diff options
| author | tusooa <tusooa@kazv.moe> | 2023-07-18 18:39:59 -0400 |
|---|---|---|
| committer | tusooa <tusooa@kazv.moe> | 2023-07-18 18:39:59 -0400 |
| commit | ea4225a646b355150fb8e5e8c77d7fdc58b5e7ef (patch) | |
| tree | d6d16c00a64cb2bd611d0aa25622963f5d192cc2 | |
| parent | 93ad16cca0a5b6acc1308027f798e347f44de4f8 (diff) | |
Restrict attachments to only uploaded files onlytusooa/3154-attachment-type-check
| -rw-r--r-- | changelog.d/attachment-type-check.fix | 1 | ||||
| -rw-r--r-- | lib/pleroma/constants.ex | 2 | ||||
| -rw-r--r-- | lib/pleroma/web/common_api/utils.ex | 7 | ||||
| -rw-r--r-- | test/pleroma/web/common_api/utils_test.exs | 11 |
4 files changed, 17 insertions, 4 deletions
diff --git a/changelog.d/attachment-type-check.fix b/changelog.d/attachment-type-check.fix new file mode 100644 index 000000000..9e14b75f1 --- /dev/null +++ b/changelog.d/attachment-type-check.fix @@ -0,0 +1 @@ +Restrict attachments to only uploaded files only diff --git a/lib/pleroma/constants.ex b/lib/pleroma/constants.ex index 7b4fd03b6..6befc6897 100644 --- a/lib/pleroma/constants.ex +++ b/lib/pleroma/constants.ex @@ -81,4 +81,6 @@ defmodule Pleroma.Constants do const(mime_regex, do: ~r/^[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+\/[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+(; .*)?$/ ) + + const(upload_object_types, do: ["Document", "Image"]) end diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex index a93c97e1e..b9fe0224c 100644 --- a/lib/pleroma/web/common_api/utils.ex +++ b/lib/pleroma/web/common_api/utils.ex @@ -59,7 +59,12 @@ defmodule Pleroma.Web.CommonAPI.Utils do end defp get_attachment(media_id) do - Repo.get(Object, media_id) + with %Object{data: data} = object <- Repo.get(Object, media_id), + %{"type" => type} when type in Pleroma.Constants.upload_object_types() <- data do + object + else + _ -> nil + end end @spec get_to_and_cc(ActivityDraft.t()) :: {list(String.t()), list(String.t())} diff --git a/test/pleroma/web/common_api/utils_test.exs b/test/pleroma/web/common_api/utils_test.exs index d309c6ded..ca5b92683 100644 --- a/test/pleroma/web/common_api/utils_test.exs +++ b/test/pleroma/web/common_api/utils_test.exs @@ -592,7 +592,7 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do end test "returns list attachments with desc" do - object = insert(:note) + object = insert(:attachment) desc = Jason.encode!(%{object.id => "test-desc"}) assert Utils.attachments_from_ids_descs(["#{object.id}", "34"], desc) == [ @@ -603,7 +603,7 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do describe "attachments_from_ids/1" do test "returns attachments with descs" do - object = insert(:note) + object = insert(:attachment) desc = Jason.encode!(%{object.id => "test-desc"}) assert Utils.attachments_from_ids(%{ @@ -615,13 +615,18 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do end test "returns attachments without descs" do - object = insert(:note) + object = insert(:attachment) assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == [object.data] end test "returns [] when not pass media_ids" do assert Utils.attachments_from_ids(%{}) == [] end + + test "checks that the object is of upload type" do + object = insert(:note) + assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == [] + end end describe "maybe_add_list_data/3" do |