} = _other_uri), do: :ok
defp compare_uris(_id_uri, _other_uri), do: :error defp compare_uris(_id_uri, _other_uri), do: :error
@doc """
Checks whether an URL to fetch from is from the local server.
We never want to fetch from ourselves; if it's not in the database
it can't be authentic and must be a counterfeit.
"""
def contain_local_fetch(id) do
case compare_uris(URI.parse(id), Pleroma.Web.Endpoint.struct_url()) do
:ok -> :error
_ -> :ok
end
end
@doc """ @doc """
Checks that an imported AP object's actor matches the host it came from. Checks that an imported AP object's actor matches the host it came from.
""" """

62
lib/pleroma/object/fetcher.ex
View file

@ -19,6 +19,8 @@ defmodule Pleroma.Object.Fetcher do
require Logger require Logger
require Pleroma.Constants require Pleroma.Constants
@mix_env Mix.env()
@spec reinject_object(struct(), map()) :: {:ok, Object.t()} | {:error, any()} @spec reinject_object(struct(), map()) :: {:ok, Object.t()} | {:error, any()}
defp reinject_object(%Object{data: %{}} = object, new_data) do defp reinject_object(%Object{data: %{}} = object, new_data) do
Logger.debug("Reinjecting object #{new_data["id"]}") Logger.debug("Reinjecting object #{new_data["id"]}")
@ -146,6 +148,7 @@ defmodule Pleroma.Object.Fetcher do
with {:scheme, true} <- {:scheme, String.starts_with?(id, "http")}, with {:scheme, true} <- {:scheme, String.starts_with?(id, "http")},
{_, true} <- {:mrf, MRF.id_filter(id)}, {_, true} <- {:mrf, MRF.id_filter(id)},
{_, :ok} <- {:local_fetch, Containment.contain_local_fetch(id)},
{:ok, body} <- get_object(id), {:ok, body} <- get_object(id),
{:ok, data} <- safe_json_decode(body), {:ok, data} <- safe_json_decode(body),
:ok <- Containment.contain_origin_from_id(id, data) do :ok <- Containment.contain_origin_from_id(id, data) do
@ -158,6 +161,9 @@ defmodule Pleroma.Object.Fetcher do
{:scheme, _} -> {:scheme, _} ->
{:error, "Unsupported URI scheme"} {:error, "Unsupported URI scheme"}
{:local_fetch, _} ->
{:error, "Trying to fetch local resource"}
{:error, e} -> {:error, e} ->
{:error, e} {:error, e}
@ -172,6 +178,19 @@ defmodule Pleroma.Object.Fetcher do
def fetch_and_contain_remote_object_from_id(_id), def fetch_and_contain_remote_object_from_id(_id),
do: {:error, "id must be a string"} do: {:error, "id must be a string"}
defp check_crossdomain_redirect(final_host, original_url)
# Handle the common case in tests where responses don't include URLs
if @mix_env == :test do
defp check_crossdomain_redirect(nil, _) do
{:cross_domain_redirect, false}
end
end
defp check_crossdomain_redirect(final_host, original_url) do
{:cross_domain_redirect, final_host != URI.parse(original_url).host}
end
defp get_object(id) do defp get_object(id) do
date = Pleroma.Signature.signed_date() date = Pleroma.Signature.signed_date()
@ -181,19 +200,29 @@ defmodule Pleroma.Object.Fetcher do
|> sign_fetch(id, date) |> sign_fetch(id, date)
case HTTP.get(id, headers) do case HTTP.get(id, headers) do
{:ok, %{body: body, status: code, headers: headers, url: final_url}}
when code in 200..299 ->
remote_host = if final_url, do: URI.parse(final_url).host, else: nil
with {:cross_domain_redirect, false} <- check_crossdomain_redirect(remote_host, id),
{_, content_type} <- List.keyfind(headers, "content-type", 0),
{:ok, _media_type} <- verify_content_type(content_type) do
{:ok, body}
else
{:cross_domain_redirect, true} ->
{:error, {:cross_domain_redirect, true}}
error ->
error
end
# Handle the case where URL is not in the response (older HTTP library versions)
{:ok, %{body: body, status: code, headers: headers}} when code in 200..299 -> {:ok, %{body: body, status: code, headers: headers}} when code in 200..299 ->
case List.keyfind(headers, "content-type", 0) do case List.keyfind(headers, "content-type", 0) do
{_, content_type} -> {_, content_type} ->
case Plug.Conn.Utils.media_type(content_type) do case verify_content_type(content_type) do
{:ok, "application", "activity+json", _} -> {:ok, _} -> {:ok, body}
{:ok, body} error -> error
{:ok, "application", "ld+json",
%{"profile" => "https://www.w3.org/ns/activitystreams"}} ->
{:ok, body}
_ ->
{:error, {:content_type, content_type}}
end end
_ -> _ ->
@ -216,4 +245,17 @@ defmodule Pleroma.Object.Fetcher do
defp safe_json_decode(nil), do: {:ok, nil} defp safe_json_decode(nil), do: {:ok, nil}
defp safe_json_decode(json), do: Jason.decode(json) defp safe_json_decode(json), do: Jason.decode(json)
defp verify_content_type(content_type) do
case Plug.Conn.Utils.media_type(content_type) do
{:ok, "application", "activity+json", _} ->
{:ok, :activity_json}
{:ok, "application", "ld+json", %{"profile" => "https://www.w3.org/ns/activitystreams"}} ->
{:ok, :ld_json}
_ ->
{:error, {:content_type, content_type}}
end
end
end end

18
lib/pleroma/reverse_proxy.ex
View file

@ -17,6 +17,8 @@ defmodule Pleroma.ReverseProxy do
@failed_request_ttl :timer.seconds(60) @failed_request_ttl :timer.seconds(60)
@methods ~w(GET HEAD) @methods ~w(GET HEAD)
@allowed_mime_types Pleroma.Config.get([Pleroma.Upload, :allowed_mime_types], [])
@cachex Pleroma.Config.get([:cachex, :provider], Cachex) @cachex Pleroma.Config.get([:cachex, :provider], Cachex)
def max_read_duration_default, do: @max_read_duration def max_read_duration_default, do: @max_read_duration
@ -301,10 +303,26 @@ defmodule Pleroma.ReverseProxy do
headers headers
|> Enum.filter(fn {k, _} -> k in @keep_resp_headers end) |> Enum.filter(fn {k, _} -> k in @keep_resp_headers end)
|> build_resp_cache_headers(opts) |> build_resp_cache_headers(opts)
|> sanitise_content_type()
|> build_resp_content_disposition_header(opts) |> build_resp_content_disposition_header(opts)
|> Keyword.merge(Keyword.get(opts, :resp_headers, [])) |> Keyword.merge(Keyword.get(opts, :resp_headers, []))
end end
defp sanitise_content_type(headers) do
original_ct = get_content_type(headers)
safe_ct =
Pleroma.Web.Plugs.Utils.get_safe_mime_type(
%{allowed_mime_types: @allowed_mime_types},
original_ct
)
[
{"content-type", safe_ct}
| Enum.filter(headers, fn {k, _v} -> k != "content-type" end)
]
end
defp build_resp_cache_headers(headers, _opts) do defp build_resp_cache_headers(headers, _opts) do
has_cache? = Enum.any?(headers, fn {k, _} -> k in @resp_cache_headers end) has_cache? = Enum.any?(headers, fn {k, _} -> k in @resp_cache_headers end)

216
lib/pleroma/safe_zip.ex Normal file
View file

@ -0,0 +1,216 @@
# Akkoma: Magically expressive social media
# Copyright © 2024 Akkoma Authors <https://akkoma.dev/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.SafeZip do
@moduledoc """
Wraps the subset of Erlang's zip module wed like to use
but enforces path-traversal safety everywhere and other checks.
For convenience almost all functions accept both elixir strings and charlists,
but output elixir strings themselves. However, this means the input parameter type
can no longer be used to distinguish archive file paths from archive binary data in memory,
thus where needed both a _data and _file variant are provided.
"""
@type text() :: String.t() | [char()]
defp safe_path?(path) do
# Path accepts elixirs chardata()
case Path.safe_relative(path) do
{:ok, _} -> true
_ -> false
end
end
defp safe_type?(file_type) do
if file_type in [:regular, :directory] do
true
else
false
end
end
defp maybe_add_file(_type, _path_charlist, nil), do: nil
defp maybe_add_file(:regular, path_charlist, file_list),
do: [to_string(path_charlist) | file_list]
defp maybe_add_file(_type, _path_charlist, file_list), do: file_list
@spec check_safe_archive_and_maybe_list_files(binary() | [char()], [term()], boolean()) ::
{:ok, [String.t()]} | {:error, reason :: term()}
defp check_safe_archive_and_maybe_list_files(archive, opts, list) do
acc = if list, do: [], else: nil
with {:ok, table} <- :zip.table(archive, opts) do
Enum.reduce_while(table, {:ok, acc}, fn
# ZIP comment
{:zip_comment, _}, acc ->
{:cont, acc}
# File entry
{:zip_file, path, info, _comment, _offset, _comp_size}, {:ok, fl} ->
with {_, type} <- {:get_type, elem(info, 2)},
{_, true} <- {:type, safe_type?(type)},
{_, true} <- {:safe_path, safe_path?(path)} do
{:cont, {:ok, maybe_add_file(type, path, fl)}}
else
{:get_type, e} ->
{:halt,
{:error, "Couldn't determine file type of ZIP entry at #{path} (#{inspect(e)})"}}
{:type, _} ->
{:halt, {:error, "Potentially unsafe file type in ZIP at: #{path}"}}
{:safe_path, _} ->
{:halt, {:error, "Unsafe path in ZIP: #{path}"}}
end
# new OTP version?
_, _acc ->
{:halt, {:error, "Unknown ZIP record type"}}
end)
end
end
@spec check_safe_archive_and_list_files(binary() | [char()], [term()]) ::
{:ok, [String.t()]} | {:error, reason :: term()}
defp check_safe_archive_and_list_files(archive, opts \\ []) do
check_safe_archive_and_maybe_list_files(archive, opts, true)
end
@spec check_safe_archive(binary() | [char()], [term()]) :: :ok | {:error, reason :: term()}
defp check_safe_archive(archive, opts \\ []) do
case check_safe_archive_and_maybe_list_files(archive, opts, false) do
{:ok, _} -> :ok
error -> error
end
end
@spec check_safe_file_list([text()], text()) :: :ok | {:error, term()}
defp check_safe_file_list([], _), do: :ok
defp check_safe_file_list([path | tail], cwd) do
with {_, true} <- {:path, safe_path?(path)},
{_, {:ok, fstat}} <- {:stat, File.stat(Path.expand(path, cwd))},
{_, true} <- {:type, safe_type?(fstat.type)} do
check_safe_file_list(tail, cwd)
else
{:path, _} ->
{:error, "Unsafe path escaping cwd: #{path}"}
{:stat, e} ->
{:error, "Unable to check file type of #{path}: #{inspect(e)}"}
{:type, _} ->
{:error, "Unsafe type at #{path}"}
end
end
defp check_safe_file_list(_, _), do: {:error, "Malformed file_list"}
@doc """
Checks whether the archive data contais file entries for all paths from fset
Note this really only accepts entries corresponding to regular _files_,
if a path is contained as for example an directory, this does not count as a match.
"""
@spec contains_all_data?(binary(), MapSet.t()) :: true | false
def contains_all_data?(archive_data, fset) do
with {:ok, table} <- :zip.table(archive_data) do
remaining =
Enum.reduce(table, fset, fn
{:zip_file, path, info, _comment, _offset, _comp_size}, fset ->
if elem(info, 2) == :regular do
MapSet.delete(fset, path)
else
fset
end
_, _ ->
fset
end)
|> MapSet.size()
if remaining == 0, do: true, else: false
else
_ -> false
end
end
@doc """
List all file entries in ZIP, or error if invalid or unsafe.
Note this really only lists regular files, no directories, ZIP comments or other types!
"""
@spec list_dir_file(text()) :: {:ok, [String.t()]} | {:error, reason :: term()}
def list_dir_file(archive) do
path = to_charlist(archive)
check_safe_archive_and_list_files(path)
end
defp stringify_zip({:ok, {fname, data}}), do: {:ok, {to_string(fname), data}}
defp stringify_zip({:ok, fname}), do: {:ok, to_string(fname)}
defp stringify_zip(ret), do: ret
@spec zip(text(), text(), [text()], boolean()) ::
{:ok, file_name :: String.t()}
| {:ok, {file_name :: String.t(), file_data :: binary()}}
| {:error, reason :: term()}
def zip(name, file_list, cwd, memory \\ false) do
opts = [{:cwd, to_charlist(cwd)}]
opts = if memory, do: [:memory | opts], else: opts
with :ok <- check_safe_file_list(file_list, cwd) do
file_list = for f <- file_list, do: to_charlist(f)
name = to_charlist(name)
stringify_zip(:zip.zip(name, file_list, opts))
end
end
@spec unzip_file(text(), text(), [text()] | nil) ::
{:ok, [String.t()]}
| {:error, reason :: term()}
| {:error, {name :: text(), reason :: term()}}
def unzip_file(archive, target_dir, file_list \\ nil) do
do_unzip(to_charlist(archive), to_charlist(target_dir), file_list)
end
@spec unzip_data(binary(), text(), [text()] | nil) ::
{:ok, [String.t()]}
| {:error, reason :: term()}
| {:error, {name :: text(), reason :: term()}}
def unzip_data(archive, target_dir, file_list \\ nil) do
do_unzip(archive, to_charlist(target_dir), file_list)
end
defp stringify_unzip({:ok, [{_fname, _data} | _] = filebinlist}),
do: {:ok, Enum.map(filebinlist, fn {fname, data} -> {to_string(fname), data} end)}
defp stringify_unzip({:ok, [_fname | _] = filelist}),
do: {:ok, Enum.map(filelist, fn fname -> to_string(fname) end)}
defp stringify_unzip({:error, {fname, term}}), do: {:error, {to_string(fname), term}}
defp stringify_unzip(ret), do: ret
@spec do_unzip(binary() | [char()], text(), [text()] | nil) ::
{:ok, [String.t()]}
| {:error, reason :: term()}
| {:error, {name :: text(), reason :: term()}}
defp do_unzip(archive, target_dir, file_list) do
opts =
if file_list != nil do
[
file_list: for(f <- file_list, do: to_charlist(f)),
cwd: target_dir
]
else
[cwd: target_dir]
end
with :ok <- check_safe_archive(archive) do
stringify_unzip(:zip.unzip(archive, opts))
end
end
end

4
lib/pleroma/upload/filter/anonymize_filename.ex
View file

@ -10,7 +10,7 @@ defmodule Pleroma.Upload.Filter.AnonymizeFilename do
""" """
@behaviour Pleroma.Upload.Filter @behaviour Pleroma.Upload.Filter
alias Pleroma.Config @config_impl Application.compile_env(:pleroma, [__MODULE__, :config_impl], Pleroma.Config)
alias Pleroma.Upload alias Pleroma.Upload
def filter(%Upload{name: name} = upload) do def filter(%Upload{name: name} = upload) do
@ -23,7 +23,7 @@ defmodule Pleroma.Upload.Filter.AnonymizeFilename do
@spec predefined_name(String.t()) :: String.t() | nil @spec predefined_name(String.t()) :: String.t() | nil
defp predefined_name(extension) do defp predefined_name(extension) do
with name when not is_nil(name) <- Config.get([__MODULE__, :text]), with name when not is_nil(name) <- @config_impl.get([__MODULE__, :text]),
do: String.replace(name, "{extension}", extension) do: String.replace(name, "{extension}", extension)
end end

17
lib/pleroma/upload/filter/mogrify.ex
View file

@ -8,9 +8,16 @@ defmodule Pleroma.Upload.Filter.Mogrify do
@type conversion :: action :: String.t() | {action :: String.t(), opts :: String.t()} @type conversion :: action :: String.t() | {action :: String.t(), opts :: String.t()}
@type conversions :: conversion() | [conversion()] @type conversions :: conversion() | [conversion()]
@config_impl Application.compile_env(:pleroma, [__MODULE__, :config_impl], Pleroma.Config)
@mogrify_impl Application.compile_env(
:pleroma,
[__MODULE__, :mogrify_impl],
Pleroma.MogrifyWrapper
)
def filter(%Pleroma.Upload{tempfile: file, content_type: "image" <> _}) do def filter(%Pleroma.Upload{tempfile: file, content_type: "image" <> _}) do
try do try do
do_filter(file, Pleroma.Config.get!([__MODULE__, :args])) do_filter(file, @config_impl.get!([__MODULE__, :args]))
{:ok, :filtered} {:ok, :filtered}
rescue rescue
e in ErlangError -> e in ErlangError ->
@ -22,9 +29,9 @@ defmodule Pleroma.Upload.Filter.Mogrify do
def do_filter(file, filters) do def do_filter(file, filters) do
file file
|> Mogrify.open() |> @mogrify_impl.open()
|> mogrify_filter(filters) |> mogrify_filter(filters)
|> Mogrify.save(in_place: true) |> @mogrify_impl.save(in_place: true)
end end
defp mogrify_filter(mogrify, nil), do: mogrify defp mogrify_filter(mogrify, nil), do: mogrify
@ -38,10 +45,10 @@ defmodule Pleroma.Upload.Filter.Mogrify do
defp mogrify_filter(mogrify, []), do: mogrify defp mogrify_filter(mogrify, []), do: mogrify
defp mogrify_filter(mogrify, {action, options}) do defp mogrify_filter(mogrify, {action, options}) do
Mogrify.custom(mogrify, action, options) @mogrify_impl.custom(mogrify, action, options)
end end
defp mogrify_filter(mogrify, action) when is_binary(action) do defp mogrify_filter(mogrify, action) when is_binary(action) do
Mogrify.custom(mogrify, action) @mogrify_impl.custom(mogrify, action)
end end
end end

15
lib/pleroma/user/backup.ex
View file

@ -16,6 +16,7 @@ defmodule Pleroma.User.Backup do
alias Pleroma.Bookmark alias Pleroma.Bookmark
alias Pleroma.Config alias Pleroma.Config
alias Pleroma.Repo alias Pleroma.Repo
alias Pleroma.SafeZip
alias Pleroma.Uploaders.Uploader alias Pleroma.Uploaders.Uploader
alias Pleroma.User alias Pleroma.User
alias Pleroma.Web.ActivityPub.ActivityPub alias Pleroma.Web.ActivityPub.ActivityPub
@ -179,12 +180,12 @@ defmodule Pleroma.User.Backup do
end end
@files [ @files [
~c"actor.json", "actor.json",
~c"outbox.json", "outbox.json",
~c"likes.json", "likes.json",
~c"bookmarks.json", "bookmarks.json",
~c"followers.json", "followers.json",
~c"following.json" "following.json"
] ]
@spec run(t()) :: {:ok, t()} | {:error, :failed} @spec run(t()) :: {:ok, t()} | {:error, :failed}
@ -200,7 +201,7 @@ defmodule Pleroma.User.Backup do
{_, :ok} <- {:followers, followers(backup.tempdir, backup.user)}, {_, :ok} <- {:followers, followers(backup.tempdir, backup.user)},
{_, :ok} <- {:following, following(backup.tempdir, backup.user)}, {_, :ok} <- {:following, following(backup.tempdir, backup.user)},
{_, {:ok, _zip_path}} <- {_, {:ok, _zip_path}} <-
{:zip, :zip.create(to_charlist(tempfile), @files, cwd: to_charlist(backup.tempdir))}, {:zip, SafeZip.zip(tempfile, @files, backup.tempdir)},
{_, {:ok, %File.Stat{size: zip_size}}} <- {:filestat, File.stat(tempfile)}, {_, {:ok, %File.Stat{size: zip_size}}} <- {:filestat, File.stat(tempfile)},
{:ok, updated_backup} <- update_record(backup, %{file_size: zip_size}) do {:ok, updated_backup} <- update_record(backup, %{file_size: zip_size}) do
{:ok, updated_backup} {:ok, updated_backup}

