logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git
commit: d998a114e26033e98e87778e5ca659aff91831bf
parent da6b4003acad84b0f60ad8da6d08cfe13564b058
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date:   Wed, 31 May 2023 00:50:01 +0000

Merge branch 'validate-host' into 'develop'

Validate Host header for MediaProxy and Uploads

See merge request pleroma/pleroma!3896

Diffstat:

Achangelog.d/3896.add1+
Mlib/pleroma/web/media_proxy/media_proxy_controller.ex25+++++++++++++++++++++++++
Mlib/pleroma/web/plugs/uploaded_media.ex22+++++++++++++++++++++-
Mtest/pleroma/web/media_proxy/media_proxy_controller_test.exs34++++++++++++++++++++++++++++++++++
Mtest/pleroma/web/plugs/uploaded_media_plug_test.exs31+++++++++++++++++++++++++++++++
Mtest/support/conn_case.ex5++++-
6 files changed, 116 insertions(+), 2 deletions(-)

diff --git a/changelog.d/3896.add b/changelog.d/3896.add @@ -0,0 +1 @@ +Validate Host header for MediaProxy and Uploads and return a 302 if the base_url has changed diff --git a/lib/pleroma/web/media_proxy/media_proxy_controller.ex b/lib/pleroma/web/media_proxy/media_proxy_controller.ex @@ -12,6 +12,7 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do alias Pleroma.Web.MediaProxy alias Plug.Conn + plug(:validate_host) plug(:sandbox) def remote(conn, %{"sig" => sig64, "url" => url64}) do @@ -205,6 +206,30 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do Config.get([:media_proxy, :proxy_opts], []) end + defp validate_host(conn, _params) do + %{scheme: proxy_scheme, host: proxy_host, port: proxy_port} = + MediaProxy.base_url() |> URI.parse() + + if match?(^proxy_host, conn.host) do + conn + else + redirect_url = + %URI{ + scheme: proxy_scheme, + host: proxy_host, + port: proxy_port, + path: conn.request_path, + query: conn.query_string + } + |> URI.to_string() + |> String.trim_trailing("?") + + conn + |> Phoenix.Controller.redirect(external: redirect_url) + |> halt() + end + end + defp sandbox(conn, _params) do conn |> merge_resp_headers([{"content-security-policy", "sandbox;"}]) diff --git a/lib/pleroma/web/plugs/uploaded_media.ex b/lib/pleroma/web/plugs/uploaded_media.ex @@ -46,12 +46,32 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do config = Pleroma.Config.get(Pleroma.Upload) - with uploader <- Keyword.fetch!(config, :uploader), + %{scheme: media_scheme, host: media_host, port: media_port} = + Pleroma.Upload.base_url() |> URI.parse() + + with {:valid_host, true} <- {:valid_host, match?(^media_host, conn.host)}, + uploader <- Keyword.fetch!(config, :uploader), proxy_remote = Keyword.get(config, :proxy_remote, false), {:ok, get_method} <- uploader.get_file(file), false <- media_is_banned(conn, get_method) do get_media(conn, get_method, proxy_remote, opts) else + {:valid_host, false} -> + redirect_url = + %URI{ + scheme: media_scheme, + host: media_host, + port: media_port, + path: conn.request_path, + query: conn.query_string + } + |> URI.to_string() + |> String.trim_trailing("?") + + conn + |> Phoenix.Controller.redirect(external: redirect_url) + |> halt() + _ -> conn |> send_resp(:internal_server_error, dgettext("errors", "Failed")) diff --git a/test/pleroma/web/media_proxy/media_proxy_controller_test.exs b/test/pleroma/web/media_proxy/media_proxy_controller_test.exs @@ -54,6 +54,40 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyControllerTest do } = get(conn, "/proxy/hhgfh/eeee/fff") end + test "it returns a 302 for invalid host", %{conn: conn} do + new_proxy_base = "http://mp.localhost/" + + %{scheme: new_proxy_scheme, host: new_proxy_host, port: new_proxy_port} = + URI.parse(new_proxy_base) + + clear_config([:media_proxy, :base_url], new_proxy_base) + + proxy_url = + MediaProxy.encode_url("https://pleroma.social/logo.jpeg") + |> URI.parse() + |> Map.put(:host, "wronghost") + |> URI.to_string() + + expected_url = + URI.parse(proxy_url) + |> Map.put(:host, new_proxy_host) + |> Map.put(:port, new_proxy_port) + |> Map.put(:scheme, new_proxy_scheme) + |> URI.to_string() + + with_mock Pleroma.ReverseProxy, + call: fn _conn, _url, _opts -> %Conn{status: :success} end do + %{resp_headers: resp_headers, status: status} = get(conn, proxy_url) + + assert status == 302 + + assert Enum.any?( + resp_headers, + &(&1 == {"location", expected_url}) + ) + end + end + test "redirects to valid url when filename is invalidated", %{conn: conn, url: url} do invalid_url = String.replace(url, "test.png", "test-file.png") response = get(conn, invalid_url) diff --git a/test/pleroma/web/plugs/uploaded_media_plug_test.exs b/test/pleroma/web/plugs/uploaded_media_plug_test.exs @@ -40,4 +40,35 @@ defmodule Pleroma.Web.Plugs.UploadedMediaPlugTest do &(&1 == {"content-disposition", ~s[inline; filename="\\"cofe\\".gif"]}) ) end + + test "denies access to media if wrong Host", %{ + attachment_url: attachment_url + } do + conn = get(build_conn(), attachment_url) + + assert conn.status == 200 + + new_media_base = "http://media.localhost:8080" + + %{scheme: new_media_scheme, host: new_media_host, port: new_media_port} = + URI.parse(new_media_base) + + clear_config([Pleroma.Upload, :base_url], new_media_base) + + conn = get(build_conn(), attachment_url) + + expected_url = + URI.parse(attachment_url) + |> Map.put(:host, new_media_host) + |> Map.put(:port, new_media_port) + |> Map.put(:scheme, new_media_scheme) + |> URI.to_string() + + assert conn.status == 302 + + assert Enum.any?( + conn.resp_headers, + &(&1 == {"location", expected_url}) + ) + end end diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex @@ -120,6 +120,9 @@ defmodule Pleroma.Web.ConnCase do Mox.verify_on_exit!() - {:ok, conn: Phoenix.ConnTest.build_conn()} + {:ok, + conn: + Phoenix.ConnTest.build_conn() + |> Map.put(:host, Pleroma.Web.Endpoint.host())} end end