logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://anongit.hacktivis.me/git/pleroma.git/

media_controller_test.exs (9797B)

    

  1. # Pleroma: A lightweight social networking server
  2. # Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
  3. # SPDX-License-Identifier: AGPL-3.0-only
  5. defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
  6.   use Pleroma.Web.ConnCase
  8.   import ExUnit.CaptureLog
  9.   import Mox
  11.   alias Pleroma.Object
  12.   alias Pleroma.UnstubbedConfigMock, as: ConfigMock
  13.   alias Pleroma.User
  14.   alias Pleroma.Web.ActivityPub.ActivityPub
  16.   describe "Upload media" do
  17.     setup do: oauth_access(["write:media"])
  19.     setup do
  20.       ConfigMock
  21.       |> stub_with(Pleroma.Test.StaticConfig)
  23.       image = %Plug.Upload{
  24.         content_type: "image/jpeg",
  25.         path: Path.absname("test/fixtures/image.jpg"),
  26.         filename: "an_image.jpg"
  27.       }
  29.       [image: image]
  30.     end
  32.     setup do: clear_config([:media_proxy])
  33.     setup do: clear_config([Pleroma.Upload])
  35.     test "/api/v1/media", %{conn: conn, image: image} do
  36.       desc = "Description of the image"
  38.       media =
  39.         conn
  40.         |> put_req_header("content-type", "multipart/form-data")
  41.         |> post("/api/v1/media", %{"file" => image, "description" => desc})
  42.         |> json_response_and_validate_schema(:ok)
  44.       assert media["type"] == "image"
  45.       assert media["description"] == desc
  46.       assert media["id"]
  48.       object = Object.get_by_id(media["id"])
  49.       assert object.data["actor"] == User.ap_id(conn.assigns[:user])
  50.     end
  52.     test "/api/v2/media", %{conn: conn, user: user, image: image} do
  53.       desc = "Description of the image"
  55.       response =
  56.         conn
  57.         |> put_req_header("content-type", "multipart/form-data")
  58.         |> post("/api/v2/media", %{"file" => image, "description" => desc})
  59.         |> json_response_and_validate_schema(200)
  61.       assert media_id = response["id"]
  63.       %{conn: conn} = oauth_access(["read:media"], user: user)
  65.       media =
  66.         conn
  67.         |> get("/api/v1/media/#{media_id}")
  68.         |> json_response_and_validate_schema(200)
  70.       assert media["type"] == "image"
  71.       assert media["description"] == desc
  72.       assert media["id"]
  74.       object = Object.get_by_id(media["id"])
  75.       assert object.data["actor"] == user.ap_id
  76.     end
  78.     test "/api/v2/media, upload_limit", %{conn: conn, user: user} do
  79.       clear_config([Pleroma.Upload, :uploader], Pleroma.Uploaders.Local)
  80.       desc = "Description of the binary"
  82.       upload_limit = Config.get([:instance, :upload_limit]) * 8 + 8
  84.       assert :ok ==
  85.                File.write(Path.absname("test/tmp/large_binary.data"), <<0::size(upload_limit)>>)
  87.       large_binary = %Plug.Upload{
  88.         content_type: nil,
  89.         path: Path.absname("test/tmp/large_binary.data"),
  90.         filename: "large_binary.data"
  91.       }
  93.       assert capture_log(fn ->
  94.                assert %{"error" => "file_too_large"} =
  95.                         conn
  96.                         |> put_req_header("content-type", "multipart/form-data")
  97.                         |> post("/api/v2/media", %{
  98.                           "file" => large_binary,
  99.                           "description" => desc
  100.                         })
  101.                         |> json_response_and_validate_schema(400)
  102.              end) =~
  103.                "[error] Elixir.Pleroma.Upload store (using Pleroma.Uploaders.Local) failed: :file_too_large"
  105.       clear_config([:instance, :upload_limit], upload_limit)
  107.       assert response =
  108.                conn
  109.                |> put_req_header("content-type", "multipart/form-data")
  110.                |> post("/api/v2/media", %{
  111.                  "file" => large_binary,
  112.                  "description" => desc
  113.                })
  114.                |> json_response_and_validate_schema(200)
  116.       assert media_id = response["id"]
  118.       %{conn: conn} = oauth_access(["read:media"], user: user)
  120.       media =
  121.         conn
  122.         |> get("/api/v1/media/#{media_id}")
  123.         |> json_response_and_validate_schema(200)
  125.       assert media["type"] == "unknown"
  126.       assert media["description"] == desc
  127.       assert media["id"]
  129.       assert :ok == File.rm(Path.absname("test/tmp/large_binary.data"))
  130.     end
  132.     test "Do not allow nested filename", %{conn: conn, image: image} do
  133.       image = %Plug.Upload{
  134.         image
  135.         | filename: "../../../../../nested/file.jpg"
  136.       }
  138.       desc = "Description of the image"
  140.       media =
  141.         conn
  142.         |> put_req_header("content-type", "multipart/form-data")
  143.         |> post("/api/v1/media", %{"file" => image, "description" => desc})
  144.         |> json_response_and_validate_schema(:ok)
  146.       refute Regex.match?(~r"/nested/", media["url"])
  147.     end
  148.   end
  150.   describe "Update media description" do
  151.     setup do: oauth_access(["write:media"])
  153.     setup %{user: actor} do
  154.       ConfigMock
  155.       |> stub_with(Pleroma.Test.StaticConfig)
  157.       file = %Plug.Upload{
  158.         content_type: "image/jpeg",
  159.         path: Path.absname("test/fixtures/image.jpg"),
  160.         filename: "an_image.jpg"
