commit: 819fccb7d1391ad88f5c236f32390b3e0430ef6c
parent b08cbe76f18c1e745511adf26ebdc3b675dd45ba
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date:   Thu,  3 Aug 2023 10:01:32 +0000

Merge branch 'tusooa/3154-attachment-type-check' into 'develop'

Restrict attachments to uploaded files only

Closes #3154

See merge request pleroma/pleroma!3923

Diffstat:

Achangelog.d/attachment-type-check.fix1+
Mlib/pleroma/constants.ex2++
Mlib/pleroma/web/common_api/utils.ex7++++++-
Mtest/pleroma/web/common_api/utils_test.exs11++++++++---
4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/changelog.d/attachment-type-check.fix b/changelog.d/attachment-type-check.fix
@@ -0,0 +1 @@
+Restrict attachments to only uploaded files only
diff --git a/lib/pleroma/constants.ex b/lib/pleroma/constants.ex
@@ -81,4 +81,6 @@ defmodule Pleroma.Constants do
   const(mime_regex,
     do: ~r/^[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+\/[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+(; .*)?$/
   )
+
+  const(upload_object_types, do: ["Document", "Image"])
 end
diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
@@ -59,7 +59,12 @@ defmodule Pleroma.Web.CommonAPI.Utils do
   end
 
   defp get_attachment(media_id) do
-    Repo.get(Object, media_id)
+    with %Object{data: data} = object <- Repo.get(Object, media_id),
+         %{"type" => type} when type in Pleroma.Constants.upload_object_types() <- data do
+      object
+    else
+      _ -> nil
+    end
   end
 
   @spec get_to_and_cc(ActivityDraft.t()) :: {list(String.t()), list(String.t())}
diff --git a/test/pleroma/web/common_api/utils_test.exs b/test/pleroma/web/common_api/utils_test.exs
@@ -592,7 +592,7 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
     end
 
     test "returns list attachments with desc" do
-      object = insert(:note)
+      object = insert(:attachment)
       desc = Jason.encode!(%{object.id => "test-desc"})
 
       assert Utils.attachments_from_ids_descs(["#{object.id}", "34"], desc) == [
@@ -603,7 +603,7 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
 
   describe "attachments_from_ids/1" do
     test "returns attachments with descs" do
-      object = insert(:note)
+      object = insert(:attachment)
       desc = Jason.encode!(%{object.id => "test-desc"})
 
       assert Utils.attachments_from_ids(%{
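Review bot: `upload_object_types` is a security-relevant allowlist, yet the constants.ex hunk gives no hint where the "Document" and "Image" values come from, so a new object type introduced by the upload code would be silently rejected as an attachment by get_attachment in utils.ex without anyone noticing at this site. Suggest a comment above it: `# "type" values an uploaded file Object may carry; CommonAPI.Utils.get_attachment/1 accepts only these as attachments, so extend this list when the uploader starts emitting a new type.` Whether the upload pipeline emits only these two types is not visible on this page; presumably Pleroma.Upload sets the value, and that should be confirmed before relying on the list being complete.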
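Review bot: The `else _ -> nil` clause in get_attachment folds a wrong-typed Object and a missing id into the same nil and the reason for the allowlist is nowhere stated, so a comment above the `with` is warranted: `# Only Objects created by the upload pipeline may be attached; a Note or any other Object referenced by id is treated as if it did not exist.` The guard `type in Pleroma.Constants.upload_object_types()` only compiles because the `const` macro presumably expands the call to a literal list at compile time, since a guard cannot call a function; an inline note to that effect would stop a later refactor to a plain function from breaking the build. The type check also does not establish that the upload belongs to the actor composing the status; if ownership is enforced elsewhere that is outside this hunk, otherwise any user's upload id remains attachable and that should be confirmed.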
@@ -615,13 +615,18 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
     end
 
     test "returns attachments without descs" do
-      object = insert(:note)
+      object = insert(:attachment)
       assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == [object.data]
     end
 
     test "returns [] when not pass media_ids" do
       assert Utils.attachments_from_ids(%{}) == []
     end
+
+    test "checks that the object is of upload type" do
+      object = insert(:note)
+      assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == []
+    end
   end
 
   describe "maybe_add_list_data/3" do
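Review bot: The new test "checks that the object is of upload type" pins only the single-Note case; a mixed media_ids list would also pin that a rejected Note is dropped while the genuine upload survives, which is the behaviour callers of attachments_from_ids depend on. Something like `note = insert(:note)`, `upload = insert(:attachment)`, `assert Utils.attachments_from_ids(%{media_ids: ["#{upload.id}", "#{note.id}"]}) == [upload.data]` would cover it. This assumes the caller of get_attachment discards nil results, which is outside the hunks shown here.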