10
lib/pleroma/user_relationship.ex
View file

@ -55,9 +55,13 @@ defmodule Pleroma.UserRelationship do
def user_relationship_mappings, do: Pleroma.UserRelationship.Type.__enum_map__() def user_relationship_mappings, do: Pleroma.UserRelationship.Type.__enum_map__()
def datetime_impl do
Application.get_env(:pleroma, :datetime_impl, Pleroma.DateTime.Impl)
end
def changeset(%UserRelationship{} = user_relationship, params \\ %{}) do def changeset(%UserRelationship{} = user_relationship, params \\ %{}) do
user_relationship user_relationship
|> cast(params, [:relationship_type, :source_id, :target_id, :expires_at]) |> cast(params, [:relationship_type, :source_id, :target_id, :expires_at, :inserted_at])
|> validate_required([:relationship_type, :source_id, :target_id]) |> validate_required([:relationship_type, :source_id, :target_id])
|> unique_constraint(:relationship_type, |> unique_constraint(:relationship_type,
name: :user_relationships_source_id_relationship_type_target_id_index name: :user_relationships_source_id_relationship_type_target_id_index
@ -65,6 +69,7 @@ defmodule Pleroma.UserRelationship do
|> validate_not_self_relationship() |> validate_not_self_relationship()
end end
@spec exists?(any(), Pleroma.User.t(), Pleroma.User.t()) :: boolean()
def exists?(relationship_type, %User{} = source, %User{} = target) do def exists?(relationship_type, %User{} = source, %User{} = target) do
UserRelationship UserRelationship
|> where(relationship_type: ^relationship_type, source_id: ^source.id, target_id: ^target.id) |> where(relationship_type: ^relationship_type, source_id: ^source.id, target_id: ^target.id)
@ -90,7 +95,8 @@ defmodule Pleroma.UserRelationship do
relationship_type: relationship_type, relationship_type: relationship_type,
source_id: source.id, source_id: source.id,
target_id: target.id, target_id: target.id,
expires_at: expires_at expires_at: expires_at,
inserted_at: datetime_impl().utc_now()
}) })
|> Repo.insert( |> Repo.insert(
on_conflict: {:replace_all_except, [:id, :inserted_at]}, on_conflict: {:replace_all_except, [:id, :inserted_at]},

146
lib/pleroma/web/activity_pub/mrf/dnsrbl_policy.ex
View file

@ -1,146 +0,0 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2024 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.ActivityPub.MRF.DNSRBLPolicy do
@moduledoc """
Dynamic activity filtering based on an RBL database
This MRF makes queries to a custom DNS server which will
respond with values indicating the classification of the domain
the activity originated from. This method has been widely used
in the email anti-spam industry for very fast reputation checks.
e.g., if the DNS response is 127.0.0.1 or empty, the domain is OK
Other values such as 127.0.0.2 may be used for specific classifications.
Information for why the host is blocked can be stored in a corresponding TXT record.
This method is fail-open so if the queries fail the activites are accepted.
An example of software meant for this purpsoe is rbldnsd which can be found
at http://www.corpit.ru/mjt/rbldnsd.html or mirrored at
https://git.pleroma.social/feld/rbldnsd
It is highly recommended that you run your own copy of rbldnsd and use an
external mechanism to sync/share the contents of the zone file. This is
important to keep the latency on the queries as low as possible and prevent
your DNS server from being attacked so it fails and content is permitted.
"""
@behaviour Pleroma.Web.ActivityPub.MRF.Policy
alias Pleroma.Config
require Logger
@query_retries 1
@query_timeout 500
@impl true
def filter(%{"actor" => actor} = activity) do
actor_info = URI.parse(actor)
with {:ok, activity} <- check_rbl(actor_info, activity) do
{:ok, activity}
else
_ -> {:reject, "[DNSRBLPolicy]"}
end
end
@impl true
def filter(activity), do: {:ok, activity}
@impl true
def describe do
mrf_dnsrbl =
Config.get(:mrf_dnsrbl)
|> Enum.into(%{})
{:ok, %{mrf_dnsrbl: mrf_dnsrbl}}
end
@impl true
def config_description do
%{
key: :mrf_dnsrbl,
related_policy: "Pleroma.Web.ActivityPub.MRF.DNSRBLPolicy",
label: "MRF DNSRBL",
description: "DNS RealTime Blackhole Policy",
children: [
%{
key: :nameserver,
type: {:string},
description: "DNSRBL Nameserver to Query (IP or hostame)",
suggestions: ["127.0.0.1"]
},
%{
key: :port,
type: {:string},
description: "Nameserver port",
suggestions: ["53"]
},
%{
key: :zone,
type: {:string},
description: "Root zone for querying",
suggestions: ["bl.pleroma.com"]
}
]
}
end
defp check_rbl(%{host: actor_host}, activity) do
with false <- match?(^actor_host, Pleroma.Web.Endpoint.host()),
zone when not is_nil(zone) <- Keyword.get(Config.get([:mrf_dnsrbl]), :zone) do
query =
Enum.join([actor_host, zone], ".")
|> String.to_charlist()
rbl_response = rblquery(query)
if Enum.empty?(rbl_response) do
{:ok, activity}
else
Task.start(fn ->
reason =
case rblquery(query, :txt) do
[[result]] -> result
_ -> "undefined"
end
Logger.warning(
"DNSRBL Rejected activity from #{actor_host} for reason: #{inspect(reason)}"
)
end)
:error
end
else
_ -> {:ok, activity}
end
end
defp get_rblhost_ip(rblhost) do
case rblhost |> String.to_charlist() |> :inet_parse.address() do
{:ok, _} -> rblhost |> String.to_charlist() |> :inet_parse.address()
_ -> {:ok, rblhost |> String.to_charlist() |> :inet_res.lookup(:in, :a) |> Enum.random()}
end
end
defp rblquery(query, type \\ :a) do
config = Config.get([:mrf_dnsrbl])
case get_rblhost_ip(config[:nameserver]) do
{:ok, rblnsip} ->
:inet_res.lookup(query, :in, type,
nameservers: [{rblnsip, config[:port]}],
timeout: @query_timeout,
retry: @query_retries
)
_ ->
[]
end
end
end

53
lib/pleroma/web/activity_pub/mrf/fo_direct_reply.ex
View file

@ -1,53 +0,0 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2024 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.ActivityPub.MRF.FODirectReply do
@moduledoc """
FODirectReply alters the scope of replies to activities which are Followers Only to be Direct. The purpose of this policy is to prevent broken threads for followers of the reply author because their response was to a user that they are not also following.
"""
alias Pleroma.Object
alias Pleroma.User
alias Pleroma.Web.ActivityPub.Visibility
@behaviour Pleroma.Web.ActivityPub.MRF.Policy
@impl true
def filter(
%{
"type" => "Create",
"to" => to,
"object" => %{
"actor" => actor,
"type" => "Note",
"inReplyTo" => in_reply_to
}
} = activity
) do
with true <- is_binary(in_reply_to),
%User{follower_address: followers_collection, local: true} <- User.get_by_ap_id(actor),
%Object{} = in_reply_to_object <- Object.get_by_ap_id(in_reply_to),
"private" <- Visibility.get_visibility(in_reply_to_object) do
direct_to = to -- [followers_collection]
updated_activity =
activity
|> Map.put("cc", [])
|> Map.put("to", direct_to)
|> Map.put("directMessage", true)
|> put_in(["object", "cc"], [])
|> put_in(["object", "to"], direct_to)
{:ok, updated_activity}
else
_ -> {:ok, activity}
end
end
@impl true
def filter(activity), do: {:ok, activity}
@impl true
def describe, do: {:ok, %{}}
end

60
lib/pleroma/web/activity_pub/mrf/quiet_reply.ex
View file

@ -1,60 +0,0 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2023 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.ActivityPub.MRF.QuietReply do
@moduledoc """
QuietReply alters the scope of activities from local users when replying by enforcing them to be "Unlisted" or "Quiet Public". This delivers the activity to all the expected recipients and instances, but it will not be published in the Federated / The Whole Known Network timelines. It will still be published to the Home timelines of the user's followers and visible to anyone who opens the thread.
"""
require Pleroma.Constants
alias Pleroma.User
@behaviour Pleroma.Web.ActivityPub.MRF.Policy
@impl true
def history_awareness, do: :auto
@impl true
def filter(
%{
"type" => "Create",
"to" => to,
"cc" => cc,
"object" => %{
"actor" => actor,
"type" => "Note",
"inReplyTo" => in_reply_to
}
} = activity
) do
with true <- is_binary(in_reply_to),
false <- match?([], cc),
%User{follower_address: followers_collection, local: true} <-
User.get_by_ap_id(actor) do
updated_to =
to
|> Kernel.++([followers_collection])
|> Kernel.--([Pleroma.Constants.as_public()])
updated_cc = [Pleroma.Constants.as_public()]
updated_activity =
activity
|> Map.put("to", updated_to)
|> Map.put("cc", updated_cc)
|> put_in(["object", "to"], updated_to)
|> put_in(["object", "cc"], updated_cc)
{:ok, updated_activity}
else
_ -> {:ok, activity}
end
end
@impl true
def filter(activity), do: {:ok, activity}
@impl true
def describe, do: {:ok, %{}}
end

24
lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
View file

@ -20,6 +20,19 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
String.match?(shortcode, pattern) String.match?(shortcode, pattern)
end end
defp reject_emoji?({shortcode, _url}, installed_emoji) do
valid_shortcode? = String.match?(shortcode, ~r/^[a-zA-Z0-9_-]+$/)
rejected_shortcode? =
[:mrf_steal_emoji, :rejected_shortcodes]
|> Config.get([])
|> Enum.any?(fn pattern -> shortcode_matches?(shortcode, pattern) end)
emoji_installed? = Enum.member?(installed_emoji, shortcode)
!valid_shortcode? or rejected_shortcode? or emoji_installed?
end
defp steal_emoji({shortcode, url}, emoji_dir_path) do defp steal_emoji({shortcode, url}, emoji_dir_path) do
url = Pleroma.Web.MediaProxy.url(url) url = Pleroma.Web.MediaProxy.url(url)
@ -78,16 +91,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
new_emojis = new_emojis =
foreign_emojis foreign_emojis
|> Enum.reject(fn {shortcode, _url} -> shortcode in installed_emoji end) |> Enum.reject(&reject_emoji?(&1, installed_emoji))
|> Enum.reject(fn {shortcode, _url} -> String.contains?(shortcode, ["/", "\\"]) end)
|> Enum.filter(fn {shortcode, _url} ->
reject_emoji? =
[:mrf_steal_emoji, :rejected_shortcodes]
|> Config.get([])
|> Enum.find(false, fn pattern -> shortcode_matches?(shortcode, pattern) end)
!reject_emoji?
end)
|> Enum.map(&steal_emoji(&1, emoji_dir_path)) |> Enum.map(&steal_emoji(&1, emoji_dir_path))
|> Enum.filter(& &1) |> Enum.filter(& &1)

185
lib/pleroma/web/activity_pub/transmogrifier.ex
View file

@ -43,6 +43,38 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
|> fix_content_map() |> fix_content_map()
|> fix_addressing() |> fix_addressing()
|> fix_summary() |> fix_summary()
|> fix_history(&fix_object/1)
end
defp maybe_fix_object(%{"attributedTo" => _} = object), do: fix_object(object)
defp maybe_fix_object(object), do: object
defp fix_history(%{"formerRepresentations" => %{"orderedItems" => list}} = obj, fix_fun)
when is_list(list) do
update_in(obj["formerRepresentations"]["orderedItems"], fn h -> Enum.map(h, fix_fun) end)
end
defp fix_history(obj, _), do: obj
defp fix_recursive(obj, fun) do
# unlike Erlang, Elixir does not support recursive inline functions
# which would allow us to avoid reconstructing this on every recursion
rec_fun = fn
obj when is_map(obj) -> fix_recursive(obj, fun)
# there may be simple AP IDs in history (or object field)
obj -> obj
end
obj
|> fun.()
|> fix_history(rec_fun)
|> then(fn
%{"object" => object} = doc when is_map(object) ->
update_in(doc["object"], rec_fun)
apdoc ->
apdoc
end)
end end
def fix_summary(%{"summary" => nil} = object) do def fix_summary(%{"summary" => nil} = object) do
@ -375,11 +407,18 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
end) end)
end end
def handle_incoming(data, options \\ []) def handle_incoming(data, options \\ []) do
data
|> fix_recursive(&strip_internal_fields/1)
|> handle_incoming_normalized(options)
end
# Flag objects are placed ahead of the ID check because Mastodon 2.8 and earlier send them # Flag objects are placed ahead of the ID check because Mastodon 2.8 and earlier send them
# with nil ID. # with nil ID.
def handle_incoming(%{"type" => "Flag", "object" => objects, "actor" => actor} = data, _options) do defp handle_incoming_normalized(
%{"type" => "Flag", "object" => objects, "actor" => actor} = data,
_options
) do
with context <- data["context"] || Utils.generate_context_id(), with context <- data["context"] || Utils.generate_context_id(),
content <- data["content"] || "", content <- data["content"] || "",
%User{} = actor <- User.get_cached_by_ap_id(actor), %User{} = actor <- User.get_cached_by_ap_id(actor),
@ -400,16 +439,17 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
end end
# disallow objects with bogus IDs # disallow objects with bogus IDs
def handle_incoming(%{"id" => nil}, _options), do: :error defp handle_incoming_normalized(%{"id" => nil}, _options), do: :error
def handle_incoming(%{"id" => ""}, _options), do: :error defp handle_incoming_normalized(%{"id" => ""}, _options), do: :error
# length of https:// = 8, should validate better, but good enough for now. # length of https:// = 8, should validate better, but good enough for now.
def handle_incoming(%{"id" => id}, _options) when is_binary(id) and byte_size(id) < 8, defp handle_incoming_normalized(%{"id" => id}, _options)
do: :error when is_binary(id) and byte_size(id) < 8,
do: :error
def handle_incoming( defp handle_incoming_normalized(
%{"type" => "Listen", "object" => %{"type" => "Audio"} = object} = data, %{"type" => "Listen", "object" => %{"type" => "Audio"} = object} = data,
options options
) do ) do
actor = Containment.get_actor(data) actor = Containment.get_actor(data)
data = data =
@ -451,25 +491,25 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
"star" => "" "star" => ""
} }
@doc "Rewrite misskey likes into EmojiReacts" # Rewrite misskey likes into EmojiReacts
def handle_incoming( defp handle_incoming_normalized(
%{ %{
"type" => "Like", "type" => "Like",
"_misskey_reaction" => reaction "_misskey_reaction" => reaction
} = data, } = data,
options options
) do ) do
data data
|> Map.put("type", "EmojiReact") |> Map.put("type", "EmojiReact")
|> Map.put("content", @misskey_reactions[reaction] || reaction) |> Map.put("content", @misskey_reactions[reaction] || reaction)
|> handle_incoming(options) |> handle_incoming_normalized(options)
end end
def handle_incoming( defp handle_incoming_normalized(
%{"type" => "Create", "object" => %{"type" => objtype, "id" => obj_id}} = data, %{"type" => "Create", "object" => %{"type" => objtype, "id" => obj_id}} = data,
options options
) )
when objtype in ~w{Question Answer ChatMessage Audio Video Event Article Note Page Image} do when objtype in ~w{Question Answer ChatMessage Audio Video Event Article Note Page Image} do
fetch_options = Keyword.put(options, :depth, (options[:depth] || 0) + 1) fetch_options = Keyword.put(options, :depth, (options[:depth] || 0) + 1)
object = object =
@ -492,8 +532,8 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
end end
end end
def handle_incoming(%{"type" => type} = data, _options) defp handle_incoming_normalized(%{"type" => type} = data, _options)
when type in ~w{Like EmojiReact Announce Add Remove} do when type in ~w{Like EmojiReact Announce Add Remove} do
with :ok <- ObjectValidator.fetch_actor_and_object(data), with :ok <- ObjectValidator.fetch_actor_and_object(data),
{:ok, activity, _meta} <- {:ok, activity, _meta} <-
Pipeline.common_pipeline(data, local: false) do Pipeline.common_pipeline(data, local: false) do
@ -503,11 +543,14 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
end end
end end
def handle_incoming( defp handle_incoming_normalized(
%{"type" => type} = data, %{"type" => type} = data,
_options _options
) )
when type in ~w{Update Block Follow Accept Reject} do when type in ~w{Update Block Follow Accept Reject} do
fixed_obj = maybe_fix_object(data["object"])
data = if fixed_obj != nil, do: %{data | "object" => fixed_obj}, else: data
with {:ok, %User{}} <- ObjectValidator.fetch_actor(data), with {:ok, %User{}} <- ObjectValidator.fetch_actor(data),
{:ok, activity, _} <- {:ok, activity, _} <-
Pipeline.common_pipeline(data, local: false) do Pipeline.common_pipeline(data, local: false) do
@ -515,10 +558,10 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
end end
end end
def handle_incoming( defp handle_incoming_normalized(
%{"type" => "Delete"} = data, %{"type" => "Delete"} = data,
_options _options
) do ) do
with {:ok, activity, _} <- with {:ok, activity, _} <-
Pipeline.common_pipeline(data, local: false) do Pipeline.common_pipeline(data, local: false) do
{:ok, activity} {:ok, activity}
@ -541,15 +584,15 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
end end
end end
def handle_incoming( defp handle_incoming_normalized(
%{ %{
"type" => "Undo", "type" => "Undo",
"object" => %{"type" => "Follow", "object" => followed}, "object" => %{"type" => "Follow", "object" => followed},
"actor" => follower, "actor" => follower,
"id" => id "id" => id
} = _data, } = _data,
_options _options
) do ) do
with %User{local: true} = followed <- User.get_cached_by_ap_id(followed), with %User{local: true} = followed <- User.get_cached_by_ap_id(followed),
{:ok, %User{} = follower} <- User.get_or_fetch_by_ap_id(follower), {:ok, %User{} = follower} <- User.get_or_fetch_by_ap_id(follower),
{:ok, activity} <- ActivityPub.unfollow(follower, followed, id, false) do {:ok, activity} <- ActivityPub.unfollow(follower, followed, id, false) do
@ -560,46 +603,46 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
end end
end end
def handle_incoming( defp handle_incoming_normalized(
%{ %{
"type" => "Undo", "type" => "Undo",
"object" => %{"type" => type} "object" => %{"type" => type}
} = data, } = data,
_options _options
) )
when type in ["Like", "EmojiReact", "Announce", "Block"] do when type in ["Like", "EmojiReact", "Announce", "Block"] do
with {:ok, activity, _} <- Pipeline.common_pipeline(data, local: false) do with {:ok, activity, _} <- Pipeline.common_pipeline(data, local: false) do
{:ok, activity} {:ok, activity}
end end
end end
# For Undos that don't have the complete object attached, try to find it in our database. # For Undos that don't have the complete object attached, try to find it in our database.
def handle_incoming( defp handle_incoming_normalized(
%{ %{
"type" => "Undo", "type" => "Undo",
"object" => object "object" => object
} = activity, } = activity,
options options
) )
when is_binary(object) do when is_binary(object) do
with %Activity{data: data} <- Activity.get_by_ap_id(object) do with %Activity{data: data} <- Activity.get_by_ap_id(object) do
activity activity
|> Map.put("object", data) |> Map.put("object", data)
|> handle_incoming(options) |> handle_incoming_normalized(options)
else else
_e -> :error _e -> :error
end end
end end
def handle_incoming( defp handle_incoming_normalized(
%{ %{
"type" => "Move", "type" => "Move",
"actor" => origin_actor, "actor" => origin_actor,
"object" => origin_actor, "object" => origin_actor,
"target" => target_actor "target" => target_actor
}, },
_options _options
) do ) do
with %User{} = origin_user <- User.get_cached_by_ap_id(origin_actor), with %User{} = origin_user <- User.get_cached_by_ap_id(origin_actor),
{:ok, %User{} = target_user} <- User.get_or_fetch_by_ap_id(target_actor), {:ok, %User{} = target_user} <- User.get_or_fetch_by_ap_id(target_actor),
true <- origin_actor in target_user.also_known_as do true <- origin_actor in target_user.also_known_as do
@ -609,7 +652,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
end end
end end
def handle_incoming(_, _), do: :error defp handle_incoming_normalized(_, _), do: :error
@spec get_obj_helper(String.t(), Keyword.t()) :: {:ok, Object.t()} | nil @spec get_obj_helper(String.t(), Keyword.t()) :: {:ok, Object.t()} | nil
def get_obj_helper(id, options \\ []) do def get_obj_helper(id, options \\ []) do

26
lib/pleroma/web/metadata/providers/open_graph.ex
View file

@ -78,10 +78,10 @@ defmodule Pleroma.Web.Metadata.Providers.OpenGraph do
# object when a Video or GIF is attached it will display that in Whatsapp Rich Preview. # object when a Video or GIF is attached it will display that in Whatsapp Rich Preview.
case Utils.fetch_media_type(@media_types, url["mediaType"]) do case Utils.fetch_media_type(@media_types, url["mediaType"]) do
"audio" -> "audio" ->
[ acc ++
{:meta, [property: "og:audio", content: MediaProxy.url(url["href"])], []} [
| acc {:meta, [property: "og:audio", content: MediaProxy.url(url["href"])], []}
] ]
# Not using preview_url for this. It saves bandwidth, but the image dimensions will # Not using preview_url for this. It saves bandwidth, but the image dimensions will
# be wrong. We generate it on the fly and have no way to capture or analyze the # be wrong. We generate it on the fly and have no way to capture or analyze the
@ -89,18 +89,18 @@ defmodule Pleroma.Web.Metadata.Providers.OpenGraph do
# in timelines too, but you can get clever with the aspect ratio metadata as a # in timelines too, but you can get clever with the aspect ratio metadata as a
# workaround. # workaround.
"image" -> "image" ->
[ (acc ++
{:meta, [property: "og:image", content: MediaProxy.url(url["href"])], []}, [
{:meta, [property: "og:image:alt", content: attachment["name"]], []} {:meta, [property: "og:image", content: MediaProxy.url(url["href"])], []},
| acc {:meta, [property: "og:image:alt", content: attachment["name"]], []}
] ])
|> maybe_add_dimensions(url) |> maybe_add_dimensions(url)
"video" -> "video" ->
[ (acc ++
{:meta, [property: "og:video", content: MediaProxy.url(url["href"])], []} [
| acc {:meta, [property: "og:video", content: MediaProxy.url(url["href"])], []}
] ])
|> maybe_add_dimensions(url) |> maybe_add_dimensions(url)
|> maybe_add_video_thumbnail(url) |> maybe_add_video_thumbnail(url)

