Fix/mediaproxy whitelist base url

4 years ago · d93d777915
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - ActivityPub S2S: remote user deletions now work the same as local user deletions.
 - Not being able to access the Mastodon FE login page on private instances
 - Invalid SemVer version generation, when the current branch does not have commits ahead of tag/checked out on a tag
 - Pleroma.Upload base_url was not automatically whitelisted by MediaProxy. Now your custom CDN or file hosting will be accessed directly as expected.

 ### Added
 - MRF: Support for priming the mediaproxy cache (`Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy`)
--- a/lib/pleroma/web/media_proxy/media_proxy.ex
+++ b/lib/pleroma/web/media_proxy/media_proxy.ex
@@ -4,6 +4,7 @@

 defmodule Pleroma.Web.MediaProxy do
  alias Pleroma.Config
  alias Pleroma.Upload
  alias Pleroma.Web

  @base64_opts [padding: false]
@@ -26,7 +27,18 @@ defmodule Pleroma.Web.MediaProxy do
  defp whitelisted?(url) do
    %{host: domain} = URI.parse(url)

    Enum.any?(Config.get([:media_proxy, :whitelist]), fn pattern ->
    mediaproxy_whitelist = Config.get([:media_proxy, :whitelist])

    upload_base_url_domain =
      if !is_nil(Config.get([Upload, :base_url])) do
        [URI.parse(Config.get([Upload, :base_url])).host]
      else
        []
      end

    whitelist = mediaproxy_whitelist ++ upload_base_url_domain

    Enum.any?(whitelist, fn pattern ->
      String.equivalent?(domain, pattern)
    end)
  end
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -1671,40 +1671,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
      object = Repo.get(Object, media["id"])
      assert object.data["actor"] == User.ap_id(conn.assigns[:user])
    end

    test "returns proxied url when media proxy is enabled", %{conn: conn, image: image} do
      Pleroma.Config.put([Pleroma.Upload, :base_url], "https://media.pleroma.social")

      proxy_url = "https://cache.pleroma.social"
      Pleroma.Config.put([:media_proxy, :enabled], true)
      Pleroma.Config.put([:media_proxy, :base_url], proxy_url)

      media =
        conn
        |> post("/api/v1/media", %{"file" => image})
        |> json_response(:ok)

      assert String.starts_with?(media["url"], proxy_url)
    end

    test "returns media url when proxy is enabled but media url is whitelisted", %{
      conn: conn,
      image: image
    } do
      media_url = "https://media.pleroma.social"
      Pleroma.Config.put([Pleroma.Upload, :base_url], media_url)

      Pleroma.Config.put([:media_proxy, :enabled], true)
      Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social")
      Pleroma.Config.put([:media_proxy, :whitelist], ["media.pleroma.social"])

      media =
        conn
        |> post("/api/v1/media", %{"file" => image})
        |> json_response(:ok)

      assert String.starts_with?(media["url"], media_url)
    end
  end

  describe "locked accounts" do
--- a/test/web/media_proxy/media_proxy_test.exs
+++ b/test/web/media_proxy/media_proxy_test.exs
@@ -171,21 +171,6 @@ defmodule Pleroma.Web.MediaProxyTest do
      encoded = url(url)
      assert decode_result(encoded) == url
    end

    test "does not change whitelisted urls" do
      upload_config = Pleroma.Config.get([Pleroma.Upload])
      media_url = "https://media.pleroma.social"
      Pleroma.Config.put([Pleroma.Upload, :base_url], media_url)
      Pleroma.Config.put([:media_proxy, :whitelist], ["media.pleroma.social"])
      Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social")

      url = "#{media_url}/static/logo.png"
      encoded = url(url)

      assert String.starts_with?(encoded, media_url)

      Pleroma.Config.put([Pleroma.Upload], upload_config)
    end
  end

  describe "when disabled" do
@@ -215,12 +200,43 @@ defmodule Pleroma.Web.MediaProxyTest do
    decoded
  end

  test "mediaproxy whitelist" do
    Pleroma.Config.put([:media_proxy, :enabled], true)
    Pleroma.Config.put([:media_proxy, :whitelist], ["google.com", "feld.me"])
    url = "https://feld.me/foo.png"
  describe "whitelist" do
    setup do
      Pleroma.Config.put([:media_proxy, :enabled], true)
      :ok
    end

    test "mediaproxy whitelist" do
      Pleroma.Config.put([:media_proxy, :whitelist], ["google.com", "feld.me"])
      url = "https://feld.me/foo.png"

      unencoded = url(url)
      assert unencoded == url
    end

    test "does not change whitelisted urls" do
      Pleroma.Config.put([:media_proxy, :whitelist], ["mycdn.akamai.com"])
      Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social")

      media_url = "https://mycdn.akamai.com"

    unencoded = url(url)
    assert unencoded == url
      url = "#{media_url}/static/logo.png"
      encoded = url(url)

      assert String.starts_with?(encoded, media_url)
    end

    test "ensure Pleroma.Upload base_url is always whitelisted" do
      upload_config = Pleroma.Config.get([Pleroma.Upload])
      media_url = "https://media.pleroma.social"
      Pleroma.Config.put([Pleroma.Upload, :base_url], media_url)

      url = "#{media_url}/static/logo.png"
      encoded = url(url)

      assert String.starts_with?(encoded, media_url)

      Pleroma.Config.put([Pleroma.Upload], upload_config)
    end
  end
 end