commit: d998a114e26033e98e87778e5ca659aff91831bf
parent da6b4003acad84b0f60ad8da6d08cfe13564b058
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date: Wed, 31 May 2023 00:50:01 +0000
Merge branch 'validate-host' into 'develop'
Validate Host header for MediaProxy and Uploads
See merge request pleroma/pleroma!3896
Diffstat:
6 files changed, 116 insertions(+), 2 deletions(-)
diff --git a/changelog.d/3896.add b/changelog.d/3896.add
@@ -0,0 +1 @@
+Validate Host header for MediaProxy and Uploads and return a 302 if the base_url has changed
diff --git a/lib/pleroma/web/media_proxy/media_proxy_controller.ex b/lib/pleroma/web/media_proxy/media_proxy_controller.ex
@@ -12,6 +12,7 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
alias Pleroma.Web.MediaProxy
alias Plug.Conn
+ plug(:validate_host)
plug(:sandbox)
def remote(conn, %{"sig" => sig64, "url" => url64}) do
@@ -205,6 +206,30 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
Config.get([:media_proxy, :proxy_opts], [])
end
+ defp validate_host(conn, _params) do
+ %{scheme: proxy_scheme, host: proxy_host, port: proxy_port} =
+ MediaProxy.base_url() |> URI.parse()
+
+ if match?(^proxy_host, conn.host) do
+ conn
+ else
+ redirect_url =
+ %URI{
+ scheme: proxy_scheme,
+ host: proxy_host,
+ port: proxy_port,
+ path: conn.request_path,
+ query: conn.query_string
+ }
+ |> URI.to_string()
+ |> String.trim_trailing("?")
+
+ conn
+ |> Phoenix.Controller.redirect(external: redirect_url)
+ |> halt()
+ end
+ end
+
defp sandbox(conn, _params) do
conn
|> merge_resp_headers([{"content-security-policy", "sandbox;"}])
diff --git a/lib/pleroma/web/plugs/uploaded_media.ex b/lib/pleroma/web/plugs/uploaded_media.ex
@@ -46,12 +46,32 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
config = Pleroma.Config.get(Pleroma.Upload)
- with uploader <- Keyword.fetch!(config, :uploader),
+ %{scheme: media_scheme, host: media_host, port: media_port} =
+ Pleroma.Upload.base_url() |> URI.parse()
+
+ with {:valid_host, true} <- {:valid_host, match?(^media_host, conn.host)},
+ uploader <- Keyword.fetch!(config, :uploader),
proxy_remote = Keyword.get(config, :proxy_remote, false),
{:ok, get_method} <- uploader.get_file(file),
false <- media_is_banned(conn, get_method) do
get_media(conn, get_method, proxy_remote, opts)
else
+ {:valid_host, false} ->
+ redirect_url =
+ %URI{
+ scheme: media_scheme,
+ host: media_host,
+ port: media_port,
+ path: conn.request_path,
+ query: conn.query_string
+ }
+ |> URI.to_string()
+ |> String.trim_trailing("?")
+
+ conn
+ |> Phoenix.Controller.redirect(external: redirect_url)
+ |> halt()
+
_ ->
conn
|> send_resp(:internal_server_error, dgettext("errors", "Failed"))
diff --git a/test/pleroma/web/media_proxy/media_proxy_controller_test.exs b/test/pleroma/web/media_proxy/media_proxy_controller_test.exs
@@ -54,6 +54,40 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyControllerTest do
} = get(conn, "/proxy/hhgfh/eeee/fff")
end
+ test "it returns a 302 for invalid host", %{conn: conn} do
+ new_proxy_base = "http://mp.localhost/"
+
+ %{scheme: new_proxy_scheme, host: new_proxy_host, port: new_proxy_port} =
+ URI.parse(new_proxy_base)
+
+ clear_config([:media_proxy, :base_url], new_proxy_base)
+
+ proxy_url =
+ MediaProxy.encode_url("https://pleroma.social/logo.jpeg")
+ |> URI.parse()
+ |> Map.put(:host, "wronghost")
+ |> URI.to_string()
+
+ expected_url =
+ URI.parse(proxy_url)
+ |> Map.put(:host, new_proxy_host)
+ |> Map.put(:port, new_proxy_port)
+ |> Map.put(:scheme, new_proxy_scheme)
+ |> URI.to_string()
+
+ with_mock Pleroma.ReverseProxy,
+ call: fn _conn, _url, _opts -> %Conn{status: :success} end do
+ %{resp_headers: resp_headers, status: status} = get(conn, proxy_url)
+
+ assert status == 302
+
+ assert Enum.any?(
+ resp_headers,
+ &(&1 == {"location", expected_url})
+ )
+ end
+ end
+
test "redirects to valid url when filename is invalidated", %{conn: conn, url: url} do
invalid_url = String.replace(url, "test.png", "test-file.png")
response = get(conn, invalid_url)
diff --git a/test/pleroma/web/plugs/uploaded_media_plug_test.exs b/test/pleroma/web/plugs/uploaded_media_plug_test.exs
@@ -40,4 +40,35 @@ defmodule Pleroma.Web.Plugs.UploadedMediaPlugTest do
&(&1 == {"content-disposition", ~s[inline; filename="\\"cofe\\".gif"]})
)
end
+
+ test "denies access to media if wrong Host", %{
+ attachment_url: attachment_url
+ } do
+ conn = get(build_conn(), attachment_url)
+
+ assert conn.status == 200
+
+ new_media_base = "http://media.localhost:8080"
+
+ %{scheme: new_media_scheme, host: new_media_host, port: new_media_port} =
+ URI.parse(new_media_base)
+
+ clear_config([Pleroma.Upload, :base_url], new_media_base)
+
+ conn = get(build_conn(), attachment_url)
+
+ expected_url =
+ URI.parse(attachment_url)
+ |> Map.put(:host, new_media_host)
+ |> Map.put(:port, new_media_port)
+ |> Map.put(:scheme, new_media_scheme)
+ |> URI.to_string()
+
+ assert conn.status == 302
+
+ assert Enum.any?(
+ conn.resp_headers,
+ &(&1 == {"location", expected_url})
+ )
+ end
end
diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex
@@ -120,6 +120,9 @@ defmodule Pleroma.Web.ConnCase do
Mox.verify_on_exit!()
- {:ok, conn: Phoenix.ConnTest.build_conn()}
+ {:ok,
+ conn:
+ Phoenix.ConnTest.build_conn()
+ |> Map.put(:host, Pleroma.Web.Endpoint.host())}
end
end