54
lib/pleroma/web/metadata/providers/twitter_card.ex
View file

@ -61,13 +61,13 @@ defmodule Pleroma.Web.Metadata.Providers.TwitterCard do
Enum.reduce(attachment["url"], [], fn url, acc -> Enum.reduce(attachment["url"], [], fn url, acc ->
case Utils.fetch_media_type(@media_types, url["mediaType"]) do case Utils.fetch_media_type(@media_types, url["mediaType"]) do
"audio" -> "audio" ->
[ acc ++
{:meta, [name: "twitter:card", content: "player"], []}, [
{:meta, [name: "twitter:player:width", content: "480"], []}, {:meta, [name: "twitter:card", content: "player"], []},
{:meta, [name: "twitter:player:height", content: "80"], []}, {:meta, [name: "twitter:player:width", content: "480"], []},
{:meta, [name: "twitter:player", content: player_url(id)], []} {:meta, [name: "twitter:player:height", content: "80"], []},
| acc {:meta, [name: "twitter:player", content: player_url(id)], []}
] ]
# Not using preview_url for this. It saves bandwidth, but the image dimensions will # Not using preview_url for this. It saves bandwidth, but the image dimensions will
# be wrong. We generate it on the fly and have no way to capture or analyze the # be wrong. We generate it on the fly and have no way to capture or analyze the
@ -75,16 +75,16 @@ defmodule Pleroma.Web.Metadata.Providers.TwitterCard do
# in timelines too, but you can get clever with the aspect ratio metadata as a # in timelines too, but you can get clever with the aspect ratio metadata as a
# workaround. # workaround.
"image" -> "image" ->
[ (acc ++
{:meta, [name: "twitter:card", content: "summary_large_image"], []},
{:meta,
[ [
name: "twitter:image", {:meta, [name: "twitter:card", content: "summary_large_image"], []},
content: MediaProxy.url(url["href"]) {:meta,
], []}, [
{:meta, [name: "twitter:image:alt", content: truncate(attachment["name"])], []} name: "twitter:image",
| acc content: MediaProxy.url(url["href"])
] ], []},
{:meta, [name: "twitter:image:alt", content: truncate(attachment["name"])], []}
])
|> maybe_add_dimensions(url) |> maybe_add_dimensions(url)
"video" -> "video" ->
@ -92,17 +92,17 @@ defmodule Pleroma.Web.Metadata.Providers.TwitterCard do
height = url["height"] || 480 height = url["height"] || 480
width = url["width"] || 480 width = url["width"] || 480
[ acc ++
{:meta, [name: "twitter:card", content: "player"], []}, [
{:meta, [name: "twitter:player", content: player_url(id)], []}, {:meta, [name: "twitter:card", content: "player"], []},
{:meta, [name: "twitter:player:width", content: "#{width}"], []}, {:meta, [name: "twitter:player", content: player_url(id)], []},
{:meta, [name: "twitter:player:height", content: "#{height}"], []}, {:meta, [name: "twitter:player:width", content: "#{width}"], []},
{:meta, [name: "twitter:player:stream", content: MediaProxy.url(url["href"])], {:meta, [name: "twitter:player:height", content: "#{height}"], []},
[]}, {:meta, [name: "twitter:player:stream", content: MediaProxy.url(url["href"])],
{:meta, [name: "twitter:player:stream:content_type", content: url["mediaType"]], []},
[]} {:meta, [name: "twitter:player:stream:content_type", content: url["mediaType"]],
| acc []}
] ]
_ -> _ ->
acc acc

34
lib/pleroma/web/plugs/ap_client_api_enabled_plug.ex Normal file
View file

@ -0,0 +1,34 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2024 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.APClientApiEnabledPlug do
import Plug.Conn
import Phoenix.Controller, only: [text: 2]
@config_impl Application.compile_env(:pleroma, [__MODULE__, :config_impl], Pleroma.Config)
@enabled_path [:activitypub, :client_api_enabled]
def init(options \\ []), do: Map.new(options)
def call(conn, %{allow_server: true}) do
if @config_impl.get(@enabled_path, false) do
conn
else
conn
|> assign(:user, nil)
|> assign(:token, nil)
end
end
def call(conn, _) do
if @config_impl.get(@enabled_path, false) do
conn
else
conn
|> put_status(:forbidden)
|> text("C2S not enabled")
|> halt()
end
end
end

12
lib/pleroma/web/plugs/http_signature_plug.ex
View file

@ -19,8 +19,16 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
options options
end end
def call(%{assigns: %{valid_signature: true}} = conn, _opts) do def call(%{assigns: %{valid_signature: true}} = conn, _opts), do: conn
conn
# skip for C2S requests from authenticated users
def call(%{assigns: %{user: %Pleroma.User{}}} = conn, _opts) do
if get_format(conn) in ["json", "activity+json"] do
# ensure access token is provided for 2FA
Pleroma.Web.Plugs.EnsureAuthenticatedPlug.call(conn, %{})
else
conn
end
end end
def call(conn, _opts) do def call(conn, _opts) do

22
lib/pleroma/web/plugs/instance_static.ex
View file

@ -4,6 +4,7 @@
defmodule Pleroma.Web.Plugs.InstanceStatic do defmodule Pleroma.Web.Plugs.InstanceStatic do
require Pleroma.Constants require Pleroma.Constants
import Plug.Conn, only: [put_resp_header: 3]
@moduledoc """ @moduledoc """
This is a shim to call `Plug.Static` but with runtime `from` configuration. This is a shim to call `Plug.Static` but with runtime `from` configuration.
@ -44,10 +45,31 @@ defmodule Pleroma.Web.Plugs.InstanceStatic do
end end
defp call_static(conn, opts, from) do defp call_static(conn, opts, from) do
# Prevent content-type spoofing by setting content_types: false
opts = opts =
opts opts
|> Map.put(:from, from) |> Map.put(:from, from)
|> Map.put(:content_types, false)
conn = set_content_type(conn, conn.request_path)
# Call Plug.Static with our sanitized content-type
Plug.Static.call(conn, opts) Plug.Static.call(conn, opts)
end end
defp set_content_type(conn, "/emoji/" <> filepath) do
real_mime = MIME.from_path(filepath)
clean_mime =
Pleroma.Web.Plugs.Utils.get_safe_mime_type(%{allowed_mime_types: ["image"]}, real_mime)
put_resp_header(conn, "content-type", clean_mime)
end
defp set_content_type(conn, filepath) do
real_mime = MIME.from_path(filepath)
put_resp_header(conn, "content-type", real_mime)
end
end end
# I think this needs to be uncleaned except for emoji.

17
lib/pleroma/web/plugs/uploaded_media.ex
View file

@ -11,6 +11,7 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
require Logger require Logger
alias Pleroma.Web.MediaProxy alias Pleroma.Web.MediaProxy
alias Pleroma.Web.Plugs.Utils
@behaviour Plug @behaviour Plug
# no slashes # no slashes
@ -28,7 +29,9 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
|> Keyword.put(:at, "/__unconfigured_media_plug") |> Keyword.put(:at, "/__unconfigured_media_plug")
|> Plug.Static.init() |> Plug.Static.init()
%{static_plug_opts: static_plug_opts} allowed_mime_types = Pleroma.Config.get([Pleroma.Upload, :allowed_mime_types])
%{static_plug_opts: static_plug_opts, allowed_mime_types: allowed_mime_types}
end end
def call(%{request_path: <<"/", @path, "/", file::binary>>} = conn, opts) do def call(%{request_path: <<"/", @path, "/", file::binary>>} = conn, opts) do
@ -69,13 +72,23 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
defp media_is_banned(_, _), do: false defp media_is_banned(_, _), do: false
defp set_content_type(conn, opts, filepath) do
real_mime = MIME.from_path(filepath)
clean_mime = Utils.get_safe_mime_type(opts, real_mime)
put_resp_header(conn, "content-type", clean_mime)
end
defp get_media(conn, {:static_dir, directory}, _, opts) do defp get_media(conn, {:static_dir, directory}, _, opts) do
static_opts = static_opts =
Map.get(opts, :static_plug_opts) Map.get(opts, :static_plug_opts)
|> Map.put(:at, [@path]) |> Map.put(:at, [@path])
|> Map.put(:from, directory) |> Map.put(:from, directory)
|> Map.put(:content_types, false)
conn = Plug.Static.call(conn, static_opts) conn =
conn
|> set_content_type(opts, conn.request_path)
|> Plug.Static.call(static_opts)
if conn.halted do if conn.halted do
conn conn

14
lib/pleroma/web/plugs/utils.ex Normal file
View file

@ -0,0 +1,14 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.Utils do
@moduledoc """
Some helper functions shared across several plugs
"""
def get_safe_mime_type(%{allowed_mime_types: allowed_mime_types} = _opts, mime) do
[maintype | _] = String.split(mime, "/", parts: 2)
if maintype in allowed_mime_types, do: mime, else: "application/octet-stream"
end
end

2
lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex
View file

@ -9,7 +9,7 @@ defmodule Pleroma.Web.RichMedia.Parsers.MetaTagsParser do
|> Enum.reduce(data, fn el, acc -> |> Enum.reduce(data, fn el, acc ->
attributes = normalize_attributes(el, prefix, key_name, value_name) attributes = normalize_attributes(el, prefix, key_name, value_name)
Map.merge(acc, attributes) Map.merge(attributes, acc)
end) end)
|> maybe_put_title(html) |> maybe_put_title(html)
end end

11
lib/pleroma/web/rich_media/parsers/twitter_card.ex
View file

@ -11,5 +11,16 @@ defmodule Pleroma.Web.RichMedia.Parsers.TwitterCard do
|> MetaTagsParser.parse(html, "og", "property") |> MetaTagsParser.parse(html, "og", "property")
|> MetaTagsParser.parse(html, "twitter", "name") |> MetaTagsParser.parse(html, "twitter", "name")
|> MetaTagsParser.parse(html, "twitter", "property") |> MetaTagsParser.parse(html, "twitter", "property")
|> filter_tags()
end
defp filter_tags(tags) do
Map.filter(tags, fn {k, _v} ->
cond do
k in ["card", "description", "image", "title", "ttl", "type", "url"] -> true
String.starts_with?(k, "image:") -> true
true -> false
end
end)
end end
end end

19
lib/pleroma/web/router.ex
View file

@ -907,22 +907,37 @@ defmodule Pleroma.Web.Router do
# Client to Server (C2S) AP interactions # Client to Server (C2S) AP interactions
pipeline :activitypub_client do pipeline :activitypub_client do
plug(:ap_service_actor) plug(:ap_service_actor)
plug(Pleroma.Web.Plugs.APClientApiEnabledPlug)
plug(:fetch_session) plug(:fetch_session)
plug(:authenticate) plug(:authenticate)
plug(:after_auth) plug(:after_auth)
end end
# AP interactions used by both S2S and C2S
pipeline :activitypub_server_or_client do
plug(:ap_service_actor)
plug(:fetch_session)
plug(:authenticate)
plug(Pleroma.Web.Plugs.APClientApiEnabledPlug, allow_server: true)
plug(:after_auth)
plug(:http_signature)
end
scope "/", Pleroma.Web.ActivityPub do scope "/", Pleroma.Web.ActivityPub do
pipe_through([:activitypub_client]) pipe_through([:activitypub_client])
get("/api/ap/whoami", ActivityPubController, :whoami) get("/api/ap/whoami", ActivityPubController, :whoami)
get("/users/:nickname/inbox", ActivityPubController, :read_inbox) get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
get("/users/:nickname/outbox", ActivityPubController, :outbox)
post("/users/:nickname/outbox", ActivityPubController, :update_outbox) post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
post("/api/ap/upload_media", ActivityPubController, :upload_media) post("/api/ap/upload_media", ActivityPubController, :upload_media)
end
scope "/", Pleroma.Web.ActivityPub do
pipe_through([:activitypub_server_or_client])
get("/users/:nickname/outbox", ActivityPubController, :outbox)
# The following two are S2S as well, see `ActivityPub.fetch_follow_information_for_user/1`:
get("/users/:nickname/followers", ActivityPubController, :followers) get("/users/:nickname/followers", ActivityPubController, :followers)
get("/users/:nickname/following", ActivityPubController, :following) get("/users/:nickname/following", ActivityPubController, :following)
get("/users/:nickname/collections/featured", ActivityPubController, :pinned) get("/users/:nickname/collections/featured", ActivityPubController, :pinned)

2
mix.exs
View file

@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
def project do def project do
[ [
app: :pleroma, app: :pleroma,
version: version("2.8.0"), version: version("2.9.1"),
elixir: "~> 1.14", elixir: "~> 1.14",
elixirc_paths: elixirc_paths(Mix.env()), elixirc_paths: elixirc_paths(Mix.env()),
compilers: Mix.compilers(), compilers: Mix.compilers(),

151
test/fixtures/fulmo.html vendored Normal file
View file

@ -0,0 +1,151 @@
<!DOCTYPE html>
<html lang='eo'>
<head>
<meta charset='utf-8'/>
<meta name='author' content='Tirifto'/>
<meta name='generator' content='Pageling'/>
<meta name='viewport' content='width=device-width,
height=device-height,
initial-scale=1.0'/>
<link rel='stylesheet' type='text/css' href='/r/stiloj/tiriftejo.css'/>
<link rel='alternate' type='application/atom+xml' href='/eo/novajhoj.atom'/>
<link rel='icon' size='16x16' type='image/vnd.microsoft.icon' href='/favicon.ico'/>
<link rel='icon' size='128x128' type='image/png' href='/icon.png'/>
<link rel='alternate' hreflang='eo' href='https://tirifto.xwx.moe/eo/rakontoj/fulmo.html'/>
<title>Fulmo</title>
<meta property='og:title' content='Fulmo'/>
<meta property='og:type' content='website'/>
<meta property='og:url' content='https://tirifto.xwx.moe/eo/rakontoj/fulmo.html'/>
<meta property='og:site_name' content='Tiriftejo'/>
<meta property='og:locale' content='eo'/>
<meta property='og:description' content='Pri feoj, kiuj devis ordigi falintan arbon.'/>
<meta property='og:image' content='https://tirifto.xwx.moe/r/ilustrajhoj/pinglordigado.png'/>
<meta property='og:image:alt' content='Meze de arbaro kuŝas falinta trunko, sen pingloj kaj kun branĉoj derompitaj. Post ĝi videblas du feoj: florofeo maldekstre kaj nubofeo dekstre. La florofeo iom kaŝas sin post la trunko. La nubofeo staras kaj tenas amason da pigloj. Ili iom rigardas al si.'/>
<meta property='og:image:height' content='630'/>
<meta property='og:image:width' content='1200'/>
<meta property='og:image' content='https://tirifto.xwx.moe/r/opengraph/eo.png'/>
<meta property='og:image:alt' content='La tirifta okulo ĉirkaŭita de ornamaj steloj kaj la teksto: »Tiriftejo. Esperanto.«'/>
<meta property='og:image:height' content='630'/>
<meta property='og:image:width' content='1200'/>
</head>
<body>
<header id='website-header'>
<nav id='website-navigation'>
<input type='checkbox' id='website-navigation-toggle'
aria-description='Montri ligilojn al ĉefaj paĝoj de la retejo.'/>
<label for='website-navigation-toggle'>Paĝoj</label>
<a href='/eo/verkoj.html'>Verkoj</a>
<a href='/eo/novajhoj.html'>Novaĵoj</a>
<a href='/eo/donacoj.html'>Donacoj</a>
<a href='/eo/prio.html'>Prio</a>
<a href='/eo/amikoj.html'>Amikoj</a>
<a href='/eo/kontakto.html'>Kontakto</a>
</nav>
<span id='eye' role='img' aria-label=''></span>
<nav id='language-switcher'
aria-roledescription='lingvo-ŝanĝilo'>
<input type='checkbox' id='language-switcher-toggle'
aria-description='Montri ligilojn al tradukoj de tiu ĉi paĝo.'/>
<label for='language-switcher-toggle'>Lingvoj</label>
<a href='fulmo.html' lang='eo' hreflang='eo'><img aria-hidden='true' alt='' src='/r/flagoj/eo.png'/>Esperanto</a>
</nav>
</header>
<div class='bodier'>
<nav id='work-links'>
<a href='.'>Ceteraj rakontoj</a>
<a href='../bildosignoj'>Bildosignoj</a>
<a href='../eseoj'>Eseoj</a>
<a href='../ludoj'>Ludoj</a>
<a href='../poemoj'>Poemoj</a>
<a href='../vortaroj'>Vortaroj</a>
</nav>
<main>
<article>
<header>
<h1>Fulmo</h1>
<p>Skribis Tirifto</p>
<time datetime='2025-01-31'>2025-01-31</time>
</header>
<p>»Kial ĉiam mi? Tio ne justas! Oni kulpigas min, sed ja ne mi kulpas!« La nubofeo lamentis, dum ĝi ordigis restaĵojn de falinta arbo. Plejparto el la pingloj estis brulintaj, kaj el la trunko ankoraŭ leviĝis fumo.</p>
<p>Subite aŭdeblis ekstraj kraketoj deapude. Ĝi rigardis flanken, kaj vidis iun kaŭri apud la arbo, derompi branĉetojn, kaj orde ilin amasigi. Ŝajnis, ke ekde sia rimarkiĝo, la nekonatulo laŭeble kuntiriĝis, kaj strebis labori kiel eble plej silente.</p>
<p>»Saluton…?« La nubofeo stariĝis, alporolante la eston. Tiu kvazaŭ frostiĝis, sed timeme ankaŭ stariĝis.</p>
<p>»S- Saluton…« Ĝi respondis sen kuraĝo rigardi ĝiadirekten. Nun stare, videblis ke ĝi estas verdanta florofeo.</p>
<p>»… kion vi faras tie ĉi?« La nubofeo demandis.</p>
<p>»Nu… tiel kaj tiel… mi ordigas.«</p>
<p>»Ho. Mi ricevis taskon ordigi ĉi tie… se vi povas atendi, vi ne bezonas peni!«</p>
<p>»N- Nu… mi tamen volus…« Parolis la florofeo, plu deturnante la kapon.</p>
<p>»Nu… bone, se vi tion deziras… dankon!« La nubofeo dankis, kaj returniĝis al sia laboro.</p>
<p>Fojfoje ĝi scivole rigardis al sia nova kunlaboranto, kaj fojfoje renkontis similan rigardon de ĝia flanko, kiuokaze ambaŭ rigardoj rapide revenis al la ordigataj pingloj kaj branĉetoj. »(Kial tiom volonte helpi min?)« Pensis al si la nubofeo. »(Ĉu ĝi simple tiom bonkoras? Ĝi ja tre bele floras; eble ankaŭ ĝia koro tiel same belas…)« Kaj vere, ĝiaj surfloroj grandanime malfermis siajn belkolorajn folietojn, kaj bonodoris al mondo.</p>
<figure>
<picture>
<source srcset='/r/ilustrajhoj/pinglordigado.jxl' type='image/jxl'/>
<img src='/r/ilustrajhoj/pinglordigado.png' alt='Meze de arbaro kuŝas falinta trunko, sen pingloj kaj kun branĉoj derompitaj. Post ĝi videblas du feoj: florofeo maldekstre kaj nubofeo dekstre. La florofeo iom kaŝas sin post la trunko. La nubofeo staras kaj tenas amason da pigloj. Ili iom rigardas al si.'/>
</picture>
<figcaption>
Pinglordigado
<details>
<summary>© <time datetime='2025'>2025</time> Tirifto</summary>
<a href='https://artlibre.org/'><img src='/r/permesiloj/lal.svg' class='stamp licence' alt='Emblemo: Permesilo de arto libera'/></a>
</details>
</figcaption>
</figure>
<p>Post iom da tempo, ĉiu feo tralaboris ĝis la trunkomezo, kaj proksimiĝis al la alia feo. Kaj tiam ekpezis sur ili devosento rompi la silenton.</p>
<p>»… kia bela vetero, ĉu ne?« Diris la nubofeo, tuj rimarkonte, ke mallumiĝas, kaj la ĉielo restas kovrita de nuboj.</p>
<p>»Jes ja! Tre nube. Mi ŝatas nubojn!« Respondis la alia entuziasme, sed tuj haltetis kaj deturnis la kapon. Ambaŭ feoj daŭrigis laboron silente, kaj plu proksimiĝis, ĝis tiu preskaŭ estis finita.</p>
<p>»H… H… Ho ne…!« Subite ekdiris la nubofeo urĝe.</p>
<p>»Kio okazas?!«</p>
<p>»T… Tern…!«</p>
<p>»Jen! Tenu!« La florofeo etendis manon kun granda folio. La nubofeo ĝin prenis, kaj tien ternis. Aperis ekfulmo, kaj la cindriĝinta folio disfalis.</p>
<p>»Pardonu… mi ne volis…« Bedaŭris la nubofeo. »Mi ne scias, kial tio ĉiam okazas! Tiom plaĉas al mi promeni tere, sed ĉiuj diras, ke mi maldevus, ĉar ial ĝi ĉiam finiĝas tiel ĉi.« Ĝi montris al la arbo. »Eble ili pravas…«</p>
<p>»Nu…« diris la florofeo bedaŭre, kaj etendis la manon.</p>
<p>»H… H… Ne ree…!«</p>
<p>Ekfulmis. Alia ĵus metita folio cindriĝis en la manoj de la florofeo, time ferminta la okulojn.</p>
<p>»Dankegon… mi tre ŝatas vian helpon! Kaj mi ne… ne…«</p>
<p>Metiĝis. Ekfulmis. Cindriĝis.</p>
<p>»Io tre iritas mian nazon!« Plendis la nubofeo. Poste ĝi rimarkis la florpolvon, kiu disŝutiĝis el la florofeo en la tutan ĉirkaŭaĵon, kaj eĉ tuj antaŭ la nubofeon.</p>
<p>»N- Nu…« Diris la florofeo, honte rigardanta la teron. »… pardonu.«</p>
<footer>
<noscript><p>Ĉu vi ŝatas la verkon? <a href='/eo/donacoj.html'>Subtenu min</a> aŭ kopiu adreson de la verko por diskonigi ĝin!</p></noscript>
<script id='underbuttons'>
/* @license magnet:?xt=urn:btih:90dc5c0be029de84e523b9b3922520e79e0e6f08&dn=cc0.txt CC0-1.0 */
document.getElementById('underbuttons').outerHTML = "<p><a href='/eo/donacoj.html' class='button' target='_blank'>Subtenu min</a> <button onclick='navigator.clipboard.writeText(window.location.href.split(\"\#\")[0]).then(() => window.alert(\"Ligilo al ĉi tiu verko estas kopiita. Sendu ĝin al iu por diskonigi la verkon! 🐱\"))'>Diskonigu la verkon</button></p>"
/* @license-end */
</script>
<details class='history'>
<summary>Historio</summary>
<dl>
<dt><time datetime='2025-01-31'>2025-01-31</time></dt>
<dd>Unua publikigo.</dd>
</dl>
</details>
<details class='licence' open='details'>
<summary>Permesilo</summary>
<p>Ĉi tiun verkon vi rajtas libere kopii, disdoni, kaj ŝanĝi, laŭ kondiĉoj de la <a href='https://artlibre.org/'>Permesilo de arto libera</a>. (Resume: Vi devas mencii la aŭtoron kaj doni ligilon al la verko. Se vi ŝanĝas la verkon, vi devas laŭeble noti la faritajn ŝanĝojn, ilian daton, kaj eldoni ilin sub la sama permesilo.)</p>
<a href='https://artlibre.org/'><img src='/r/permesiloj/lal.svg' class='stamp licence' alt='Emblemo: Permesilo de arto libera'/></a>
</details>
</footer>
</article>
</main>
</div>
<footer id='website-footer'>
<div class='stamps'>
<a href='https://gnu.org/'>
<img class='stamp' src='/r/retetikedoj/gnu.png' lang='en' alt='GNU'/></a>
<img class='stamp' src='/r/retetikedoj/ihhtus.png' lang='el' alt='ΙΧΘΥΣ'/>
<img class='stamp' src='/r/retetikedoj/be-kind.apng' lang='en' alt='Be kind.'/>
<img class='stamp' src='/r/retetikedoj/kulturo-libera.png' lang='eo' alt='Kulturo libera.'/>
<img class='stamp' src='/r/retetikedoj/discord.png' lang='en' alt='Say no to Discord.'/>
<a href='https://xwx.moe/'>
<img class='stamp' src='/r/retetikedoj/xwx-moe.png' alt='xwx.moe'/></a>
<a href='https://mojeek.co.uk' hreflang='en'>
<img class='stamp' src='/r/retetikedoj/mojeek.png' lang='en' alt='Mojeek'/></a>
<a href='https://raku.org/' hreflang='en'>
<img class='stamp' src='/r/retetikedoj/raku.png' alt='Raku'/></a>
<picture>
<source srcset='/r/retetikedoj/jxl.jxl' type='image/jxl'/>
<img class='stamp' src='/r/retetikedoj/jxl.png' alt='JPEG XL'/></picture>
</div>
</footer>
</body>
</html>

