commit: ea4225a646b355150fb8e5e8c77d7fdc58b5e7ef
parent 93ad16cca0a5b6acc1308027f798e347f44de4f8
Author: tusooa <tusooa@kazv.moe>
Date: Tue, 18 Jul 2023 18:39:59 -0400
Restrict attachments to only uploaded files only
Diffstat:
4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/changelog.d/attachment-type-check.fix b/changelog.d/attachment-type-check.fix
@@ -0,0 +1 @@
+Restrict attachments to only uploaded files only
diff --git a/lib/pleroma/constants.ex b/lib/pleroma/constants.ex
@@ -81,4 +81,6 @@ defmodule Pleroma.Constants do
const(mime_regex,
do: ~r/^[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+\/[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+(; .*)?$/
)
+
+ const(upload_object_types, do: ["Document", "Image"])
end
diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
@@ -59,7 +59,12 @@ defmodule Pleroma.Web.CommonAPI.Utils do
end
defp get_attachment(media_id) do
- Repo.get(Object, media_id)
+ with %Object{data: data} = object <- Repo.get(Object, media_id),
+ %{"type" => type} when type in Pleroma.Constants.upload_object_types() <- data do
+ object
+ else
+ _ -> nil
+ end
end
@spec get_to_and_cc(ActivityDraft.t()) :: {list(String.t()), list(String.t())}
diff --git a/test/pleroma/web/common_api/utils_test.exs b/test/pleroma/web/common_api/utils_test.exs
@@ -592,7 +592,7 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
end
test "returns list attachments with desc" do
- object = insert(:note)
+ object = insert(:attachment)
desc = Jason.encode!(%{object.id => "test-desc"})
assert Utils.attachments_from_ids_descs(["#{object.id}", "34"], desc) == [
@@ -603,7 +603,7 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
describe "attachments_from_ids/1" do
test "returns attachments with descs" do
- object = insert(:note)
+ object = insert(:attachment)
desc = Jason.encode!(%{object.id => "test-desc"})
assert Utils.attachments_from_ids(%{
@@ -615,13 +615,18 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
end
test "returns attachments without descs" do
- object = insert(:note)
+ object = insert(:attachment)
assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == [object.data]
end
test "returns [] when not pass media_ids" do
assert Utils.attachments_from_ids(%{}) == []
end
+
+ test "checks that the object is of upload type" do
+ object = insert(:note)
+ assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == []
+ end
end
describe "maybe_add_list_data/3" do
