Fix/mediaproxy whitelist base url. See merge request pleroma/pleroma!1486 (tags/v1.1.4)
@@ -35,6 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). | |||||
- ActivityPub S2S: remote user deletions now work the same as local user deletions. | - ActivityPub S2S: remote user deletions now work the same as local user deletions. | ||||
- Not being able to access the Mastodon FE login page on private instances | - Not being able to access the Mastodon FE login page on private instances | ||||
- Invalid SemVer version generation, when the current branch does not have commits ahead of tag/checked out on a tag | - Invalid SemVer version generation, when the current branch does not have commits ahead of tag/checked out on a tag | ||||
- Pleroma.Upload base_url was not automatically whitelisted by MediaProxy. Now your custom CDN or file hosting will be accessed directly as expected. | |||||
### Added | ### Added | ||||
- MRF: Support for priming the mediaproxy cache (`Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy`) | - MRF: Support for priming the mediaproxy cache (`Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy`) | ||||
@@ -4,6 +4,7 @@ | |||||
defmodule Pleroma.Web.MediaProxy do | defmodule Pleroma.Web.MediaProxy do | ||||
alias Pleroma.Config | alias Pleroma.Config | ||||
alias Pleroma.Upload | |||||
alias Pleroma.Web | alias Pleroma.Web | ||||
@base64_opts [padding: false] | @base64_opts [padding: false] | ||||
@@ -26,7 +27,18 @@ defmodule Pleroma.Web.MediaProxy do | |||||
defp whitelisted?(url) do | defp whitelisted?(url) do | ||||
%{host: domain} = URI.parse(url) | %{host: domain} = URI.parse(url) | ||||
Enum.any?(Config.get([:media_proxy, :whitelist]), fn pattern -> | |||||
mediaproxy_whitelist = Config.get([:media_proxy, :whitelist]) | |||||
upload_base_url_domain = | |||||
if !is_nil(Config.get([Upload, :base_url])) do | |||||
[URI.parse(Config.get([Upload, :base_url])).host] | |||||
else | |||||
[] | |||||
end | |||||
whitelist = mediaproxy_whitelist ++ upload_base_url_domain | |||||
Enum.any?(whitelist, fn pattern -> | |||||
String.equivalent?(domain, pattern) | String.equivalent?(domain, pattern) | ||||
end) | end) | ||||
end | end | ||||
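Review bot: In `whitelisted?/1`, the new `upload_base_url_domain` branch guards only against a nil `base_url`, not against a `base_url` that parses without a host. `URI.parse/1` returns `host: nil` for a scheme-less value such as `media.example.com` (constructed example), so `[nil]` is appended to the whitelist and `String.equivalent?(domain, nil)` would be expected to raise rather than return false for every URL that reaches this check. The `mediaproxy_whitelist ++ ...` concatenation also assumes `Config.get([:media_proxy, :whitelist])` is never nil, which the hunk does not show. Since this list decides which hosts clients fetch from directly instead of through the proxy, I would build it defensively and read each config key once, as below.

```elixir
defp whitelisted?(url) do
  # … unchanged: host extraction from url …
  mediaproxy_whitelist = Config.get([:media_proxy, :whitelist]) || []

  upload_base_url_domain =
    case Config.get([Upload, :base_url]) do
      nil -> []
      # List.wrap/1 turns a nil host (scheme-less base_url) into [] instead of [nil]
      base_url -> List.wrap(URI.parse(base_url).host)
    end

  # … unchanged: whitelist concatenation and Enum.any?/2 match …
```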
@@ -1671,40 +1671,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do | |||||
object = Repo.get(Object, media["id"]) | object = Repo.get(Object, media["id"]) | ||||
assert object.data["actor"] == User.ap_id(conn.assigns[:user]) | assert object.data["actor"] == User.ap_id(conn.assigns[:user]) | ||||
end | end | ||||
test "returns proxied url when media proxy is enabled", %{conn: conn, image: image} do | |||||
Pleroma.Config.put([Pleroma.Upload, :base_url], "https://media.pleroma.social") | |||||
proxy_url = "https://cache.pleroma.social" | |||||
Pleroma.Config.put([:media_proxy, :enabled], true) | |||||
Pleroma.Config.put([:media_proxy, :base_url], proxy_url) | |||||
media = | |||||
conn | |||||
|> post("/api/v1/media", %{"file" => image}) | |||||
|> json_response(:ok) | |||||
assert String.starts_with?(media["url"], proxy_url) | |||||
end | |||||
test "returns media url when proxy is enabled but media url is whitelisted", %{ | |||||
conn: conn, | |||||
image: image | |||||
} do | |||||
media_url = "https://media.pleroma.social" | |||||
Pleroma.Config.put([Pleroma.Upload, :base_url], media_url) | |||||
Pleroma.Config.put([:media_proxy, :enabled], true) | |||||
Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social") | |||||
Pleroma.Config.put([:media_proxy, :whitelist], ["media.pleroma.social"]) | |||||
media = | |||||
conn | |||||
|> post("/api/v1/media", %{"file" => image}) | |||||
|> json_response(:ok) | |||||
assert String.starts_with?(media["url"], media_url) | |||||
end | |||||
end | end | ||||
describe "locked accounts" do | describe "locked accounts" do | ||||
@@ -171,21 +171,6 @@ defmodule Pleroma.Web.MediaProxyTest do | |||||
encoded = url(url) | encoded = url(url) | ||||
assert decode_result(encoded) == url | assert decode_result(encoded) == url | ||||
end | end | ||||
test "does not change whitelisted urls" do | |||||
upload_config = Pleroma.Config.get([Pleroma.Upload]) | |||||
media_url = "https://media.pleroma.social" | |||||
Pleroma.Config.put([Pleroma.Upload, :base_url], media_url) | |||||
Pleroma.Config.put([:media_proxy, :whitelist], ["media.pleroma.social"]) | |||||
Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social") | |||||
url = "#{media_url}/static/logo.png" | |||||
encoded = url(url) | |||||
assert String.starts_with?(encoded, media_url) | |||||
Pleroma.Config.put([Pleroma.Upload], upload_config) | |||||
end | |||||
end | end | ||||
describe "when disabled" do | describe "when disabled" do | ||||
@@ -215,12 +200,43 @@ defmodule Pleroma.Web.MediaProxyTest do | |||||
decoded | decoded | ||||
end | end | ||||
test "mediaproxy whitelist" do | |||||
Pleroma.Config.put([:media_proxy, :enabled], true) | |||||
Pleroma.Config.put([:media_proxy, :whitelist], ["google.com", "feld.me"]) | |||||
url = "https://feld.me/foo.png" | |||||
describe "whitelist" do | |||||
setup do | |||||
Pleroma.Config.put([:media_proxy, :enabled], true) | |||||
:ok | |||||
end | |||||
test "mediaproxy whitelist" do | |||||
Pleroma.Config.put([:media_proxy, :whitelist], ["google.com", "feld.me"]) | |||||
url = "https://feld.me/foo.png" | |||||
unencoded = url(url) | |||||
assert unencoded == url | |||||
end | |||||
test "does not change whitelisted urls" do | |||||
Pleroma.Config.put([:media_proxy, :whitelist], ["mycdn.akamai.com"]) | |||||
Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social") | |||||
media_url = "https://mycdn.akamai.com" | |||||
unencoded = url(url) | |||||
assert unencoded == url | |||||
url = "#{media_url}/static/logo.png" | |||||
encoded = url(url) | |||||
assert String.starts_with?(encoded, media_url) | |||||
end | |||||
test "ensure Pleroma.Upload base_url is always whitelisted" do | |||||
upload_config = Pleroma.Config.get([Pleroma.Upload]) | |||||
media_url = "https://media.pleroma.social" | |||||
Pleroma.Config.put([Pleroma.Upload, :base_url], media_url) | |||||
url = "#{media_url}/static/logo.png" | |||||
encoded = url(url) | |||||
assert String.starts_with?(encoded, media_url) | |||||
Pleroma.Config.put([Pleroma.Upload], upload_config) | |||||
end | |||||
end | end | ||||
end | end |
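Review bot: The test "ensure Pleroma.Upload base_url is always whitelisted" restores the `Pleroma.Upload` config only on its last line, so a failing assertion leaves the overridden `base_url` in place for whatever runs next. Registering `on_exit(fn -> Pleroma.Config.put([Pleroma.Upload], upload_config) end)` right after capturing `upload_config` avoids that. The `[:media_proxy, :enabled]`, `:whitelist` and `:base_url` values written in `setup` and the other two tests are likewise never restored in the lines shown. The new test also does not set `[:media_proxy, :whitelist]` itself, so it relies on what an earlier test left there; pinning it with `Pleroma.Config.put([:media_proxy, :whitelist], [])` would show that the upload host alone triggers the bypass. A negative case asserting that a URL on a host other than the upload host is still rewritten to the proxy would guard the exact-match behaviour.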