2
test/fixtures/users_mock/friendica_followers.json vendored
View file

@ -13,7 +13,7 @@
"directMessage": "litepub:directMessage" "directMessage": "litepub:directMessage"
} }
], ],
"id": "http://localhost:8080/followers/fuser3", "id": "https://remote.org/followers/fuser3",
"type": "OrderedCollection", "type": "OrderedCollection",
"totalItems": 296 "totalItems": 296
} }

2
test/fixtures/users_mock/friendica_following.json vendored
View file

@ -13,7 +13,7 @@
"directMessage": "litepub:directMessage" "directMessage": "litepub:directMessage"
} }
], ],
"id": "http://localhost:8080/following/fuser3", "id": "https://remote.org/following/fuser3",
"type": "OrderedCollection", "type": "OrderedCollection",
"totalItems": 32 "totalItems": 32
} }

4
test/fixtures/users_mock/masto_closed_followers.json vendored
View file

@ -1,7 +1,7 @@
{ {
"@context": "https://www.w3.org/ns/activitystreams", "@context": "https://www.w3.org/ns/activitystreams",
"id": "http://localhost:4001/users/masto_closed/followers", "id": "https://remote.org/users/masto_closed/followers",
"type": "OrderedCollection", "type": "OrderedCollection",
"totalItems": 437, "totalItems": 437,
"first": "http://localhost:4001/users/masto_closed/followers?page=1" "first": "https://remote.org/users/masto_closed/followers?page=1"
} }

2
test/fixtures/users_mock/masto_closed_followers_page.json vendored
View file

@ -1 +1 @@
{"@context":"https://www.w3.org/ns/activitystreams","id":"http://localhost:4001/users/masto_closed/followers?page=1","type":"OrderedCollectionPage","totalItems":437,"next":"http://localhost:4001/users/masto_closed/followers?page=2","partOf":"http://localhost:4001/users/masto_closed/followers","orderedItems":["https://testing.uguu.ltd/users/rin","https://patch.cx/users/rin","https://letsalllovela.in/users/xoxo","https://pleroma.site/users/crushv","https://aria.company/users/boris","https://kawen.space/users/crushv","https://freespeech.host/users/cvcvcv","https://pleroma.site/users/picpub","https://pixelfed.social/users/nosleep","https://boopsnoot.gq/users/5c1896d162f7d337f90492a3","https://pikachu.rocks/users/waifu","https://royal.crablettesare.life/users/crablettes"]} {"@context":"https://www.w3.org/ns/activitystreams","id":"https://remote.org/users/masto_closed/followers?page=1","type":"OrderedCollectionPage","totalItems":437,"next":"https://remote.org/users/masto_closed/followers?page=2","partOf":"https://remote.org/users/masto_closed/followers","orderedItems":["https://testing.uguu.ltd/users/rin","https://patch.cx/users/rin","https://letsalllovela.in/users/xoxo","https://pleroma.site/users/crushv","https://aria.company/users/boris","https://kawen.space/users/crushv","https://freespeech.host/users/cvcvcv","https://pleroma.site/users/picpub","https://pixelfed.social/users/nosleep","https://boopsnoot.gq/users/5c1896d162f7d337f90492a3","https://pikachu.rocks/users/waifu","https://royal.crablettesare.life/users/crablettes"]}

4
test/fixtures/users_mock/masto_closed_following.json vendored
View file

@ -1,7 +1,7 @@
{ {
"@context": "https://www.w3.org/ns/activitystreams", "@context": "https://www.w3.org/ns/activitystreams",
"id": "http://localhost:4001/users/masto_closed/following", "id": "https://remote.org/users/masto_closed/following",
"type": "OrderedCollection", "type": "OrderedCollection",
"totalItems": 152, "totalItems": 152,
"first": "http://localhost:4001/users/masto_closed/following?page=1" "first": "https://remote.org/users/masto_closed/following?page=1"
} }

2
test/fixtures/users_mock/masto_closed_following_page.json vendored
View file

@ -1 +1 @@
{"@context":"https://www.w3.org/ns/activitystreams","id":"http://localhost:4001/users/masto_closed/following?page=1","type":"OrderedCollectionPage","totalItems":152,"next":"http://localhost:4001/users/masto_closed/following?page=2","partOf":"http://localhost:4001/users/masto_closed/following","orderedItems":["https://testing.uguu.ltd/users/rin","https://patch.cx/users/rin","https://letsalllovela.in/users/xoxo","https://pleroma.site/users/crushv","https://aria.company/users/boris","https://kawen.space/users/crushv","https://freespeech.host/users/cvcvcv","https://pleroma.site/users/picpub","https://pixelfed.social/users/nosleep","https://boopsnoot.gq/users/5c1896d162f7d337f90492a3","https://pikachu.rocks/users/waifu","https://royal.crablettesare.life/users/crablettes"]} {"@context":"https://www.w3.org/ns/activitystreams","id":"https://remote.org/users/masto_closed/following?page=1","type":"OrderedCollectionPage","totalItems":152,"next":"https://remote.org/users/masto_closed/following?page=2","partOf":"https://remote.org/users/masto_closed/following","orderedItems":["https://testing.uguu.ltd/users/rin","https://patch.cx/users/rin","https://letsalllovela.in/users/xoxo","https://pleroma.site/users/crushv","https://aria.company/users/boris","https://kawen.space/users/crushv","https://freespeech.host/users/cvcvcv","https://pleroma.site/users/picpub","https://pixelfed.social/users/nosleep","https://boopsnoot.gq/users/5c1896d162f7d337f90492a3","https://pikachu.rocks/users/waifu","https://royal.crablettesare.life/users/crablettes"]}

10
test/fixtures/users_mock/pleroma_followers.json vendored
View file

@ -1,18 +1,18 @@
{ {
"type": "OrderedCollection", "type": "OrderedCollection",
"totalItems": 527, "totalItems": 527,
"id": "http://localhost:4001/users/fuser2/followers", "id": "https://remote.org/users/fuser2/followers",
"first": { "first": {
"type": "OrderedCollectionPage", "type": "OrderedCollectionPage",
"totalItems": 527, "totalItems": 527,
"partOf": "http://localhost:4001/users/fuser2/followers", "partOf": "https://remote.org/users/fuser2/followers",
"orderedItems": [], "orderedItems": [],
"next": "http://localhost:4001/users/fuser2/followers?page=2", "next": "https://remote.org/users/fuser2/followers?page=2",
"id": "http://localhost:4001/users/fuser2/followers?page=1" "id": "https://remote.org/users/fuser2/followers?page=1"
}, },
"@context": [ "@context": [
"https://www.w3.org/ns/activitystreams", "https://www.w3.org/ns/activitystreams",
"http://localhost:4001/schemas/litepub-0.1.jsonld", "https://remote.org/schemas/litepub-0.1.jsonld",
{ {
"@language": "und" "@language": "und"
} }

10
test/fixtures/users_mock/pleroma_following.json vendored
View file

@ -1,18 +1,18 @@
{ {
"type": "OrderedCollection", "type": "OrderedCollection",
"totalItems": 267, "totalItems": 267,
"id": "http://localhost:4001/users/fuser2/following", "id": "https://remote.org/users/fuser2/following",
"first": { "first": {
"type": "OrderedCollectionPage", "type": "OrderedCollectionPage",
"totalItems": 267, "totalItems": 267,
"partOf": "http://localhost:4001/users/fuser2/following", "partOf": "https://remote.org/users/fuser2/following",
"orderedItems": [], "orderedItems": [],
"next": "http://localhost:4001/users/fuser2/following?page=2", "next": "https://remote.org/users/fuser2/following?page=2",
"id": "http://localhost:4001/users/fuser2/following?page=1" "id": "https://remote.org/users/fuser2/following?page=1"
}, },
"@context": [ "@context": [
"https://www.w3.org/ns/activitystreams", "https://www.w3.org/ns/activitystreams",
"http://localhost:4001/schemas/litepub-0.1.jsonld", "https://remote.org/schemas/litepub-0.1.jsonld",
{ {
"@language": "und" "@language": "und"
} }

2
test/mix/tasks/pleroma/digest_test.exs
View file

@ -24,7 +24,7 @@ defmodule Mix.Tasks.Pleroma.DigestTest do
setup do: clear_config([Pleroma.Emails.Mailer, :enabled], true) setup do: clear_config([Pleroma.Emails.Mailer, :enabled], true)
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

2
test/mix/tasks/pleroma/user_test.exs
View file

@ -21,7 +21,7 @@ defmodule Mix.Tasks.Pleroma.UserTest do
import Pleroma.Factory import Pleroma.Factory
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

2
test/pleroma/conversation_test.exs
View file

@ -14,7 +14,7 @@ defmodule Pleroma.ConversationTest do
setup_all do: clear_config([:instance, :federating], true) setup_all do: clear_config([:instance, :federating], true)
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

60
test/pleroma/emoji/pack_test.exs
View file

@ -4,6 +4,7 @@
defmodule Pleroma.Emoji.PackTest do defmodule Pleroma.Emoji.PackTest do
use Pleroma.DataCase use Pleroma.DataCase
alias Pleroma.Emoji
alias Pleroma.Emoji.Pack alias Pleroma.Emoji.Pack
@emoji_path Path.join( @emoji_path Path.join(
@ -53,6 +54,63 @@ defmodule Pleroma.Emoji.PackTest do
assert updated_pack.files_count == 5 assert updated_pack.files_count == 5
end end
test "skips existing emojis when adding from zip file", %{pack: pack} do
# First, let's create a test pack with a "bear" emoji
test_pack_path = Path.join(@emoji_path, "test_bear_pack")
File.mkdir_p(test_pack_path)
# Create a pack.json file
File.write!(Path.join(test_pack_path, "pack.json"), """
{
"files": { "bear": "bear.png" },
"pack": {
"description": "Bear Pack", "homepage": "https://pleroma.social",
"license": "Test license", "share-files": true
}}
""")
# Copy a test image to use as the bear emoji
File.cp!(
Path.absname("test/instance_static/emoji/test_pack/blank.png"),
Path.join(test_pack_path, "bear.png")
)
# Load the pack to register the "bear" emoji in the global registry
{:ok, _bear_pack} = Pleroma.Emoji.Pack.load_pack("test_bear_pack")
# Reload emoji to make sure the bear emoji is in the global registry
Emoji.reload()
# Verify that the bear emoji exists in the global registry
assert Emoji.exist?("bear")
# Now try to add a zip file that contains an emoji with the same shortcode
file = %Plug.Upload{
content_type: "application/zip",
filename: "emojis.zip",
path: Path.absname("test/fixtures/emojis.zip")
}
{:ok, updated_pack} = Pack.add_file(pack, nil, nil, file)
# Verify that the "bear" emoji was skipped
refute Map.has_key?(updated_pack.files, "bear")
# Other emojis should be added
assert Map.has_key?(updated_pack.files, "a_trusted_friend-128")
assert Map.has_key?(updated_pack.files, "auroraborealis")
assert Map.has_key?(updated_pack.files, "baby_in_a_box")
assert Map.has_key?(updated_pack.files, "bear-128")
# Total count should be 4 (all emojis except "bear")
assert updated_pack.files_count == 4
# Clean up the test pack
on_exit(fn ->
File.rm_rf!(test_pack_path)
end)
end
end end
test "returns error when zip file is bad", %{pack: pack} do test "returns error when zip file is bad", %{pack: pack} do
@ -62,7 +120,7 @@ defmodule Pleroma.Emoji.PackTest do
path: Path.absname("test/instance_static/emoji/test_pack/blank.png") path: Path.absname("test/instance_static/emoji/test_pack/blank.png")
} }
assert Pack.add_file(pack, nil, nil, file) == {:error, :einval} assert {:error, _} = Pack.add_file(pack, nil, nil, file)
end end
test "returns pack when zip file is empty", %{pack: pack} do test "returns pack when zip file is empty", %{pack: pack} do

2
test/pleroma/notification_test.exs
View file

@ -19,7 +19,7 @@ defmodule Pleroma.NotificationTest do
alias Pleroma.Web.MastodonAPI.NotificationView alias Pleroma.Web.MastodonAPI.NotificationView
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

189
test/pleroma/object/fetcher_test.exs
View file

@ -166,6 +166,91 @@ defmodule Pleroma.Object.FetcherTest do
) )
end end
test "it does not fetch from local instance" do
local_url = Pleroma.Web.Endpoint.url() <> "/objects/local_resource"
assert {:fetch, {:error, "Trying to fetch local resource"}} =
Fetcher.fetch_object_from_id(local_url)
end
test "it validates content-type headers according to ActivityPub spec" do
# Setup a mock for an object with invalid content-type
mock(fn
%{method: :get, url: "https://example.com/objects/invalid-content-type"} ->
%Tesla.Env{
status: 200,
# Not a valid AP content-type
headers: [{"content-type", "application/json"}],
body:
Jason.encode!(%{
"id" => "https://example.com/objects/invalid-content-type",
"type" => "Note",
"content" => "This has an invalid content type",
"actor" => "https://example.com/users/actor",
"attributedTo" => "https://example.com/users/actor"
})
}
end)
assert {:fetch, {:error, {:content_type, "application/json"}}} =
Fetcher.fetch_object_from_id("https://example.com/objects/invalid-content-type")
end
test "it accepts objects with application/ld+json and ActivityStreams profile" do
# Setup a mock for an object with ld+json content-type and AS profile
mock(fn
%{method: :get, url: "https://example.com/objects/valid-ld-json"} ->
%Tesla.Env{
status: 200,
headers: [
{"content-type",
"application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\""}
],
body:
Jason.encode!(%{
"id" => "https://example.com/objects/valid-ld-json",
"type" => "Note",
"content" => "This has a valid ld+json content type",
"actor" => "https://example.com/users/actor",
"attributedTo" => "https://example.com/users/actor"
})
}
end)
# This should pass if content-type validation works correctly
assert {:ok, object} =
Fetcher.fetch_and_contain_remote_object_from_id(
"https://example.com/objects/valid-ld-json"
)
assert object["content"] == "This has a valid ld+json content type"
end
test "it rejects objects with no content-type header" do
# Setup a mock for an object with no content-type header
mock(fn
%{method: :get, url: "https://example.com/objects/no-content-type"} ->
%Tesla.Env{
status: 200,
# No content-type header
headers: [],
body:
Jason.encode!(%{
"id" => "https://example.com/objects/no-content-type",
"type" => "Note",
"content" => "This has no content type header",
"actor" => "https://example.com/users/actor",
"attributedTo" => "https://example.com/users/actor"
})
}
end)
# We want to test that the request fails with a missing content-type error
# but the actual error is {:fetch, {:error, nil}} - we'll check for this format
result = Fetcher.fetch_object_from_id("https://example.com/objects/no-content-type")
assert {:fetch, {:error, nil}} = result
end
test "it resets instance reachability on successful fetch" do test "it resets instance reachability on successful fetch" do
id = "http://mastodon.example.org/@admin/99541947525187367" id = "http://mastodon.example.org/@admin/99541947525187367"
Instances.set_consistently_unreachable(id) Instances.set_consistently_unreachable(id)
@ -534,6 +619,110 @@ defmodule Pleroma.Object.FetcherTest do
end end
end end
describe "cross-domain redirect handling" do
setup do
mock(fn
# Cross-domain redirect with original domain in id
%{method: :get, url: "https://original.test/objects/123"} ->
%Tesla.Env{
status: 200,
url: "https://media.test/objects/123",
headers: [{"content-type", "application/activity+json"}],
body:
Jason.encode!(%{
"id" => "https://original.test/objects/123",
"type" => "Note",
"content" => "This is redirected content",
"actor" => "https://original.test/users/actor",
"attributedTo" => "https://original.test/users/actor"
})
}
# Cross-domain redirect with final domain in id
%{method: :get, url: "https://original.test/objects/final-domain-id"} ->
%Tesla.Env{
status: 200,
url: "https://media.test/objects/final-domain-id",
headers: [{"content-type", "application/activity+json"}],
body:
Jason.encode!(%{
"id" => "https://media.test/objects/final-domain-id",
"type" => "Note",
"content" => "This has final domain in id",
"actor" => "https://original.test/users/actor",
"attributedTo" => "https://original.test/users/actor"
})
}
# No redirect - same domain
%{method: :get, url: "https://original.test/objects/same-domain-redirect"} ->
%Tesla.Env{
status: 200,
url: "https://original.test/objects/different-path",
headers: [{"content-type", "application/activity+json"}],
body:
Jason.encode!(%{
"id" => "https://original.test/objects/same-domain-redirect",
"type" => "Note",
"content" => "This has a same-domain redirect",
"actor" => "https://original.test/users/actor",
"attributedTo" => "https://original.test/users/actor"
})
}
# Test case with missing url field in response (common in tests)
%{method: :get, url: "https://original.test/objects/missing-url"} ->
%Tesla.Env{
status: 200,
# No url field
headers: [{"content-type", "application/activity+json"}],
body:
Jason.encode!(%{
"id" => "https://original.test/objects/missing-url",
"type" => "Note",
"content" => "This has no URL field in response",
"actor" => "https://original.test/users/actor",
"attributedTo" => "https://original.test/users/actor"
})
}
end)
:ok
end
test "it rejects objects from cross-domain redirects with original domain in id" do
assert {:error, {:cross_domain_redirect, true}} =
Fetcher.fetch_and_contain_remote_object_from_id(
"https://original.test/objects/123"
)
end
test "it rejects objects from cross-domain redirects with final domain in id" do
assert {:error, {:cross_domain_redirect, true}} =
Fetcher.fetch_and_contain_remote_object_from_id(
"https://original.test/objects/final-domain-id"
)
end
test "it accepts objects with same-domain redirects" do
assert {:ok, data} =
Fetcher.fetch_and_contain_remote_object_from_id(
"https://original.test/objects/same-domain-redirect"
)
assert data["content"] == "This has a same-domain redirect"
end
test "it handles responses without URL field (common in tests)" do
assert {:ok, data} =
Fetcher.fetch_and_contain_remote_object_from_id(
"https://original.test/objects/missing-url"
)
assert data["content"] == "This has no URL field in response"
end
end
describe "fetch with history" do describe "fetch with history" do
setup do setup do
object2 = %{ object2 = %{

