authorSergey Suprunenko <suprunenko.s@gmail.com>2020-07-31 19:43:11 +0200
committerSergey Suprunenko <suprunenko.s@gmail.com>2020-11-29 18:10:56 +0100
commit3000f3ff7c09057da51a07a0f51bb34bc1e4818d (patch)
tree8a7c7b0e94eebdd552b0a591cb5f8f2de812ebd0
parent19713aca3edb76c0aad71fbbba47df791a3fa7a9 (diff)
downloadpleroma-3000f3ff7c09057da51a07a0f51bb34bc1e4818d.tar.gz
Check for custom filename extension
-rw-r--r--lib/pleroma/upload.ex11
-rw-r--r--test/pleroma/upload_test.exs15
-rw-r--r--test/pleroma/web/mastodon_api/controllers/media_controller_test.exs26
3 files changed, 52 insertions, 0 deletions
diff --git a/lib/pleroma/upload.ex b/lib/pleroma/upload.ex
index cc4dcf45e..47279dc0b 100644
--- a/lib/pleroma/upload.ex
+++ b/lib/pleroma/upload.ex
@@ -72,6 +72,7 @@ defmodule Pleroma.Upload do
with {:ok, upload} <- prepare_upload(upload, opts),
upload = %__MODULE__{upload | path: upload.path || "#{upload.id}/#{upload.name}"},
+ :ok <- check_filename_extension(upload.name, opts),
{:ok, upload} <- Pleroma.Upload.Filter.filter(opts.filters, upload),
description = get_description(opts, upload),
{_, true} <-
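Review bot: The new `:ok <- check_filename_extension(upload.name, opts)` step adds a failure that any client can trigger through its choice of filename, and the `@tag capture_log: true` on both new tests suggests the rejection is written to the log, presumably by an `else` clause outside this hunk. If so, a routine validation failure is recorded like a storage fault, which adds noise to whatever alerting watches upload errors. Consider returning `{:error, :invalid_filename_extension}` without logging, as the description-limit rejection appears to do, since its test carries no `capture_log` tag. The `with` expression starts and ends outside the hunk, so the `else` branch could not be checked here.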
@@ -199,6 +200,16 @@ defmodule Pleroma.Upload do
defp check_file_size(_, _), do: :ok
+ defp check_filename_extension(name, %{filename: filename}) when is_binary(filename) do
+ if Path.extname(name) == Path.extname(filename) do
+ :ok
+ else
+ {:error, :invalid_filename_extension}
+ end
+ end
+
+ defp check_filename_extension(_, _), do: :ok
+
# Creates a tempfile using the Plug.Upload Genserver which cleans them up
# automatically.
defp tempfile_for_image(data) do
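Review bot: In `check_filename_extension/2` the comparison `Path.extname(name) == Path.extname(filename)` is byte-exact, so a custom name that differs only in case (`photo.JPG` for an upload named `photo.jpg`) is rejected. Normalising both sides, `String.downcase(Path.extname(name)) == String.downcase(Path.extname(filename))`, would avoid that. Both strings appear to be client-supplied: the tests pass the original name in `%Plug.Upload{filename: ...}` and the custom one in the `filename` option. The check therefore only keeps the custom name consistent with the uploaded name and says nothing about the file's content. A comment above the first clause would make that scope explicit, e.g. `# Rejects a custom filename whose extension differs from the uploaded name's; does not inspect file content.`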
diff --git a/test/pleroma/upload_test.exs b/test/pleroma/upload_test.exs
index e975f57c3..fc5b0acc4 100644
--- a/test/pleroma/upload_test.exs
+++ b/test/pleroma/upload_test.exs
@@ -157,6 +157,21 @@ defmodule Pleroma.UploadTest do
assert data["filename"] == filename
end
+ @tag capture_log: true
+ test "raise error when custom filename has different extension than original one" do
+ File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg")
+
+ fake_name = "free_coins.exe"
+
+ file = %Plug.Upload{
+ content_type: "image/jpg",
+ path: Path.absname("test/fixtures/image_tmp.jpg"),
+ filename: "image_tmp.jpg"
+ }
+
+ assert Upload.store(file, filename: fake_name) == {:error, :invalid_filename_extension}
+ end
+
test "returns a media url" do
File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg")
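Review bot: The test name says "raise error", but the assertion on `Upload.store(file, filename: fake_name)` checks a returned `{:error, :invalid_filename_extension}` tuple, so nothing is raised. Renaming it to `test "returns error when custom filename has different extension than original one" do` would match the wording of the controller test. Only the mismatch case is exercised here; a case for a custom name with no extension at all would pin down how `Path.extname/1` returning `""` is treated. The following "returns a media url" test continues outside the hunk.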
diff --git a/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
index 5aa077cef..c471c0366 100644
--- a/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
+++ b/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
@@ -71,6 +71,32 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
object = Object.get_by_id(media["id"])
assert object.data["actor"] == user.ap_id
end
+
+ test "returns error when description is too long", %{conn: conn, image: image} do
+ clear_config([:instance, :description_limit], 2)
+
+ response =
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/v1/media", %{"file" => image, "description" => "test-media"})
+ |> json_response(400)
+
+ assert response["error"] == "description_too_long"
+ end
+
+ @tag capture_log: true
+ test "returns error when custom filename has different extension than original one", %{
+ conn: conn,
+ image: image
+ } do
+ response =
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/v1/media", %{"file" => image, "filename" => "wrong.gif"})
+ |> json_response(400)
+
+ assert response["error"] == "invalid_filename_extension"
+ end
end
describe "Update media description" do