Check for custom filename extension

2020-07-31 19:43:11 +02:00 · 2020-07-31 19:43:11 +02:00 · 3000f3ff7c
commit 3000f3ff7c
parent 19713aca3e
3 changed files with 52 additions and 0 deletions
--- a/lib/pleroma/upload.ex
+++ b/lib/pleroma/upload.ex
@ -72,6 +72,7 @@ defmodule Pleroma.Upload do

    with {:ok, upload} <- prepare_upload(upload, opts),
         upload = %__MODULE__{upload | path: upload.path || "#{upload.id}/#{upload.name}"},
+         :ok <- check_filename_extension(upload.name, opts),
         {:ok, upload} <- Pleroma.Upload.Filter.filter(opts.filters, upload),
         description = get_description(opts, upload),
         {_, true} <-
@ -199,6 +200,16 @@ defmodule Pleroma.Upload do

  defp check_file_size(_, _), do: :ok

+  defp check_filename_extension(name, %{filename: filename}) when is_binary(filename) do
+    if Path.extname(name) == Path.extname(filename) do
+      :ok
+    else
+      {:error, :invalid_filename_extension}
+    end
+  end
+
+  defp check_filename_extension(_, _), do: :ok
+
  # Creates a tempfile using the Plug.Upload Genserver which cleans them up
  # automatically.
  defp tempfile_for_image(data) do
--- a/test/pleroma/upload_test.exs
+++ b/test/pleroma/upload_test.exs
@ -157,6 +157,21 @@ defmodule Pleroma.UploadTest do
      assert data["filename"] == filename
    end

+    @tag capture_log: true
+    test "raise error when custom filename has different extension than original one" do
+      File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg")
+
+      fake_name = "free_coins.exe"
+
+      file = %Plug.Upload{
+        content_type: "image/jpg",
+        path: Path.absname("test/fixtures/image_tmp.jpg"),
+        filename: "image_tmp.jpg"
+      }
+
+      assert Upload.store(file, filename: fake_name) == {:error, :invalid_filename_extension}
+    end
+
    test "returns a media url" do
      File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg")

--- a/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
+++ b/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
@ -71,6 +71,32 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
      object = Object.get_by_id(media["id"])
      assert object.data["actor"] == user.ap_id
    end
+
+    test "returns error when description is too long", %{conn: conn, image: image} do
+      clear_config([:instance, :description_limit], 2)
+
+      response =
+        conn
+        |> put_req_header("content-type", "multipart/form-data")
+        |> post("/api/v1/media", %{"file" => image, "description" => "test-media"})
+        |> json_response(400)
+
+      assert response["error"] == "description_too_long"
+    end
+
+    @tag capture_log: true
+    test "returns error when custom filename has different extension than original one", %{
+      conn: conn,
+      image: image
+    } do
+      response =
+        conn
+        |> put_req_header("content-type", "multipart/form-data")
+        |> post("/api/v1/media", %{"file" => image, "filename" => "wrong.gif"})
+        |> json_response(400)
+
+      assert response["error"] == "invalid_filename_extension"
+    end
  end

  describe "Update media description" do