3
test/pleroma/repo/migrations/autolinker_to_linkify_test.exs
View file

@ -3,12 +3,11 @@
# SPDX-License-Identifier: AGPL-3.0-only # SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Repo.Migrations.AutolinkerToLinkifyTest do defmodule Pleroma.Repo.Migrations.AutolinkerToLinkifyTest do
use Pleroma.DataCase use Pleroma.DataCase, async: true
import Pleroma.Factory import Pleroma.Factory
import Pleroma.Tests.Helpers import Pleroma.Tests.Helpers
alias Pleroma.ConfigDB alias Pleroma.ConfigDB
setup do: clear_config(Pleroma.Formatter)
setup_all do: require_migration("20200716195806_autolinker_to_linkify") setup_all do: require_migration("20200716195806_autolinker_to_linkify")
test "change/0 converts auto_linker opts for Pleroma.Formatter", %{migration: migration} do test "change/0 converts auto_linker opts for Pleroma.Formatter", %{migration: migration} do

77
test/pleroma/reverse_proxy_test.exs
View file

@ -63,7 +63,11 @@ defmodule Pleroma.ReverseProxyTest do
|> Plug.Conn.put_req_header("user-agent", "fake/1.0") |> Plug.Conn.put_req_header("user-agent", "fake/1.0")
|> ReverseProxy.call("/user-agent") |> ReverseProxy.call("/user-agent")
assert json_response(conn, 200) == %{"user-agent" => Pleroma.Application.user_agent()} # Convert the response to a map without relying on json_response
body = conn.resp_body
assert conn.status == 200
response = Jason.decode!(body)
assert response == %{"user-agent" => Pleroma.Application.user_agent()}
end end
test "closed connection", %{conn: conn} do test "closed connection", %{conn: conn} do
@ -138,11 +142,14 @@ defmodule Pleroma.ReverseProxyTest do
test "common", %{conn: conn} do test "common", %{conn: conn} do
ClientMock ClientMock
|> expect(:request, fn :head, "/head", _, _, _ -> |> expect(:request, fn :head, "/head", _, _, _ ->
{:ok, 200, [{"content-type", "text/html; charset=utf-8"}]} {:ok, 200, [{"content-type", "image/png"}]}
end) end)
conn = ReverseProxy.call(Map.put(conn, :method, "HEAD"), "/head") conn = ReverseProxy.call(Map.put(conn, :method, "HEAD"), "/head")
assert html_response(conn, 200) == ""
assert conn.status == 200
assert Conn.get_resp_header(conn, "content-type") == ["image/png"]
assert conn.resp_body == ""
end end
end end
@ -249,7 +256,10 @@ defmodule Pleroma.ReverseProxyTest do
) )
|> ReverseProxy.call("/headers") |> ReverseProxy.call("/headers")
%{"headers" => headers} = json_response(conn, 200) body = conn.resp_body
assert conn.status == 200
response = Jason.decode!(body)
headers = response["headers"]
assert headers["Accept"] == "text/html" assert headers["Accept"] == "text/html"
end end
@ -262,7 +272,10 @@ defmodule Pleroma.ReverseProxyTest do
) )
|> ReverseProxy.call("/headers") |> ReverseProxy.call("/headers")
%{"headers" => headers} = json_response(conn, 200) body = conn.resp_body
assert conn.status == 200
response = Jason.decode!(body)
headers = response["headers"]
refute headers["Accept-Language"] refute headers["Accept-Language"]
end end
end end
@ -328,4 +341,58 @@ defmodule Pleroma.ReverseProxyTest do
assert {"content-disposition", "attachment; filename=\"filename.jpg\""} in conn.resp_headers assert {"content-disposition", "attachment; filename=\"filename.jpg\""} in conn.resp_headers
end end
end end
describe "content-type sanitisation" do
test "preserves allowed image type", %{conn: conn} do
ClientMock
|> expect(:request, fn :get, "/content", _, _, _ ->
{:ok, 200, [{"content-type", "image/png"}], %{url: "/content"}}
end)
|> expect(:stream_body, fn _ -> :done end)
conn = ReverseProxy.call(conn, "/content")
assert conn.status == 200
assert Conn.get_resp_header(conn, "content-type") == ["image/png"]
end
test "preserves allowed video type", %{conn: conn} do
ClientMock
|> expect(:request, fn :get, "/content", _, _, _ ->
{:ok, 200, [{"content-type", "video/mp4"}], %{url: "/content"}}
end)
|> expect(:stream_body, fn _ -> :done end)
conn = ReverseProxy.call(conn, "/content")
assert conn.status == 200
assert Conn.get_resp_header(conn, "content-type") == ["video/mp4"]
end
test "sanitizes ActivityPub content type", %{conn: conn} do
ClientMock
|> expect(:request, fn :get, "/content", _, _, _ ->
{:ok, 200, [{"content-type", "application/activity+json"}], %{url: "/content"}}
end)
|> expect(:stream_body, fn _ -> :done end)
conn = ReverseProxy.call(conn, "/content")
assert conn.status == 200
assert Conn.get_resp_header(conn, "content-type") == ["application/octet-stream"]
end
test "sanitizes LD-JSON content type", %{conn: conn} do
ClientMock
|> expect(:request, fn :get, "/content", _, _, _ ->
{:ok, 200, [{"content-type", "application/ld+json"}], %{url: "/content"}}
end)
|> expect(:stream_body, fn _ -> :done end)
conn = ReverseProxy.call(conn, "/content")
assert conn.status == 200
assert Conn.get_resp_header(conn, "content-type") == ["application/octet-stream"]
end
end
end end

496
test/pleroma/safe_zip_test.exs Normal file
View file

@ -0,0 +1,496 @@
defmodule Pleroma.SafeZipTest do
# Not making this async because it creates and deletes files
use ExUnit.Case
alias Pleroma.SafeZip
@fixtures_dir "test/fixtures"
@tmp_dir "test/zip_tmp"
setup do
# Ensure tmp directory exists
File.mkdir_p!(@tmp_dir)
on_exit(fn ->
# Clean up any files created during tests
File.rm_rf!(@tmp_dir)
File.mkdir_p!(@tmp_dir)
end)
:ok
end
describe "list_dir_file/1" do
test "lists files in a valid zip" do
{:ok, files} = SafeZip.list_dir_file(Path.join(@fixtures_dir, "emojis.zip"))
assert is_list(files)
assert length(files) > 0
end
test "returns an empty list for empty zip" do
{:ok, files} = SafeZip.list_dir_file(Path.join(@fixtures_dir, "empty.zip"))
assert files == []
end
test "returns error for non-existent file" do
assert {:error, _} = SafeZip.list_dir_file(Path.join(@fixtures_dir, "nonexistent.zip"))
end
test "only lists regular files, not directories" do
# Create a zip with both files and directories
zip_path = create_zip_with_directory()
# List files with SafeZip
{:ok, files} = SafeZip.list_dir_file(zip_path)
# Verify only regular files are listed, not directories
assert "file_in_dir/test_file.txt" in files
assert "root_file.txt" in files
# Directory entries should not be included in the list
refute "file_in_dir/" in files
end
end
describe "contains_all_data?/2" do
test "returns true when all files are in the archive" do
# For this test, we'll create our own zip file with known content
# to ensure we can test the contains_all_data? function properly
zip_path = create_zip_with_directory()
archive_data = File.read!(zip_path)
# Check if the archive contains the root file
# Note: The function expects charlists (Erlang strings) in the MapSet
assert SafeZip.contains_all_data?(archive_data, MapSet.new([~c"root_file.txt"]))
end
test "returns false when files are missing" do
archive_path = Path.join(@fixtures_dir, "emojis.zip")
archive_data = File.read!(archive_path)
# Create a MapSet with non-existent files
fset = MapSet.new([~c"nonexistent.txt"])
refute SafeZip.contains_all_data?(archive_data, fset)
end
test "returns false for invalid archive data" do
refute SafeZip.contains_all_data?("invalid data", MapSet.new([~c"file.txt"]))
end
test "only checks for regular files, not directories" do
# Create a zip with both files and directories
zip_path = create_zip_with_directory()
archive_data = File.read!(zip_path)
# Check if the archive contains a directory (should return false)
refute SafeZip.contains_all_data?(archive_data, MapSet.new([~c"file_in_dir/"]))
# For this test, we'll manually check if the file exists in the archive
# by extracting it and verifying it exists
extract_dir = Path.join(@tmp_dir, "extract_check")
File.mkdir_p!(extract_dir)
{:ok, files} = SafeZip.unzip_file(zip_path, extract_dir)
# Verify the root file was extracted
assert Enum.any?(files, fn file ->
Path.basename(file) == "root_file.txt"
end)
# Verify the file exists on disk
assert File.exists?(Path.join(extract_dir, "root_file.txt"))
end
end
describe "zip/4" do
test "creates a zip file on disk" do
# Create a test file
test_file_path = Path.join(@tmp_dir, "test_file.txt")
File.write!(test_file_path, "test content")
# Create a zip file
zip_path = Path.join(@tmp_dir, "test.zip")
assert {:ok, ^zip_path} = SafeZip.zip(zip_path, ["test_file.txt"], @tmp_dir, false)
# Verify the zip file exists
assert File.exists?(zip_path)
end
test "creates a zip file in memory" do
# Create a test file
test_file_path = Path.join(@tmp_dir, "test_file.txt")
File.write!(test_file_path, "test content")
# Create a zip file in memory
zip_name = Path.join(@tmp_dir, "test.zip")
assert {:ok, {^zip_name, zip_data}} =
SafeZip.zip(zip_name, ["test_file.txt"], @tmp_dir, true)
# Verify the zip data is binary
assert is_binary(zip_data)
end
test "returns error for unsafe paths" do
# Try to zip a file with path traversal
assert {:error, _} =
SafeZip.zip(
Path.join(@tmp_dir, "test.zip"),
["../fixtures/test.txt"],
@tmp_dir,
false
)
end
test "can create zip with directories" do
# Create a directory structure
dir_path = Path.join(@tmp_dir, "test_dir")
File.mkdir_p!(dir_path)
file_in_dir_path = Path.join(dir_path, "file_in_dir.txt")
File.write!(file_in_dir_path, "file in directory")
# Create a zip file
zip_path = Path.join(@tmp_dir, "dir_test.zip")
assert {:ok, ^zip_path} =
SafeZip.zip(
zip_path,
["test_dir/file_in_dir.txt"],
@tmp_dir,
false
)
# Verify the zip file exists
assert File.exists?(zip_path)
# Extract and verify the directory structure is preserved
extract_dir = Path.join(@tmp_dir, "extract")
{:ok, files} = SafeZip.unzip_file(zip_path, extract_dir)
# Check if the file path is in the list, accounting for possible full paths
assert Enum.any?(files, fn file ->
String.ends_with?(file, "file_in_dir.txt")
end)
# Verify the file exists in the expected location
assert File.exists?(Path.join([extract_dir, "test_dir", "file_in_dir.txt"]))
end
end
describe "unzip_file/3" do
test "extracts files from a zip archive" do
archive_path = Path.join(@fixtures_dir, "emojis.zip")
# Extract the archive
assert {:ok, files} = SafeZip.unzip_file(archive_path, @tmp_dir)
# Verify files were extracted
assert is_list(files)
assert length(files) > 0
# Verify at least one file exists
first_file = List.first(files)
# Simply check that the file exists in the tmp directory
assert File.exists?(first_file)
end
test "extracts specific files from a zip archive" do
archive_path = Path.join(@fixtures_dir, "emojis.zip")
# Get list of files in the archive
{:ok, all_files} = SafeZip.list_dir_file(archive_path)
file_to_extract = List.first(all_files)
# Extract only one file
assert {:ok, [extracted_file]} =
SafeZip.unzip_file(archive_path, @tmp_dir, [file_to_extract])
# Verify only the specified file was extracted
assert Path.basename(extracted_file) == Path.basename(file_to_extract)
# Check that the file exists in the tmp directory
assert File.exists?(Path.join(@tmp_dir, Path.basename(file_to_extract)))
end
test "returns error for invalid zip file" do
invalid_path = Path.join(@tmp_dir, "invalid.zip")
File.write!(invalid_path, "not a zip file")
assert {:error, _} = SafeZip.unzip_file(invalid_path, @tmp_dir)
end
test "creates directories when extracting files in subdirectories" do
# Create a zip with files in subdirectories
zip_path = create_zip_with_directory()
# Extract the archive
assert {:ok, files} = SafeZip.unzip_file(zip_path, @tmp_dir)
# Verify files were extracted - handle both relative and absolute paths
assert Enum.any?(files, fn file ->
Path.basename(file) == "test_file.txt" &&
String.contains?(file, "file_in_dir")
end)
assert Enum.any?(files, fn file ->
Path.basename(file) == "root_file.txt"
end)
# Verify directory was created
dir_path = Path.join(@tmp_dir, "file_in_dir")
assert File.exists?(dir_path)
assert File.dir?(dir_path)
# Verify file in directory was extracted
file_path = Path.join(dir_path, "test_file.txt")
assert File.exists?(file_path)
end
end
describe "unzip_data/3" do
test "extracts files from zip data" do
archive_path = Path.join(@fixtures_dir, "emojis.zip")
archive_data = File.read!(archive_path)
# Extract the archive from data
assert {:ok, files} = SafeZip.unzip_data(archive_data, @tmp_dir)
# Verify files were extracted
assert is_list(files)
assert length(files) > 0
# Verify at least one file exists
first_file = List.first(files)
# Simply check that the file exists in the tmp directory
assert File.exists?(first_file)
end
test "extracts specific files from zip data" do
archive_path = Path.join(@fixtures_dir, "emojis.zip")
archive_data = File.read!(archive_path)
# Get list of files in the archive
{:ok, all_files} = SafeZip.list_dir_file(archive_path)
file_to_extract = List.first(all_files)
# Extract only one file
assert {:ok, extracted_files} =
SafeZip.unzip_data(archive_data, @tmp_dir, [file_to_extract])
# Verify only the specified file was extracted
assert Enum.any?(extracted_files, fn path ->
Path.basename(path) == Path.basename(file_to_extract)
end)
# Simply check that the file exists in the tmp directory
assert File.exists?(Path.join(@tmp_dir, Path.basename(file_to_extract)))
end
test "returns error for invalid zip data" do
assert {:error, _} = SafeZip.unzip_data("not a zip file", @tmp_dir)
end
test "creates directories when extracting files in subdirectories from data" do
# Create a zip with files in subdirectories
zip_path = create_zip_with_directory()
archive_data = File.read!(zip_path)
# Extract the archive from data
assert {:ok, files} = SafeZip.unzip_data(archive_data, @tmp_dir)
# Verify files were extracted - handle both relative and absolute paths
assert Enum.any?(files, fn file ->
Path.basename(file) == "test_file.txt" &&
String.contains?(file, "file_in_dir")
end)
assert Enum.any?(files, fn file ->
Path.basename(file) == "root_file.txt"
end)
# Verify directory was created
dir_path = Path.join(@tmp_dir, "file_in_dir")
assert File.exists?(dir_path)
assert File.dir?(dir_path)
# Verify file in directory was extracted
file_path = Path.join(dir_path, "test_file.txt")
assert File.exists?(file_path)
end
end
# Security tests
describe "security checks" do
test "prevents path traversal in zip extraction" do
# Create a malicious zip file with path traversal
malicious_zip_path = create_malicious_zip_with_path_traversal()
# Try to extract it with SafeZip
assert {:error, _} = SafeZip.unzip_file(malicious_zip_path, @tmp_dir)
# Verify the file was not extracted outside the target directory
refute File.exists?(Path.join(Path.dirname(@tmp_dir), "traversal_attempt.txt"))
end
test "prevents directory traversal in zip listing" do
# Create a malicious zip file with path traversal
malicious_zip_path = create_malicious_zip_with_path_traversal()
# Try to list files with SafeZip
assert {:error, _} = SafeZip.list_dir_file(malicious_zip_path)
end
test "prevents path traversal in zip data extraction" do
# Create a malicious zip file with path traversal
malicious_zip_path = create_malicious_zip_with_path_traversal()
malicious_data = File.read!(malicious_zip_path)
# Try to extract it with SafeZip
assert {:error, _} = SafeZip.unzip_data(malicious_data, @tmp_dir)
# Verify the file was not extracted outside the target directory
refute File.exists?(Path.join(Path.dirname(@tmp_dir), "traversal_attempt.txt"))
end
test "handles zip bomb attempts" do
# Create a zip bomb (a zip with many files or large files)
zip_bomb_path = create_zip_bomb()
# The SafeZip module should handle this gracefully
# Either by successfully extracting it (if it's not too large)
# or by returning an error (if it detects a potential zip bomb)
result = SafeZip.unzip_file(zip_bomb_path, @tmp_dir)
case result do
{:ok, _} ->
# If it successfully extracts, make sure it didn't fill up the disk
# This is a simple check to ensure the extraction was controlled
assert File.exists?(@tmp_dir)
{:error, _} ->
# If it returns an error, that's also acceptable
# The important thing is that it doesn't crash or hang
assert true
end
end
test "handles deeply nested directory structures" do
# Create a zip with deeply nested directories
deep_nest_path = create_deeply_nested_zip()
# The SafeZip module should handle this gracefully
result = SafeZip.unzip_file(deep_nest_path, @tmp_dir)
case result do
{:ok, files} ->
# If it successfully extracts, verify the files were extracted
assert is_list(files)
assert length(files) > 0
{:error, _} ->
# If it returns an error, that's also acceptable
# The important thing is that it doesn't crash or hang
assert true
end
end
end
# Helper functions to create test fixtures
# Creates a zip file with a path traversal attempt
defp create_malicious_zip_with_path_traversal do
malicious_zip_path = Path.join(@tmp_dir, "path_traversal.zip")
# Create a file to include in the zip
test_file_path = Path.join(@tmp_dir, "test_file.txt")
File.write!(test_file_path, "malicious content")
# Use Erlang's zip module directly to create a zip with path traversal
{:ok, charlist_path} =
:zip.create(
String.to_charlist(malicious_zip_path),
[{String.to_charlist("../traversal_attempt.txt"), File.read!(test_file_path)}]
)
to_string(charlist_path)
end
# Creates a zip file with directory entries
defp create_zip_with_directory do
zip_path = Path.join(@tmp_dir, "with_directory.zip")
# Create files to include in the zip
root_file_path = Path.join(@tmp_dir, "root_file.txt")
File.write!(root_file_path, "root file content")
# Create a directory and a file in it
dir_path = Path.join(@tmp_dir, "file_in_dir")
File.mkdir_p!(dir_path)
file_in_dir_path = Path.join(dir_path, "test_file.txt")
File.write!(file_in_dir_path, "file in directory content")
# Use Erlang's zip module to create a zip with directory structure
{:ok, charlist_path} =
:zip.create(
String.to_charlist(zip_path),
[
{String.to_charlist("root_file.txt"), File.read!(root_file_path)},
{String.to_charlist("file_in_dir/test_file.txt"), File.read!(file_in_dir_path)}
]
)
to_string(charlist_path)
end
# Creates a zip bomb (a zip with many small files)
defp create_zip_bomb do
zip_path = Path.join(@tmp_dir, "zip_bomb.zip")
# Create a small file to duplicate many times
small_file_path = Path.join(@tmp_dir, "small_file.txt")
File.write!(small_file_path, String.duplicate("A", 100))
# Create a list of many files to include in the zip
file_entries =
for i <- 1..100 do
{String.to_charlist("file_#{i}.txt"), File.read!(small_file_path)}
end
# Use Erlang's zip module to create a zip with many files
{:ok, charlist_path} =
:zip.create(
String.to_charlist(zip_path),
file_entries
)
to_string(charlist_path)
end
# Creates a zip with deeply nested directories
defp create_deeply_nested_zip do
zip_path = Path.join(@tmp_dir, "deep_nest.zip")
# Create a file to include in the zip
file_content = "test content"
# Create a list of deeply nested files
file_entries =
for i <- 1..10 do
nested_path = Enum.reduce(1..i, "nested", fn j, acc -> "#{acc}/level_#{j}" end)
{String.to_charlist("#{nested_path}/file.txt"), file_content}
end
# Use Erlang's zip module to create a zip with deeply nested directories
{:ok, charlist_path} =
:zip.create(
String.to_charlist(zip_path),
file_entries
)
to_string(charlist_path)
end
end

