From 3000f3ff7c09057da51a07a0f51bb34bc1e4818d Mon Sep 17 00:00:00 2001
From: Sergey Suprunenko
Date: Fri, 31 Jul 2020 19:43:11 +0200
Subject: [PATCH] Check for custom filename extension
---
 lib/pleroma/upload.ex | 11 +++++++++
 test/pleroma/upload_test.exs | 15 +++++++++++++
 .../controllers/media_controller_test.exs | 26 ++++++++++++++++++++++
 3 files changed, 52 insertions(+)
diff --git a/lib/pleroma/upload.ex b/lib/pleroma/upload.ex
index cc4dcf45e..47279dc0b 100644
--- a/lib/pleroma/upload.ex
+++ b/lib/pleroma/upload.ex
@@ -72,6 +72,7 @@ defmodule Pleroma.Upload do
 
 with {:ok, upload} <- prepare_upload(upload, opts),
 upload = %__MODULE__{upload | path: upload.path || "#{upload.id}/#{upload.name}"},
+ :ok <- check_filename_extension(upload.name, opts),
 {:ok, upload} <- Pleroma.Upload.Filter.filter(opts.filters, upload),
 description = get_description(opts, upload),
 {_, true} <-
@@ -199,6 +200,16 @@ defmodule Pleroma.Upload do
 
 defp check_file_size(_, _), do: :ok
 
+ defp check_filename_extension(name, %{filename: filename}) when is_binary(filename) do
+ if Path.extname(name) == Path.extname(filename) do
+ :ok
+ else
+ {:error, :invalid_filename_extension}
+ end
+ end
+
+ defp check_filename_extension(_, _), do: :ok
+
 # Creates a tempfile using the Plug.Upload Genserver which cleans them up
 # automatically.
 defp tempfile_for_image(data) do
diff --git a/test/pleroma/upload_test.exs b/test/pleroma/upload_test.exs
index e975f57c3..fc5b0acc4 100644
--- a/test/pleroma/upload_test.exs
+++ b/test/pleroma/upload_test.exs
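Review bot: The new `:ok <- check_filename_extension(upload.name, opts)` clause compares two values that both originate from the client — `upload.name` comes out of `prepare_upload` (presumably from the `Plug.Upload` filename) and `opts.filename` is the caller-supplied custom name — so it enforces consistency between them, not that the extension is safe for the file's actual content. A reader may otherwise take this line for the guard that keeps a `.exe` upload out, which it is not; whatever validates the original name against the detected content type is outside this hunk and I cannot confirm it exists. I would mark that on the line: `# custom filename must keep the uploaded file's extension; this does not validate the extension itself`. The check also runs before `Pleroma.Upload.Filter.filter`, so if a filter later renames the file the comparison was against a name that no longer applies — worth a sentence in the commit message either way. The enclosing `store` function starts before and ends after this hunk.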
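Review bot: `Path.extname(name) == Path.extname(filename)` is a byte-wise comparison, so an upload named `photo.JPG` with a custom filename `holiday.jpg` is rejected with `:invalid_filename_extension` even though the extensions are the same type; comparing `String.downcase(Path.extname(name)) == String.downcase(Path.extname(filename))` keeps the check strict without rejecting legitimate case variants. Note also that two names with no extension at all compare as `"" == ""` and pass, which may be intended but is not obvious. Since the function's purpose is security-motivated, it deserves a comment stating the contract: that it only rejects a custom filename whose extension differs from the uploaded one and does not itself vet the extension or content type, and that the second clause deliberately accepts anything when no custom `:filename` option is set.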
@@ -157,6 +157,21 @@ defmodule Pleroma.UploadTest do
 assert data["filename"] == filename
 end
 
+ @tag capture_log: true
+ test "raise error when custom filename has different extension than original one" do
+ File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg")
+
+ fake_name = "free_coins.exe"
+
+ file = %Plug.Upload{
+ content_type: "image/jpg",
+ path: Path.absname("test/fixtures/image_tmp.jpg"),
+ filename: "image_tmp.jpg"
+ }
+
+ assert Upload.store(file, filename: fake_name) == {:error, :invalid_filename_extension}
+ end
+
 test "returns a media url" do
 File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg")
 
diff --git a/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
index 5aa077cef..c471c0366 100644
--- a/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
+++ b/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
@@ -71,6 +71,32 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
 object = Object.get_by_id(media["id"])
 assert object.data["actor"] == user.ap_id
 end
+
+ test "returns error when description is too long", %{conn: conn, image: image} do
+ clear_config([:instance, :description_limit], 2)
+
+ response =
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/v1/media", %{"file" => image, "description" => "test-media"})
+ |> json_response(400)
+
+ assert response["error"] == "description_too_long"
+ end
+
+ @tag capture_log: true
+ test "returns error when custom filename has different extension than original one", %{
+ conn: conn,
+ image: image
+ } do
+ response =
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/v1/media", %{"file" => image, "filename" => "wrong.gif"})
+ |> json_response(400)
+
+ assert response["error"] == "invalid_filename_extension"
+ end
 end
 
 describe "Update media description" do
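Review bot: The new test pins only the rejection path; nothing in this hunk shows that a custom filename with the same extension is still accepted, so a regression that rejects every custom name (for instance an inverted comparison) would pass this suite. I would add the positive counterpart right after the existing assertion, `assert {:ok, _} = Upload.store(file, filename: "free_coins.jpg")`, hedged on `store` returning an `{:ok, _}` tuple on success as the surrounding tests appear to assume. A case-variant input such as `"free_coins.JPG"` is also worth pinning one way or the other, since the check as written is case-sensitive. The `content_type: "image/jpg"` in the fixture is not a registered MIME type (`image/jpeg` is), which does not affect this test but will mislead anyone copying the fixture.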
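Review bot: The first added test, `"returns error when description is too long"`, exercises the `description_limit` setting and has nothing to do with the filename-extension check named in the commit subject; it should either be split into its own commit or mentioned in the message so the diffstat is not surprising. For the second test, `"wrong.gif"` only proves the mismatch path at the controller level — there is no request showing that a custom filename with the matching extension is accepted and applied, so the 400 could equally come from any custom filename being refused. Whether the `image` fixture from `setup` is a `.jpg` is not visible in this hunk, so the test's correctness rests on that fixture keeping its extension.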