  161.       }
  163.       {:ok, %Object{} = object} =
  164.         ActivityPub.upload(
  165.           file,
  166.           actor: User.ap_id(actor),
  167.           description: "test-m"
  168.         )
  170.       [object: object]
  171.     end
  173.     test "/api/v1/media/:id good request", %{conn: conn, object: object} do
  174.       media =
  175.         conn
  176.         |> put_req_header("content-type", "multipart/form-data")
  177.         |> put("/api/v1/media/#{object.id}", %{"description" => "test-media"})
  178.         |> json_response_and_validate_schema(:ok)
  180.       assert media["description"] == "test-media"
  181.       assert refresh_record(object).data["name"] == "test-media"
  182.     end
  183.   end
  185.   describe "Get media by id (/api/v1/media/:id)" do
  186.     setup do: oauth_access(["read:media"])
  188.     setup %{user: actor} do
  189.       ConfigMock
  190.       |> stub_with(Pleroma.Test.StaticConfig)
  192.       file = %Plug.Upload{
  193.         content_type: "image/jpeg",
  194.         path: Path.absname("test/fixtures/image.jpg"),
  195.         filename: "an_image.jpg"
  196.       }
  198.       {:ok, %Object{} = object} =
  199.         ActivityPub.upload(
  200.           file,
  201.           actor: User.ap_id(actor),
  202.           description: "test-media"
  203.         )
  205.       [object: object]
  206.     end
  208.     test "it returns media object when requested by owner", %{conn: conn, object: object} do
  209.       media =
  210.         conn
  211.         |> get("/api/v1/media/#{object.id}")
  212.         |> json_response_and_validate_schema(:ok)
  214.       assert media["description"] == "test-media"
  215.       assert media["type"] == "image"
  216.       assert media["id"]
  217.     end
  219.     test "it returns 403 if media object requested by non-owner", %{object: object, user: user} do
  220.       %{conn: conn, user: other_user} = oauth_access(["read:media"])
  222.       assert object.data["actor"] == user.ap_id
  223.       refute user.id == other_user.id
  225.       conn
  226.       |> get("/api/v1/media/#{object.id}")
  227.       |> json_response_and_validate_schema(403)
  228.     end
  229.   end
  231.   describe "Content-Type sanitization" do
  232.     setup do: oauth_access(["write:media", "read:media"])
  234.     setup do
  235.       ConfigMock
  236.       |> stub_with(Pleroma.Test.StaticConfig)
  238.       config =
  239.         Pleroma.Config.get([Pleroma.Upload])
  240.         |> Keyword.put(:uploader, Pleroma.Uploaders.Local)
  242.       clear_config([Pleroma.Upload], config)
  243.       clear_config([Pleroma.Upload, :allowed_mime_types], ["image", "audio", "video"])
  245.       # Create a file with a malicious content type and dangerous extension
  246.       malicious_file = %Plug.Upload{
  247.         content_type: "application/activity+json",
  248.         path: Path.absname("test/fixtures/image.jpg"),
  249.         # JSON extension to make MIME.from_path detect application/json
  250.         filename: "malicious.json"
  251.       }
  253.       [malicious_file: malicious_file]
  254.     end
  256.     test "sanitizes malicious content types when serving media", %{
  257.       conn: conn,
  258.       malicious_file: malicious_file
  259.     } do
  260.       # First upload the file with the malicious content type
  261.       media =
  262.         conn
  263.         |> put_req_header("content-type", "multipart/form-data")
  264.         |> post("/api/v1/media", %{"file" => malicious_file})
  265.         |> json_response_and_validate_schema(:ok)
  267.       # Get the file URL from the response
  268.       url = media["url"]
  270.       # Now make a direct request to the media URL and check the content-type header
  271.       response =
  272.         build_conn()
  273.         |> get(URI.parse(url).path)
  275.       # Find the content-type header
  276.       content_type_header =
  277.         Enum.find(response.resp_headers, fn {name, _} -> name == "content-type" end)
  279.       # The server should detect the application/json MIME type from the .json extension
  280.       # and replace it with application/octet-stream since it's not in allowed_mime_types
  281.       assert content_type_header == {"content-type", "application/octet-stream"}
  283.       # Verify that the file was still served correctly
  284.       assert response.status == 200
  285.     end
  287.     test "allows safe content types", %{conn: conn} do
  288.       safe_image = %Plug.Upload{
  289.         content_type: "image/jpeg",
  290.         path: Path.absname("test/fixtures/image.jpg"),
  291.         filename: "safe_image.jpg"
  292.       }
  294.       # Upload a file with a safe content type
  295.       media =
  296.         conn
  297.         |> put_req_header("content-type", "multipart/form-data")
  298.         |> post("/api/v1/media", %{"file" => safe_image})
  299.         |> json_response_and_validate_schema(:ok)
  301.       # Get the file URL from the response
  302.       url = media["url"]
  304.       # Make a direct request to the media URL and check the content-type header
  305.       response =
  306.         build_conn()
  307.         |> get(URI.parse(url).path)
  309.       # The server should preserve the image/jpeg MIME type since it's allowed
  310.       content_type_header =
  311.         Enum.find(response.resp_headers, fn {name, _} -> name == "content-type" end)
  313.       assert content_type_header == {"content-type", "image/jpeg"}
  315.       # Verify that the file was served correctly
  316.       assert response.status == 200
  317.     end
  318.   end
  319. end