17
test/pleroma/upload/filter/anonymize_filename_test.exs
View file

@ -3,8 +3,10 @@
# SPDX-License-Identifier: AGPL-3.0-only # SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Upload.Filter.AnonymizeFilenameTest do defmodule Pleroma.Upload.Filter.AnonymizeFilenameTest do
use Pleroma.DataCase use Pleroma.DataCase, async: true
import Mox
alias Pleroma.StaticStubbedConfigMock, as: ConfigMock
alias Pleroma.Upload alias Pleroma.Upload
setup do setup do
@ -19,21 +21,26 @@ defmodule Pleroma.Upload.Filter.AnonymizeFilenameTest do
%{upload_file: upload_file} %{upload_file: upload_file}
end end
setup do: clear_config([Pleroma.Upload.Filter.AnonymizeFilename, :text])
test "it replaces filename on pre-defined text", %{upload_file: upload_file} do test "it replaces filename on pre-defined text", %{upload_file: upload_file} do
clear_config([Upload.Filter.AnonymizeFilename, :text], "custom-file.png") ConfigMock
|> stub(:get, fn [Upload.Filter.AnonymizeFilename, :text] -> "custom-file.png" end)
{:ok, :filtered, %Upload{name: name}} = Upload.Filter.AnonymizeFilename.filter(upload_file) {:ok, :filtered, %Upload{name: name}} = Upload.Filter.AnonymizeFilename.filter(upload_file)
assert name == "custom-file.png" assert name == "custom-file.png"
end end
test "it replaces filename on pre-defined text expression", %{upload_file: upload_file} do test "it replaces filename on pre-defined text expression", %{upload_file: upload_file} do
clear_config([Upload.Filter.AnonymizeFilename, :text], "custom-file.{extension}") ConfigMock
|> stub(:get, fn [Upload.Filter.AnonymizeFilename, :text] -> "custom-file.{extension}" end)
{:ok, :filtered, %Upload{name: name}} = Upload.Filter.AnonymizeFilename.filter(upload_file) {:ok, :filtered, %Upload{name: name}} = Upload.Filter.AnonymizeFilename.filter(upload_file)
assert name == "custom-file.jpg" assert name == "custom-file.jpg"
end end
test "it replaces filename on random text", %{upload_file: upload_file} do test "it replaces filename on random text", %{upload_file: upload_file} do
ConfigMock
|> stub(:get, fn [Upload.Filter.AnonymizeFilename, :text] -> nil end)
{:ok, :filtered, %Upload{name: name}} = Upload.Filter.AnonymizeFilename.filter(upload_file) {:ok, :filtered, %Upload{name: name}} = Upload.Filter.AnonymizeFilename.filter(upload_file)
assert <<_::bytes-size(14)>> <> ".jpg" = name assert <<_::bytes-size(14)>> <> ".jpg" = name
refute name == "an… image.jpg" refute name == "an… image.jpg"

28
test/pleroma/upload/filter/mogrifun_test.exs
View file

@ -3,9 +3,10 @@
# SPDX-License-Identifier: AGPL-3.0-only # SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Upload.Filter.MogrifunTest do defmodule Pleroma.Upload.Filter.MogrifunTest do
use Pleroma.DataCase use Pleroma.DataCase, async: true
import Mock import Mox
alias Pleroma.MogrifyMock
alias Pleroma.Upload alias Pleroma.Upload
alias Pleroma.Upload.Filter alias Pleroma.Upload.Filter
@ -22,23 +23,12 @@ defmodule Pleroma.Upload.Filter.MogrifunTest do
tempfile: Path.absname("test/fixtures/image_tmp.jpg") tempfile: Path.absname("test/fixtures/image_tmp.jpg")
} }
task = MogrifyMock
Task.async(fn -> |> stub(:open, fn _file -> %{} end)
assert_receive {:apply_filter, {}}, 4_000 |> stub(:custom, fn _image, _action -> %{} end)
end) |> stub(:custom, fn _image, _action, _options -> %{} end)
|> stub(:save, fn _image, [in_place: true] -> :ok end)
with_mocks([ assert Filter.Mogrifun.filter(upload) == {:ok, :filtered}
{Mogrify, [],
[
open: fn _f -> %Mogrify.Image{} end,
custom: fn _m, _a -> send(task.pid, {:apply_filter, {}}) end,
custom: fn _m, _a, _o -> send(task.pid, {:apply_filter, {}}) end,
save: fn _f, _o -> :ok end
]}
]) do
assert Filter.Mogrifun.filter(upload) == {:ok, :filtered}
end
Task.await(task)
end end
end end

29
test/pleroma/upload/filter/mogrify_test.exs
View file

@ -3,13 +3,18 @@
# SPDX-License-Identifier: AGPL-3.0-only # SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Upload.Filter.MogrifyTest do defmodule Pleroma.Upload.Filter.MogrifyTest do
use Pleroma.DataCase use Pleroma.DataCase, async: true
import Mock import Mox
alias Pleroma.MogrifyMock
alias Pleroma.StaticStubbedConfigMock, as: ConfigMock
alias Pleroma.Upload.Filter alias Pleroma.Upload.Filter
setup :verify_on_exit!
test "apply mogrify filter" do test "apply mogrify filter" do
clear_config(Filter.Mogrify, args: [{"tint", "40"}]) ConfigMock
|> stub(:get!, fn [Filter.Mogrify, :args] -> [{"tint", "40"}] end)
File.cp!( File.cp!(
"test/fixtures/image.jpg", "test/fixtures/image.jpg",
@ -23,19 +28,11 @@ defmodule Pleroma.Upload.Filter.MogrifyTest do
tempfile: Path.absname("test/fixtures/image_tmp.jpg") tempfile: Path.absname("test/fixtures/image_tmp.jpg")
} }
task = MogrifyMock
Task.async(fn -> |> expect(:open, fn _file -> %{} end)
assert_receive {:apply_filter, {_, "tint", "40"}}, 4_000 |> expect(:custom, fn _image, "tint", "40" -> %{} end)
end) |> expect(:save, fn _image, [in_place: true] -> :ok end)
with_mock Mogrify, assert Filter.Mogrify.filter(upload) == {:ok, :filtered}
open: fn _f -> %Mogrify.Image{} end,
custom: fn _m, _a -> :ok end,
custom: fn m, a, o -> send(task.pid, {:apply_filter, {m, a, o}}) end,
save: fn _f, _o -> :ok end do
assert Filter.Mogrify.filter(upload) == {:ok, :filtered}
end
Task.await(task)
end end
end end

7
test/pleroma/upload/filter_test.exs
View file

@ -5,12 +5,13 @@
defmodule Pleroma.Upload.FilterTest do defmodule Pleroma.Upload.FilterTest do
use Pleroma.DataCase use Pleroma.DataCase
import Mox
alias Pleroma.StaticStubbedConfigMock, as: ConfigMock
alias Pleroma.Upload.Filter alias Pleroma.Upload.Filter
setup do: clear_config([Pleroma.Upload.Filter.AnonymizeFilename, :text])
test "applies filters" do test "applies filters" do
clear_config([Pleroma.Upload.Filter.AnonymizeFilename, :text], "custom-file.png") ConfigMock
|> stub(:get, fn [Pleroma.Upload.Filter.AnonymizeFilename, :text] -> "custom-file.png" end)
File.cp!( File.cp!(
"test/fixtures/image.jpg", "test/fixtures/image.jpg",

22
test/pleroma/user_relationship_test.exs
View file

@ -3,11 +3,12 @@
# SPDX-License-Identifier: AGPL-3.0-only # SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.UserRelationshipTest do defmodule Pleroma.UserRelationshipTest do
alias Pleroma.DateTimeMock
alias Pleroma.UserRelationship alias Pleroma.UserRelationship
use Pleroma.DataCase, async: false use Pleroma.DataCase, async: true
import Mock import Mox
import Pleroma.Factory import Pleroma.Factory
describe "*_exists?/2" do describe "*_exists?/2" do
@ -52,6 +53,9 @@ defmodule Pleroma.UserRelationshipTest do
end end
test "creates user relationship record if it doesn't exist", %{users: [user1, user2]} do test "creates user relationship record if it doesn't exist", %{users: [user1, user2]} do
DateTimeMock
|> stub_with(Pleroma.DateTime.Impl)
for relationship_type <- [ for relationship_type <- [
:block, :block,
:mute, :mute,
@ -80,13 +84,15 @@ defmodule Pleroma.UserRelationshipTest do
end end
test "if record already exists, returns it", %{users: [user1, user2]} do test "if record already exists, returns it", %{users: [user1, user2]} do
user_block = fixed_datetime = ~N[2017-03-17 17:09:58]
with_mock NaiveDateTime, [:passthrough], utc_now: fn -> ~N[2017-03-17 17:09:58] end do
{:ok, %{inserted_at: ~N[2017-03-17 17:09:58]}} =
UserRelationship.create_block(user1, user2)
end
assert user_block == UserRelationship.create_block(user1, user2) Pleroma.DateTimeMock
|> expect(:utc_now, 2, fn -> fixed_datetime end)
{:ok, %{inserted_at: ^fixed_datetime}} = UserRelationship.create_block(user1, user2)
# Test the idempotency without caring about the exact time
assert {:ok, _} = UserRelationship.create_block(user1, user2)
end end
end end

14
test/pleroma/user_test.exs
View file

@ -20,7 +20,7 @@ defmodule Pleroma.UserTest do
import Swoosh.TestAssertions import Swoosh.TestAssertions
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end
@ -2405,8 +2405,8 @@ defmodule Pleroma.UserTest do
other_user = other_user =
insert(:user, insert(:user,
local: false, local: false,
follower_address: "http://localhost:4001/users/masto_closed/followers", follower_address: "https://remote.org/users/masto_closed/followers",
following_address: "http://localhost:4001/users/masto_closed/following" following_address: "https://remote.org/users/masto_closed/following"
) )
assert other_user.following_count == 0 assert other_user.following_count == 0
@ -2426,8 +2426,8 @@ defmodule Pleroma.UserTest do
other_user = other_user =
insert(:user, insert(:user,
local: false, local: false,
follower_address: "http://localhost:4001/users/masto_closed/followers", follower_address: "https://remote.org/users/masto_closed/followers",
following_address: "http://localhost:4001/users/masto_closed/following" following_address: "https://remote.org/users/masto_closed/following"
) )
assert other_user.following_count == 0 assert other_user.following_count == 0
@ -2447,8 +2447,8 @@ defmodule Pleroma.UserTest do
other_user = other_user =
insert(:user, insert(:user,
local: false, local: false,
follower_address: "http://localhost:4001/users/masto_closed/followers", follower_address: "https://remote.org/users/masto_closed/followers",
following_address: "http://localhost:4001/users/masto_closed/following" following_address: "https://remote.org/users/masto_closed/following"
) )
assert other_user.following_count == 0 assert other_user.following_count == 0

76
test/pleroma/web/activity_pub/activity_pub_controller_test.exs
View file

@ -26,7 +26,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
require Pleroma.Constants require Pleroma.Constants
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end
@ -1344,6 +1344,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
end end
describe "GET /users/:nickname/outbox" do describe "GET /users/:nickname/outbox" do
setup do
Mox.stub_with(Pleroma.StaticStubbedConfigMock, Pleroma.Config)
:ok
end
test "it paginates correctly", %{conn: conn} do test "it paginates correctly", %{conn: conn} do
user = insert(:user) user = insert(:user)
conn = assign(conn, :user, user) conn = assign(conn, :user, user)
@ -1432,6 +1437,22 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert %{"orderedItems" => []} = resp assert %{"orderedItems" => []} = resp
end end
test "it does not return a local note activity when C2S API is disabled", %{conn: conn} do
clear_config([:activitypub, :client_api_enabled], false)
user = insert(:user)
reader = insert(:user)
{:ok, _note_activity} = CommonAPI.post(user, %{status: "mew mew", visibility: "local"})
resp =
conn
|> assign(:user, reader)
|> put_req_header("accept", "application/activity+json")
|> get("/users/#{user.nickname}/outbox?page=true")
|> json_response(200)
assert %{"orderedItems" => []} = resp
end
test "it returns a note activity in a collection", %{conn: conn} do test "it returns a note activity in a collection", %{conn: conn} do
note_activity = insert(:note_activity) note_activity = insert(:note_activity)
note_object = Object.normalize(note_activity, fetch: false) note_object = Object.normalize(note_activity, fetch: false)
@ -1483,6 +1504,35 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert [answer_outbox] = outbox_get["orderedItems"] assert [answer_outbox] = outbox_get["orderedItems"]
assert answer_outbox["id"] == activity.data["id"] assert answer_outbox["id"] == activity.data["id"]
end end
test "it works with authorized fetch forced when authenticated" do
clear_config([:activitypub, :authorized_fetch_mode], true)
user = insert(:user)
outbox_endpoint = user.ap_id <> "/outbox"
conn =
build_conn()
|> assign(:user, user)
|> put_req_header("accept", "application/activity+json")
|> get(outbox_endpoint)
assert json_response(conn, 200)
end
test "it fails with authorized fetch forced when unauthenticated", %{conn: conn} do
clear_config([:activitypub, :authorized_fetch_mode], true)
user = insert(:user)
outbox_endpoint = user.ap_id <> "/outbox"
conn =
conn
|> put_req_header("accept", "application/activity+json")
|> get(outbox_endpoint)
assert response(conn, 401)
end
end end
describe "POST /users/:nickname/outbox (C2S)" do describe "POST /users/:nickname/outbox (C2S)" do
@ -2153,6 +2203,30 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
|> post("/api/ap/upload_media", %{"file" => image, "description" => desc}) |> post("/api/ap/upload_media", %{"file" => image, "description" => desc})
|> json_response(403) |> json_response(403)
end end
test "they don't work when C2S API is disabled", %{conn: conn} do
clear_config([:activitypub, :client_api_enabled], false)
user = insert(:user)
assert conn
|> assign(:user, user)
|> get("/api/ap/whoami")
|> response(403)
desc = "Description of the image"
image = %Plug.Upload{
content_type: "image/jpeg",
path: Path.absname("test/fixtures/image.jpg"),
filename: "an_image.jpg"
}
assert conn
|> assign(:user, user)
|> post("/api/ap/upload_media", %{"file" => image, "description" => desc})
|> response(403)
end
end end
test "pinned collection", %{conn: conn} do test "pinned collection", %{conn: conn} do

36
test/pleroma/web/activity_pub/activity_pub_test.exs
View file

@ -1785,8 +1785,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
user = user =
insert(:user, insert(:user,
local: false, local: false,
follower_address: "http://localhost:4001/users/fuser2/followers", follower_address: "https://remote.org/users/fuser2/followers",
following_address: "http://localhost:4001/users/fuser2/following" following_address: "https://remote.org/users/fuser2/following"
) )
{:ok, info} = ActivityPub.fetch_follow_information_for_user(user) {:ok, info} = ActivityPub.fetch_follow_information_for_user(user)
@ -1797,7 +1797,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
test "detects hidden followers" do test "detects hidden followers" do
mock(fn env -> mock(fn env ->
case env.url do case env.url do
"http://localhost:4001/users/masto_closed/followers?page=1" -> "https://remote.org/users/masto_closed/followers?page=1" ->
%Tesla.Env{status: 403, body: ""} %Tesla.Env{status: 403, body: ""}
_ -> _ ->
@ -1808,8 +1808,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
user = user =
insert(:user, insert(:user,
local: false, local: false,
follower_address: "http://localhost:4001/users/masto_closed/followers", follower_address: "https://remote.org/users/masto_closed/followers",
following_address: "http://localhost:4001/users/masto_closed/following" following_address: "https://remote.org/users/masto_closed/following"
) )
{:ok, follow_info} = ActivityPub.fetch_follow_information_for_user(user) {:ok, follow_info} = ActivityPub.fetch_follow_information_for_user(user)
@ -1820,7 +1820,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
test "detects hidden follows" do test "detects hidden follows" do
mock(fn env -> mock(fn env ->
case env.url do case env.url do
"http://localhost:4001/users/masto_closed/following?page=1" -> "https://remote.org/users/masto_closed/following?page=1" ->
%Tesla.Env{status: 403, body: ""} %Tesla.Env{status: 403, body: ""}
_ -> _ ->
@ -1831,8 +1831,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
user = user =
insert(:user, insert(:user,
local: false, local: false,
follower_address: "http://localhost:4001/users/masto_closed/followers", follower_address: "https://remote.org/users/masto_closed/followers",
following_address: "http://localhost:4001/users/masto_closed/following" following_address: "https://remote.org/users/masto_closed/following"
) )
{:ok, follow_info} = ActivityPub.fetch_follow_information_for_user(user) {:ok, follow_info} = ActivityPub.fetch_follow_information_for_user(user)
@ -1844,8 +1844,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
user = user =
insert(:user, insert(:user,
local: false, local: false,
follower_address: "http://localhost:8080/followers/fuser3", follower_address: "https://remote.org/followers/fuser3",
following_address: "http://localhost:8080/following/fuser3" following_address: "https://remote.org/following/fuser3"
) )
{:ok, follow_info} = ActivityPub.fetch_follow_information_for_user(user) {:ok, follow_info} = ActivityPub.fetch_follow_information_for_user(user)
@ -1858,28 +1858,28 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
test "doesn't crash when follower and following counters are hidden" do test "doesn't crash when follower and following counters are hidden" do
mock(fn env -> mock(fn env ->
case env.url do case env.url do
"http://localhost:4001/users/masto_hidden_counters/following" -> "https://remote.org/users/masto_hidden_counters/following" ->
json( json(
%{ %{
"@context" => "https://www.w3.org/ns/activitystreams", "@context" => "https://www.w3.org/ns/activitystreams",
"id" => "http://localhost:4001/users/masto_hidden_counters/followers" "id" => "https://remote.org/users/masto_hidden_counters/followers"
}, },
headers: HttpRequestMock.activitypub_object_headers() headers: HttpRequestMock.activitypub_object_headers()
) )
"http://localhost:4001/users/masto_hidden_counters/following?page=1" -> "https://remote.org/users/masto_hidden_counters/following?page=1" ->
%Tesla.Env{status: 403, body: ""} %Tesla.Env{status: 403, body: ""}
"http://localhost:4001/users/masto_hidden_counters/followers" -> "https://remote.org/users/masto_hidden_counters/followers" ->
json( json(
%{ %{
"@context" => "https://www.w3.org/ns/activitystreams", "@context" => "https://www.w3.org/ns/activitystreams",
"id" => "http://localhost:4001/users/masto_hidden_counters/following" "id" => "https://remote.org/users/masto_hidden_counters/following"
}, },
headers: HttpRequestMock.activitypub_object_headers() headers: HttpRequestMock.activitypub_object_headers()
) )
"http://localhost:4001/users/masto_hidden_counters/followers?page=1" -> "https://remote.org/users/masto_hidden_counters/followers?page=1" ->
%Tesla.Env{status: 403, body: ""} %Tesla.Env{status: 403, body: ""}
end end
end) end)
@ -1887,8 +1887,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
user = user =
insert(:user, insert(:user,
local: false, local: false,
follower_address: "http://localhost:4001/users/masto_hidden_counters/followers", follower_address: "https://remote.org/users/masto_hidden_counters/followers",
following_address: "http://localhost:4001/users/masto_hidden_counters/following" following_address: "https://remote.org/users/masto_hidden_counters/following"
) )
{:ok, follow_info} = ActivityPub.fetch_follow_information_for_user(user) {:ok, follow_info} = ActivityPub.fetch_follow_information_for_user(user)

117
test/pleroma/web/activity_pub/mrf/fo_direct_reply_test.exs
View file

@ -1,117 +0,0 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.ActivityPub.MRF.FODirectReplyTest do
use Pleroma.DataCase
import Pleroma.Factory
require Pleroma.Constants
alias Pleroma.Object
alias Pleroma.Web.ActivityPub.MRF.FODirectReply
alias Pleroma.Web.CommonAPI
test "replying to followers-only/private is changed to direct" do
batman = insert(:user, nickname: "batman")
robin = insert(:user, nickname: "robin")
{:ok, post} =
CommonAPI.post(batman, %{
status: "Has anyone seen Selina Kyle's latest selfies?",
visibility: "private"
})
reply = %{
"type" => "Create",
"actor" => robin.ap_id,
"to" => [batman.ap_id, robin.follower_address],
"cc" => [],
"object" => %{
"type" => "Note",
"actor" => robin.ap_id,
"content" => "@batman 🤤 ❤️ 🐈‍⬛",
"to" => [batman.ap_id, robin.follower_address],
"cc" => [],
"inReplyTo" => Object.normalize(post).data["id"]
}
}
expected_to = [batman.ap_id]
expected_cc = []
assert {:ok, filtered} = FODirectReply.filter(reply)
assert expected_to == filtered["to"]
assert expected_cc == filtered["cc"]
assert expected_to == filtered["object"]["to"]
assert expected_cc == filtered["object"]["cc"]
end
test "replies to unlisted posts are unmodified" do
batman = insert(:user, nickname: "batman")
robin = insert(:user, nickname: "robin")
{:ok, post} =
CommonAPI.post(batman, %{
status: "Has anyone seen Selina Kyle's latest selfies?",
visibility: "unlisted"
})
reply = %{
"type" => "Create",
"actor" => robin.ap_id,
"to" => [batman.ap_id, robin.follower_address],
"cc" => [],
"object" => %{
"type" => "Note",
"actor" => robin.ap_id,
"content" => "@batman 🤤 ❤️ 🐈<200d>⬛",
"to" => [batman.ap_id, robin.follower_address],
"cc" => [],
"inReplyTo" => Object.normalize(post).data["id"]
}
}
assert {:ok, filtered} = FODirectReply.filter(reply)
assert match?(^filtered, reply)
end
test "replies to public posts are unmodified" do
batman = insert(:user, nickname: "batman")
robin = insert(:user, nickname: "robin")
{:ok, post} =
CommonAPI.post(batman, %{status: "Has anyone seen Selina Kyle's latest selfies?"})
reply = %{
"type" => "Create",
"actor" => robin.ap_id,
"to" => [batman.ap_id, robin.follower_address],
"cc" => [],
"object" => %{
"type" => "Note",
"actor" => robin.ap_id,
"content" => "@batman 🤤 ❤️ 🐈<200d>⬛",
"to" => [batman.ap_id, robin.follower_address],
"cc" => [],
"inReplyTo" => Object.normalize(post).data["id"]
}
}
assert {:ok, filtered} = FODirectReply.filter(reply)
assert match?(^filtered, reply)
end
test "non-reply posts are unmodified" do
batman = insert(:user, nickname: "batman")
{:ok, post} = CommonAPI.post(batman, %{status: "To the Batmobile!"})
assert {:ok, filtered} = FODirectReply.filter(post)
assert match?(^filtered, post)
end
end

140
test/pleroma/web/activity_pub/mrf/quiet_reply_test.exs
View file

@ -1,140 +0,0 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.ActivityPub.MRF.QuietReplyTest do
use Pleroma.DataCase
import Pleroma.Factory
require Pleroma.Constants
alias Pleroma.Object
alias Pleroma.Web.ActivityPub.MRF.QuietReply
alias Pleroma.Web.CommonAPI
test "replying to public post is forced to be quiet" do
batman = insert(:user, nickname: "batman")
robin = insert(:user, nickname: "robin")
{:ok, post} = CommonAPI.post(batman, %{status: "To the Batmobile!"})
reply = %{
"type" => "Create",
"actor" => robin.ap_id,
"to" => [
batman.ap_id,
Pleroma.Constants.as_public()
],
"cc" => [robin.follower_address],
"object" => %{
"type" => "Note",
"actor" => robin.ap_id,
"content" => "@batman Wait up, I forgot my spandex!",
"to" => [
batman.ap_id,
Pleroma.Constants.as_public()
],
"cc" => [robin.follower_address],
"inReplyTo" => Object.normalize(post).data["id"]
}
}
expected_to = [batman.ap_id, robin.follower_address]
expected_cc = [Pleroma.Constants.as_public()]
assert {:ok, filtered} = QuietReply.filter(reply)
assert expected_to == filtered["to"]
assert expected_cc == filtered["cc"]
assert expected_to == filtered["object"]["to"]
assert expected_cc == filtered["object"]["cc"]
end
test "replying to unlisted post is unmodified" do
batman = insert(:user, nickname: "batman")
robin = insert(:user, nickname: "robin")
{:ok, post} = CommonAPI.post(batman, %{status: "To the Batmobile!", visibility: "private"})
reply = %{
"type" => "Create",
"actor" => robin.ap_id,
"to" => [batman.ap_id],
"cc" => [],
"object" => %{
"type" => "Note",
"actor" => robin.ap_id,
"content" => "@batman Wait up, I forgot my spandex!",
"to" => [batman.ap_id],
"cc" => [],
"inReplyTo" => Object.normalize(post).data["id"]
}
}
assert {:ok, filtered} = QuietReply.filter(reply)
assert match?(^filtered, reply)
end
test "replying direct is unmodified" do
batman = insert(:user, nickname: "batman")
robin = insert(:user, nickname: "robin")
{:ok, post} = CommonAPI.post(batman, %{status: "To the Batmobile!"})
reply = %{
"type" => "Create",
"actor" => robin.ap_id,
"to" => [batman.ap_id],
"cc" => [],
"object" => %{
"type" => "Note",
"actor" => robin.ap_id,
"content" => "@batman Wait up, I forgot my spandex!",
"to" => [batman.ap_id],
"cc" => [],
"inReplyTo" => Object.normalize(post).data["id"]
}
}
assert {:ok, filtered} = QuietReply.filter(reply)
assert match?(^filtered, reply)
end
test "replying followers-only is unmodified" do
batman = insert(:user, nickname: "batman")
robin = insert(:user, nickname: "robin")
{:ok, post} = CommonAPI.post(batman, %{status: "To the Batmobile!"})
reply = %{
"type" => "Create",
"actor" => robin.ap_id,
"to" => [batman.ap_id, robin.follower_address],
"cc" => [],
"object" => %{
"type" => "Note",
"actor" => robin.ap_id,
"content" => "@batman Wait up, I forgot my spandex!",
"to" => [batman.ap_id, robin.follower_address],
"cc" => [],
"inReplyTo" => Object.normalize(post).data["id"]
}
}
assert {:ok, filtered} = QuietReply.filter(reply)
assert match?(^filtered, reply)
end
test "non-reply posts are unmodified" do
batman = insert(:user, nickname: "batman")
{:ok, post} = CommonAPI.post(batman, %{status: "To the Batmobile!"})
assert {:ok, filtered} = QuietReply.filter(post)
assert match?(^filtered, post)
end
end

123
test/pleroma/web/activity_pub/mrf/steal_emoji_policy_test.exs
View file

@ -87,7 +87,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicyTest do
assert File.exists?(fullpath) assert File.exists?(fullpath)
end end
test "rejects invalid shortcodes", %{path: path} do test "rejects invalid shortcodes with slashes", %{path: path} do
message = %{ message = %{
"type" => "Create", "type" => "Create",
"object" => %{ "object" => %{
@ -113,6 +113,58 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicyTest do
refute File.exists?(fullpath) refute File.exists?(fullpath)
end end
test "rejects invalid shortcodes with dots", %{path: path} do
message = %{
"type" => "Create",
"object" => %{
"emoji" => [{"fired.fox", "https://example.org/emoji/firedfox"}],
"actor" => "https://example.org/users/admin"
}
}
fullpath = Path.join(path, "fired.fox.png")
Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox"} ->
%Tesla.Env{status: 200, body: File.read!("test/fixtures/image.jpg")}
end)
clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)
refute "fired.fox" in installed()
refute File.exists?(path)
assert {:ok, _message} = StealEmojiPolicy.filter(message)
refute "fired.fox" in installed()
refute File.exists?(fullpath)
end
test "rejects invalid shortcodes with special characters", %{path: path} do
message = %{
"type" => "Create",
"object" => %{
"emoji" => [{"fired:fox", "https://example.org/emoji/firedfox"}],
"actor" => "https://example.org/users/admin"
}
}
fullpath = Path.join(path, "fired:fox.png")
Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox"} ->
%Tesla.Env{status: 200, body: File.read!("test/fixtures/image.jpg")}
end)
clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)
refute "fired:fox" in installed()
refute File.exists?(path)
assert {:ok, _message} = StealEmojiPolicy.filter(message)
refute "fired:fox" in installed()
refute File.exists?(fullpath)
end
test "reject regex shortcode", %{message: message} do test "reject regex shortcode", %{message: message} do
refute "firedfox" in installed() refute "firedfox" in installed()
@ -171,5 +223,74 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicyTest do
refute "firedfox" in installed() refute "firedfox" in installed()
end end
test "accepts valid alphanum shortcodes", %{path: path} do
message = %{
"type" => "Create",
"object" => %{
"emoji" => [{"fire1fox", "https://example.org/emoji/fire1fox.png"}],
"actor" => "https://example.org/users/admin"
}
}
Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/fire1fox.png"} ->
%Tesla.Env{status: 200, body: File.read!("test/fixtures/image.jpg")}
end)
clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)
refute "fire1fox" in installed()
refute File.exists?(path)
assert {:ok, _message} = StealEmojiPolicy.filter(message)
assert "fire1fox" in installed()
end
test "accepts valid shortcodes with underscores", %{path: path} do
message = %{
"type" => "Create",
"object" => %{
"emoji" => [{"fire_fox", "https://example.org/emoji/fire_fox.png"}],
"actor" => "https://example.org/users/admin"
}
}
Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/fire_fox.png"} ->
%Tesla.Env{status: 200, body: File.read!("test/fixtures/image.jpg")}
end)
clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)
refute "fire_fox" in installed()
refute File.exists?(path)
assert {:ok, _message} = StealEmojiPolicy.filter(message)
assert "fire_fox" in installed()
end
test "accepts valid shortcodes with hyphens", %{path: path} do
message = %{
"type" => "Create",
"object" => %{
"emoji" => [{"fire-fox", "https://example.org/emoji/fire-fox.png"}],
"actor" => "https://example.org/users/admin"
}
}
Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/fire-fox.png"} ->
%Tesla.Env{status: 200, body: File.read!("test/fixtures/image.jpg")}
end)
clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)
refute "fire-fox" in installed()
refute File.exists?(path)
assert {:ok, _message} = StealEmojiPolicy.filter(message)
assert "fire-fox" in installed()
end
defp installed, do: Emoji.get_all() |> Enum.map(fn {k, _} -> k end) defp installed, do: Emoji.get_all() |> Enum.map(fn {k, _} -> k end)
end end

17
test/pleroma/web/activity_pub/object_validators/attachment_validator_test.exs
View file

@ -13,6 +13,23 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.AttachmentValidatorTest do
import Pleroma.Factory import Pleroma.Factory
describe "attachments" do describe "attachments" do
test "works with apng" do
attachment =
%{
"mediaType" => "image/apng",
"name" => "",
"type" => "Document",
"url" =>
"https://media.misskeyusercontent.com/io/2859c26e-cd43-4550-848b-b6243bc3fe28.apng"
}
assert {:ok, attachment} =
AttachmentValidator.cast_and_validate(attachment)
|> Ecto.Changeset.apply_action(:insert)
assert attachment.mediaType == "image/apng"
end
test "fails without url" do test "fails without url" do
attachment = %{ attachment = %{
"mediaType" => "", "mediaType" => "",

240
test/pleroma/web/activity_pub/transmogrifier_test.exs
View file

@ -156,6 +156,246 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
# It fetched the quoted post # It fetched the quoted post
assert Object.normalize("https://misskey.io/notes/8vs6wxufd0") assert Object.normalize("https://misskey.io/notes/8vs6wxufd0")
end end
test "doesn't allow remote edits to fake local likes" do
# as a spot check for no internal fields getting injected
now = DateTime.utc_now()
pub_date = DateTime.to_iso8601(Timex.subtract(now, Timex.Duration.from_minutes(3)))
edit_date = DateTime.to_iso8601(now)
local_user = insert(:user)
create_data = %{
"type" => "Create",
"id" => "http://mastodon.example.org/users/admin/statuses/2619539638/activity",
"actor" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"cc" => [],
"object" => %{
"type" => "Note",
"id" => "http://mastodon.example.org/users/admin/statuses/2619539638",
"attributedTo" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"cc" => [],
"published" => pub_date,
"content" => "miaow",
"likes" => [local_user.ap_id]
}
}
update_data =
create_data
|> Map.put("type", "Update")
|> Map.put("id", create_data["object"]["id"] <> "/update/1")
|> put_in(["object", "content"], "miaow :3")
|> put_in(["object", "updated"], edit_date)
|> put_in(["object", "formerRepresentations"], %{
"type" => "OrderedCollection",
"totalItems" => 1,
"orderedItems" => [create_data["object"]]
})
{:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(create_data)
%Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"])
assert object.data["content"] == "miaow"
assert object.data["likes"] == []
assert object.data["like_count"] == 0
{:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(update_data)
%Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"]["id"])
assert object.data["content"] == "miaow :3"
assert object.data["likes"] == []
assert object.data["like_count"] == 0
end
test "strips internal fields from history items in edited notes" do
now = DateTime.utc_now()
pub_date = DateTime.to_iso8601(Timex.subtract(now, Timex.Duration.from_minutes(3)))
edit_date = DateTime.to_iso8601(now)
local_user = insert(:user)
create_data = %{
"type" => "Create",
"id" => "http://mastodon.example.org/users/admin/statuses/2619539638/activity",
"actor" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"cc" => [],
"object" => %{
"type" => "Note",
"id" => "http://mastodon.example.org/users/admin/statuses/2619539638",
"attributedTo" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"cc" => [],
"published" => pub_date,
"content" => "miaow",
"likes" => [],
"like_count" => 0
}
}
update_data =
create_data
|> Map.put("type", "Update")
|> Map.put("id", create_data["object"]["id"] <> "/update/1")
|> put_in(["object", "content"], "miaow :3")
|> put_in(["object", "updated"], edit_date)
|> put_in(["object", "formerRepresentations"], %{
"type" => "OrderedCollection",
"totalItems" => 1,
"orderedItems" => [
Map.merge(create_data["object"], %{
"likes" => [local_user.ap_id],
"like_count" => 1,
"pleroma" => %{"internal_field" => "should_be_stripped"}
})
]
})
{:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(create_data)
%Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"])
assert object.data["content"] == "miaow"
assert object.data["likes"] == []
assert object.data["like_count"] == 0
{:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(update_data)
%Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"]["id"])
assert object.data["content"] == "miaow :3"
assert object.data["likes"] == []
assert object.data["like_count"] == 0
# Check that internal fields are stripped from history items
history_item = List.first(object.data["formerRepresentations"]["orderedItems"])
assert history_item["likes"] == []
assert history_item["like_count"] == 0
refute Map.has_key?(history_item, "pleroma")
end
test "doesn't trip over remote likes in notes" do
now = DateTime.utc_now()
pub_date = DateTime.to_iso8601(Timex.subtract(now, Timex.Duration.from_minutes(3)))
edit_date = DateTime.to_iso8601(now)
create_data = %{
"type" => "Create",
"id" => "http://mastodon.example.org/users/admin/statuses/3409297097/activity",
"actor" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"cc" => [],
"object" => %{
"type" => "Note",
"id" => "http://mastodon.example.org/users/admin/statuses/3409297097",
"attributedTo" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"cc" => [],
"published" => pub_date,
"content" => "miaow",
"likes" => %{
"id" => "http://mastodon.example.org/users/admin/statuses/3409297097/likes",
"totalItems" => 0,
"type" => "Collection"
}
}
}
update_data =
create_data
|> Map.put("type", "Update")
|> Map.put("id", create_data["object"]["id"] <> "/update/1")
|> put_in(["object", "content"], "miaow :3")
|> put_in(["object", "updated"], edit_date)
|> put_in(["object", "likes", "totalItems"], 666)
|> put_in(["object", "formerRepresentations"], %{
"type" => "OrderedCollection",
"totalItems" => 1,
"orderedItems" => [create_data["object"]]
})
{:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(create_data)
%Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"])
assert object.data["content"] == "miaow"
assert object.data["likes"] == []
assert object.data["like_count"] == 0
{:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(update_data)
%Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"]["id"])
assert object.data["content"] == "miaow :3"
assert object.data["likes"] == []
# in the future this should retain remote likes, but for now:
assert object.data["like_count"] == 0
end
test "doesn't trip over remote likes in polls" do
now = DateTime.utc_now()
pub_date = DateTime.to_iso8601(Timex.subtract(now, Timex.Duration.from_minutes(3)))
edit_date = DateTime.to_iso8601(now)
create_data = %{
"type" => "Create",
"id" => "http://mastodon.example.org/users/admin/statuses/2471790073/activity",
"actor" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"cc" => [],
"object" => %{
"type" => "Question",
"id" => "http://mastodon.example.org/users/admin/statuses/2471790073",
"attributedTo" => "http://mastodon.example.org/users/admin",
"to" => ["https://www.w3.org/ns/activitystreams#Public"],
"cc" => [],
"published" => pub_date,
"content" => "vote!",
"anyOf" => [
%{
"type" => "Note",
"name" => "a",
"replies" => %{
"type" => "Collection",
"totalItems" => 3
}
},
%{
"type" => "Note",
"name" => "b",
"replies" => %{
"type" => "Collection",
"totalItems" => 1
}
}
],
"likes" => %{
"id" => "http://mastodon.example.org/users/admin/statuses/2471790073/likes",
"totalItems" => 0,
"type" => "Collection"
}
}
}
update_data =
create_data
|> Map.put("type", "Update")
|> Map.put("id", create_data["object"]["id"] <> "/update/1")
|> put_in(["object", "content"], "vote now!")
|> put_in(["object", "updated"], edit_date)
|> put_in(["object", "likes", "totalItems"], 666)
|> put_in(["object", "formerRepresentations"], %{
"type" => "OrderedCollection",
"totalItems" => 1,
"orderedItems" => [create_data["object"]]
})
{:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(create_data)
%Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"])
assert object.data["content"] == "vote!"
assert object.data["likes"] == []
assert object.data["like_count"] == 0
{:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(update_data)
%Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"]["id"])
assert object.data["content"] == "vote now!"
assert object.data["likes"] == []
# in the future this should retain remote likes, but for now:
assert object.data["like_count"] == 0
end
end end
describe "prepare outgoing" do describe "prepare outgoing" do

11
test/pleroma/web/admin_api/controllers/config_controller_test.exs
View file

@ -1211,8 +1211,6 @@ defmodule Pleroma.Web.AdminAPI.ConfigControllerTest do
end end
test "args for Pleroma.Upload.Filter.Mogrify with custom tuples", %{conn: conn} do test "args for Pleroma.Upload.Filter.Mogrify with custom tuples", %{conn: conn} do
clear_config(Pleroma.Upload.Filter.Mogrify)
assert conn assert conn
|> put_req_header("content-type", "application/json") |> put_req_header("content-type", "application/json")
|> post("/api/pleroma/admin/config", %{ |> post("/api/pleroma/admin/config", %{
@ -1240,7 +1238,8 @@ defmodule Pleroma.Web.AdminAPI.ConfigControllerTest do
"need_reboot" => false "need_reboot" => false
} }
assert Config.get(Pleroma.Upload.Filter.Mogrify) == [args: ["auto-orient", "strip"]] config = Config.get(Pleroma.Upload.Filter.Mogrify)
assert {:args, ["auto-orient", "strip"]} in config
assert conn assert conn
|> put_req_header("content-type", "application/json") |> put_req_header("content-type", "application/json")
@ -1289,9 +1288,9 @@ defmodule Pleroma.Web.AdminAPI.ConfigControllerTest do
"need_reboot" => false "need_reboot" => false
} }
assert Config.get(Pleroma.Upload.Filter.Mogrify) == [ config = Config.get(Pleroma.Upload.Filter.Mogrify)
args: ["auto-orient", "strip", {"implode", "1"}, {"resize", "3840x1080>"}]
] assert {:args, ["auto-orient", "strip", {"implode", "1"}, {"resize", "3840x1080>"}]} in config
end end
test "enables the welcome messages", %{conn: conn} do test "enables the welcome messages", %{conn: conn} do

2
test/pleroma/web/admin_api/controllers/user_controller_test.exs
View file

@ -20,7 +20,7 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
alias Pleroma.Web.MediaProxy alias Pleroma.Web.MediaProxy
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

2
test/pleroma/web/mastodon_api/controllers/account_controller_test.exs
View file

@ -19,7 +19,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
import Pleroma.Factory import Pleroma.Factory
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

89
test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
View file

@ -227,4 +227,93 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
|> json_response_and_validate_schema(403) |> json_response_and_validate_schema(403)
end end
end end
describe "Content-Type sanitization" do
setup do: oauth_access(["write:media", "read:media"])
setup do
ConfigMock
|> stub_with(Pleroma.Test.StaticConfig)
config =
Pleroma.Config.get([Pleroma.Upload])
|> Keyword.put(:uploader, Pleroma.Uploaders.Local)
clear_config([Pleroma.Upload], config)
clear_config([Pleroma.Upload, :allowed_mime_types], ["image", "audio", "video"])
# Create a file with a malicious content type and dangerous extension
malicious_file = %Plug.Upload{
content_type: "application/activity+json",
path: Path.absname("test/fixtures/image.jpg"),
# JSON extension to make MIME.from_path detect application/json
filename: "malicious.json"
}
[malicious_file: malicious_file]
end
test "sanitizes malicious content types when serving media", %{
conn: conn,
malicious_file: malicious_file
} do
# First upload the file with the malicious content type
media =
conn
|> put_req_header("content-type", "multipart/form-data")
|> post("/api/v1/media", %{"file" => malicious_file})
|> json_response_and_validate_schema(:ok)
# Get the file URL from the response
url = media["url"]
# Now make a direct request to the media URL and check the content-type header
response =
build_conn()
|> get(URI.parse(url).path)
# Find the content-type header
content_type_header =
Enum.find(response.resp_headers, fn {name, _} -> name == "content-type" end)
# The server should detect the application/json MIME type from the .json extension
# and replace it with application/octet-stream since it's not in allowed_mime_types
assert content_type_header == {"content-type", "application/octet-stream"}
# Verify that the file was still served correctly
assert response.status == 200
end
test "allows safe content types", %{conn: conn} do
safe_image = %Plug.Upload{
content_type: "image/jpeg",
path: Path.absname("test/fixtures/image.jpg"),
filename: "safe_image.jpg"
}
# Upload a file with a safe content type
media =
conn
|> put_req_header("content-type", "multipart/form-data")
|> post("/api/v1/media", %{"file" => safe_image})
|> json_response_and_validate_schema(:ok)
# Get the file URL from the response
url = media["url"]
# Make a direct request to the media URL and check the content-type header
response =
build_conn()
|> get(URI.parse(url).path)
# The server should preserve the image/jpeg MIME type since it's allowed
content_type_header =
Enum.find(response.resp_headers, fn {name, _} -> name == "content-type" end)
assert content_type_header == {"content-type", "image/jpeg"}
# Verify that the file was served correctly
assert response.status == 200
end
end
end end

2
test/pleroma/web/mastodon_api/controllers/notification_controller_test.exs
View file

@ -13,7 +13,7 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
import Pleroma.Factory import Pleroma.Factory
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

2
test/pleroma/web/mastodon_api/controllers/search_controller_test.exs
View file

@ -14,7 +14,7 @@ defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do
import Mock import Mock
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

2
test/pleroma/web/mastodon_api/views/notification_view_test.exs
View file

@ -23,7 +23,7 @@ defmodule Pleroma.Web.MastodonAPI.NotificationViewTest do
import Pleroma.Factory import Pleroma.Factory
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

55
test/pleroma/web/metadata/providers/open_graph_test.exs
View file

@ -9,6 +9,7 @@ defmodule Pleroma.Web.Metadata.Providers.OpenGraphTest do
alias Pleroma.UnstubbedConfigMock, as: ConfigMock alias Pleroma.UnstubbedConfigMock, as: ConfigMock
alias Pleroma.Web.Metadata.Providers.OpenGraph alias Pleroma.Web.Metadata.Providers.OpenGraph
alias Pleroma.Web.Metadata.Utils
setup do setup do
ConfigMock ConfigMock
@ -197,4 +198,58 @@ defmodule Pleroma.Web.Metadata.Providers.OpenGraphTest do
"http://localhost:4001/proxy/preview/LzAnlke-l5oZbNzWsrHfprX1rGw/aHR0cHM6Ly9wbGVyb21hLmdvdi9hYm91dC9qdWNoZS53ZWJt/juche.webm" "http://localhost:4001/proxy/preview/LzAnlke-l5oZbNzWsrHfprX1rGw/aHR0cHM6Ly9wbGVyb21hLmdvdi9hYm91dC9qdWNoZS53ZWJt/juche.webm"
], []} in result ], []} in result
end end
test "meta tag ordering matches attachment order" do
user = insert(:user, name: "Jimmy Hendriks", bio: "born 19 March 1994")
note =
insert(:note, %{
data: %{
"actor" => user.ap_id,
"tag" => [],
"id" => "https://pleroma.gov/objects/whatever",
"summary" => "",
"content" => "pleroma in a nutshell",
"attachment" => [
%{
"url" => [
%{
"mediaType" => "image/png",
"href" => "https://example.com/first.png",
"height" => 1024,
"width" => 1280
}
]
},
%{
"url" => [
%{
"mediaType" => "image/png",
"href" => "https://example.com/second.png",
"height" => 1024,
"width" => 1280
}
]
}
]
}
})
result = OpenGraph.build_tags(%{object: note, url: note.data["id"], user: user})
assert [
{:meta, [property: "og:title", content: Utils.user_name_string(user)], []},
{:meta, [property: "og:url", content: "https://pleroma.gov/objects/whatever"], []},
{:meta, [property: "og:description", content: "pleroma in a nutshell"], []},
{:meta, [property: "og:type", content: "article"], []},
{:meta, [property: "og:image", content: "https://example.com/first.png"], []},
{:meta, [property: "og:image:alt", content: nil], []},
{:meta, [property: "og:image:width", content: "1280"], []},
{:meta, [property: "og:image:height", content: "1024"], []},
{:meta, [property: "og:image", content: "https://example.com/second.png"], []},
{:meta, [property: "og:image:alt", content: nil], []},
{:meta, [property: "og:image:width", content: "1280"], []},
{:meta, [property: "og:image:height", content: "1024"], []}
] == result
end
end end

54
test/pleroma/web/metadata/providers/twitter_card_test.exs
View file

@ -202,4 +202,58 @@ defmodule Pleroma.Web.Metadata.Providers.TwitterCardTest do
{:meta, [name: "twitter:player:stream:content_type", content: "video/webm"], []} {:meta, [name: "twitter:player:stream:content_type", content: "video/webm"], []}
] == result ] == result
end end
test "meta tag ordering matches attachment order" do
user = insert(:user, name: "Jimmy Hendriks", bio: "born 19 March 1994")
note =
insert(:note, %{
data: %{
"actor" => user.ap_id,
"tag" => [],
"id" => "https://pleroma.gov/objects/whatever",
"summary" => "",
"content" => "pleroma in a nutshell",
"attachment" => [
%{
"url" => [
%{
"mediaType" => "image/png",
"href" => "https://example.com/first.png",
"height" => 1024,
"width" => 1280
}
]
},
%{
"url" => [
%{
"mediaType" => "image/png",
"href" => "https://example.com/second.png",
"height" => 1024,
"width" => 1280
}
]
}
]
}
})
result = TwitterCard.build_tags(%{object: note, activity_id: note.data["id"], user: user})
assert [
{:meta, [name: "twitter:title", content: Utils.user_name_string(user)], []},
{:meta, [name: "twitter:description", content: "pleroma in a nutshell"], []},
{:meta, [name: "twitter:card", content: "summary_large_image"], []},
{:meta, [name: "twitter:image", content: "https://example.com/first.png"], []},
{:meta, [name: "twitter:image:alt", content: ""], []},
{:meta, [name: "twitter:player:width", content: "1280"], []},
{:meta, [name: "twitter:player:height", content: "1024"], []},
{:meta, [name: "twitter:card", content: "summary_large_image"], []},
{:meta, [name: "twitter:image", content: "https://example.com/second.png"], []},
{:meta, [name: "twitter:image:alt", content: ""], []},
{:meta, [name: "twitter:player:width", content: "1280"], []},
{:meta, [name: "twitter:player:height", content: "1024"], []}
] == result
end
end end

20
test/pleroma/web/o_auth/app_test.exs
View file

@ -58,16 +58,28 @@ defmodule Pleroma.Web.OAuth.AppTest do
attrs = %{client_name: "Mastodon-Local", redirect_uris: "."} attrs = %{client_name: "Mastodon-Local", redirect_uris: "."}
{:ok, %App{} = old_app} = App.get_or_make(attrs, ["write"]) {:ok, %App{} = old_app} = App.get_or_make(attrs, ["write"])
# backdate the old app so it's within the threshold for being cleaned up
one_hour_ago = DateTime.add(DateTime.utc_now(), -3600)
{:ok, _} =
"UPDATE apps SET inserted_at = $1, updated_at = $1 WHERE id = $2"
|> Pleroma.Repo.query([one_hour_ago, old_app.id])
# Create the new app after backdating the old one
attrs = %{client_name: "PleromaFE", redirect_uris: "."} attrs = %{client_name: "PleromaFE", redirect_uris: "."}
{:ok, %App{} = app} = App.get_or_make(attrs, ["write"]) {:ok, %App{} = app} = App.get_or_make(attrs, ["write"])
# backdate the old app so it's within the threshold for being cleaned up # Ensure the new app has a recent timestamp
now = DateTime.utc_now()
{:ok, _} = {:ok, _} =
"UPDATE apps SET inserted_at = now() - interval '1 hour' WHERE id = #{old_app.id}" "UPDATE apps SET inserted_at = $1, updated_at = $1 WHERE id = $2"
|> Pleroma.Repo.query() |> Pleroma.Repo.query([now, app.id])
App.remove_orphans() App.remove_orphans()
assert [app] == Pleroma.Repo.all(App) assert [returned_app] = Pleroma.Repo.all(App)
assert returned_app.client_name == "PleromaFE"
assert returned_app.id == app.id
end end
end end

2
test/pleroma/web/pleroma_api/controllers/emoji_reaction_controller_test.exs
View file

@ -14,7 +14,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionControllerTest do
import Pleroma.Factory import Pleroma.Factory
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

75
test/pleroma/web/plugs/instance_static_test.exs
View file

@ -62,4 +62,79 @@ defmodule Pleroma.Web.Plugs.InstanceStaticTest do
index = get(build_conn(), "/static/kaniini.html") index = get(build_conn(), "/static/kaniini.html")
assert html_response(index, 200) == "<h1>rabbit hugs as a service</h1>" assert html_response(index, 200) == "<h1>rabbit hugs as a service</h1>"
end end
test "does not sanitize dangerous files in general, as there can be html and javascript files legitimately in this folder" do
# Create a file with a potentially dangerous extension (.json)
# This mimics an attacker trying to serve ActivityPub JSON with a static file
File.mkdir!(@dir <> "/static")
File.write!(@dir <> "/static/malicious.json", "{\"type\": \"ActivityPub\"}")
conn = get(build_conn(), "/static/malicious.json")
assert conn.status == 200
content_type =
Enum.find_value(conn.resp_headers, fn
{"content-type", value} -> value
_ -> nil
end)
assert content_type == "application/json"
File.write!(@dir <> "/static/safe.jpg", "fake image data")
conn = get(build_conn(), "/static/safe.jpg")
assert conn.status == 200
# Get the content-type
content_type =
Enum.find_value(conn.resp_headers, fn
{"content-type", value} -> value
_ -> nil
end)
assert content_type == "image/jpeg"
end
test "always sanitizes emojis to images" do
File.mkdir!(@dir <> "/emoji")
File.write!(@dir <> "/emoji/malicious.html", "<script>HACKED</script>")
# Request the malicious file
conn = get(build_conn(), "/emoji/malicious.html")
# Verify the file was served (status 200)
assert conn.status == 200
# The content should be served, but with a sanitized content-type
content_type =
Enum.find_value(conn.resp_headers, fn
{"content-type", value} -> value
_ -> nil
end)
# It should have been sanitized to application/octet-stream because "application"
# is not in the allowed_mime_types list
assert content_type == "application/octet-stream"
# Create a file with an allowed extension (.jpg)
File.write!(@dir <> "/emoji/safe.jpg", "fake image data")
# Request the safe file
conn = get(build_conn(), "/emoji/safe.jpg")
# Verify the file was served (status 200)
assert conn.status == 200
# Get the content-type
content_type =
Enum.find_value(conn.resp_headers, fn
{"content-type", value} -> value
_ -> nil
end)
# It should be preserved because "image" is in the allowed_mime_types list
assert content_type == "image/jpeg"
end
end end

53
test/pleroma/web/plugs/uploaded_media_test.exs Normal file
View file

@ -0,0 +1,53 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.UploadedMediaTest do
use ExUnit.Case, async: true
alias Pleroma.Web.Plugs.Utils
describe "content-type sanitization with Utils.get_safe_mime_type/2" do
test "it allows safe MIME types" do
opts = %{allowed_mime_types: ["image", "audio", "video"]}
assert Utils.get_safe_mime_type(opts, "image/jpeg") == "image/jpeg"
assert Utils.get_safe_mime_type(opts, "audio/mpeg") == "audio/mpeg"
assert Utils.get_safe_mime_type(opts, "video/mp4") == "video/mp4"
end
test "it sanitizes potentially dangerous content-types" do
opts = %{allowed_mime_types: ["image", "audio", "video"]}
assert Utils.get_safe_mime_type(opts, "application/activity+json") ==
"application/octet-stream"
assert Utils.get_safe_mime_type(opts, "text/html") == "application/octet-stream"
assert Utils.get_safe_mime_type(opts, "application/javascript") ==
"application/octet-stream"
end
test "it sanitizes ActivityPub content types" do
opts = %{allowed_mime_types: ["image", "audio", "video"]}
assert Utils.get_safe_mime_type(opts, "application/activity+json") ==
"application/octet-stream"
assert Utils.get_safe_mime_type(opts, "application/ld+json") == "application/octet-stream"
assert Utils.get_safe_mime_type(opts, "application/jrd+json") == "application/octet-stream"
end
test "it sanitizes other potentially dangerous types" do
opts = %{allowed_mime_types: ["image", "audio", "video"]}
assert Utils.get_safe_mime_type(opts, "text/html") == "application/octet-stream"
assert Utils.get_safe_mime_type(opts, "application/javascript") ==
"application/octet-stream"
assert Utils.get_safe_mime_type(opts, "text/javascript") == "application/octet-stream"
assert Utils.get_safe_mime_type(opts, "application/xhtml+xml") == "application/octet-stream"
end
end
end

1
test/pleroma/web/rich_media/parser_test.exs
View file

@ -54,7 +54,6 @@ defmodule Pleroma.Web.RichMedia.ParserTest do
{:ok, {:ok,
%{ %{
"card" => "summary", "card" => "summary",
"site" => "@flickr",
"image" => "https://farm6.staticflickr.com/5510/14338202952_93595258ff_z.jpg", "image" => "https://farm6.staticflickr.com/5510/14338202952_93595258ff_z.jpg",
"title" => "Small Island Developing States Photo Submission", "title" => "Small Island Developing States Photo Submission",
"description" => "View the album on Flickr.", "description" => "View the album on Flickr.",

37
test/pleroma/web/rich_media/parsers/twitter_card_test.exs
View file

@ -17,10 +17,6 @@ defmodule Pleroma.Web.RichMedia.Parsers.TwitterCardTest do
assert TwitterCard.parse(html, %{}) == assert TwitterCard.parse(html, %{}) ==
%{ %{
"app:id:googleplay" => "com.nytimes.android",
"app:name:googleplay" => "NYTimes",
"app:url:googleplay" => "nytimes://reader/id/100000006583622",
"site" => nil,
"description" => "description" =>
"With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.", "With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.",
"image" => "image" =>
@ -44,7 +40,7 @@ defmodule Pleroma.Web.RichMedia.Parsers.TwitterCardTest do
"description" => "description" =>
"With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.", "With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.",
"image" => "image" =>
"https://static01.nyt.com/images/2019/08/01/nyregion/01nypd-juveniles-promo/01nypd-juveniles-promo-videoSixteenByNineJumbo1600.jpg", "https://static01.nyt.com/images/2019/08/01/nyregion/01nypd-juveniles-promo/01nypd-juveniles-promo-facebookJumbo.jpg",
"image:alt" => "", "image:alt" => "",
"title" => "title" =>
"She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database.", "She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database.",
@ -61,16 +57,12 @@ defmodule Pleroma.Web.RichMedia.Parsers.TwitterCardTest do
assert TwitterCard.parse(html, %{}) == assert TwitterCard.parse(html, %{}) ==
%{ %{
"app:id:googleplay" => "com.nytimes.android",
"app:name:googleplay" => "NYTimes",
"app:url:googleplay" => "nytimes://reader/id/100000006583622",
"card" => "summary_large_image", "card" => "summary_large_image",
"description" => "description" =>
"With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.", "With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.",
"image" => "image" =>
"https://static01.nyt.com/images/2019/08/01/nyregion/01nypd-juveniles-promo/01nypd-juveniles-promo-videoSixteenByNineJumbo1600.jpg", "https://static01.nyt.com/images/2019/08/01/nyregion/01nypd-juveniles-promo/01nypd-juveniles-promo-facebookJumbo.jpg",
"image:alt" => "", "image:alt" => "",
"site" => nil,
"title" => "title" =>
"She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database.", "She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database.",
"url" => "url" =>
@ -90,13 +82,11 @@ defmodule Pleroma.Web.RichMedia.Parsers.TwitterCardTest do
assert TwitterCard.parse(html, %{}) == assert TwitterCard.parse(html, %{}) ==
%{ %{
"site" => "@atlasobscura",
"title" => "The Missing Grave of Margaret Corbin, Revolutionary War Veteran", "title" => "The Missing Grave of Margaret Corbin, Revolutionary War Veteran",
"card" => "summary_large_image", "card" => "summary_large_image",
"image" => image_path, "image" => image_path,
"description" => "description" =>
"She's the only woman veteran honored with a monument at West Point. But where was she buried?", "She's the only woman veteran honored with a monument at West Point. But where was she buried?",
"site_name" => "Atlas Obscura",
"type" => "article", "type" => "article",
"url" => "http://www.atlasobscura.com/articles/margaret-corbin-grave-west-point" "url" => "http://www.atlasobscura.com/articles/margaret-corbin-grave-west-point"
} }
@ -109,12 +99,8 @@ defmodule Pleroma.Web.RichMedia.Parsers.TwitterCardTest do
assert TwitterCard.parse(html, %{}) == assert TwitterCard.parse(html, %{}) ==
%{ %{
"site" => nil,
"title" => "title" =>
"She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database.", "She Was Arrested at 14. Then Her Photo Went to a Facial Recognition Database.",
"app:id:googleplay" => "com.nytimes.android",
"app:name:googleplay" => "NYTimes",
"app:url:googleplay" => "nytimes://reader/id/100000006583622",
"description" => "description" =>
"With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.", "With little oversight, the N.Y.P.D. has been using powerful surveillance technology on photos of children and teenagers.",
"image" => "image" =>
@ -124,4 +110,23 @@ defmodule Pleroma.Web.RichMedia.Parsers.TwitterCardTest do
"https://www.nytimes.com/2019/08/01/nyregion/nypd-facial-recognition-children-teenagers.html" "https://www.nytimes.com/2019/08/01/nyregion/nypd-facial-recognition-children-teenagers.html"
} }
end end
test "takes first image if multiple are specified" do
html =
File.read!("test/fixtures/fulmo.html")
|> Floki.parse_document!()
assert TwitterCard.parse(html, %{}) ==
%{
"description" => "Pri feoj, kiuj devis ordigi falintan arbon.",
"image" => "https://tirifto.xwx.moe/r/ilustrajhoj/pinglordigado.png",
"title" => "Fulmo",
"type" => "website",
"url" => "https://tirifto.xwx.moe/eo/rakontoj/fulmo.html",
"image:alt" =>
"Meze de arbaro kuŝas falinta trunko, sen pingloj kaj kun branĉoj derompitaj. Post ĝi videblas du feoj: florofeo maldekstre kaj nubofeo dekstre. La florofeo iom kaŝas sin post la trunko. La nubofeo staras kaj tenas amason da pigloj. Ili iom rigardas al si.",
"image:height" => "630",
"image:width" => "1200"
}
end
end end

2
test/pleroma/workers/cron/digest_emails_worker_test.exs
View file

@ -14,7 +14,7 @@ defmodule Pleroma.Workers.Cron.DigestEmailsWorkerTest do
setup do: clear_config([:email_notifications, :digest]) setup do: clear_config([:email_notifications, :digest])
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

2
test/pleroma/workers/cron/new_users_digest_worker_test.exs
View file

@ -11,7 +11,7 @@ defmodule Pleroma.Workers.Cron.NewUsersDigestWorkerTest do
alias Pleroma.Workers.Cron.NewUsersDigestWorker alias Pleroma.Workers.Cron.NewUsersDigestWorker
setup do setup do
Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
:ok :ok
end end

2
test/support/data_case.ex
View file

@ -117,6 +117,8 @@ defmodule Pleroma.DataCase do
Mox.stub_with(Pleroma.ConfigMock, Pleroma.Config) Mox.stub_with(Pleroma.ConfigMock, Pleroma.Config)
Mox.stub_with(Pleroma.StaticStubbedConfigMock, Pleroma.Test.StaticConfig) Mox.stub_with(Pleroma.StaticStubbedConfigMock, Pleroma.Test.StaticConfig)
Mox.stub_with(Pleroma.StubbedHTTPSignaturesMock, Pleroma.Test.HTTPSignaturesProxy) Mox.stub_with(Pleroma.StubbedHTTPSignaturesMock, Pleroma.Test.HTTPSignaturesProxy)
Mox.stub_with(Pleroma.DateTimeMock, Pleroma.DateTime.Impl)
end end
def ensure_local_uploader(context) do def ensure_local_uploader(context) do

Some files were not shown because too many files have changed in this diff Show more