Merge branch 'fix/mrf-subdomain-case-insensitive' into 'develop'

MRF: ensure that subdomain_match calls are case-insensitive

See merge request pleroma/pleroma!1550

3 files changed, 21 insertions, 6 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bfc73c8df..6f1a22359 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Invalid SemVer version generation, when the current branch does not have commits ahead of tag/checked out on a tag
 - Pleroma.Upload base_url was not automatically whitelisted by MediaProxy. Now your custom CDN or file hosting will be accessed directly as expected.
 - Report email not being sent to admins when the reporter is a remote user
+- MRF: ensure that subdomain_match calls are case-insensitive
 
 ### Added
 - MRF: Support for priming the mediaproxy cache (`Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy`)
diff --git a/lib/pleroma/web/activity_pub/mrf.ex b/lib/pleroma/web/activity_pub/mrf.ex
index dd204b21c..caa2a3231 100644
--- a/lib/pleroma/web/activity_pub/mrf.ex
+++ b/lib/pleroma/web/activity_pub/mrf.ex
@@ -28,7 +28,7 @@ defmodule Pleroma.Web.ActivityPub.MRF do
 
   @spec subdomains_regex([String.t()]) :: [Regex.t()]
   def subdomains_regex(domains) when is_list(domains) do
-    for domain <- domains, do: ~r(^#{String.replace(domain, "*.", "(.*\\.)*")}$)
+    for domain <- domains, do: ~r(^#{String.replace(domain, "*.", "(.*\\.)*")}$)i
   end
 
   @spec subdomain_match?([Regex.t()], String.t()) :: boolean()
diff --git a/test/web/activity_pub/mrf/mrf_test.exs b/test/web/activity_pub/mrf/mrf_test.exs
index a9cdf5317..1a888e18f 100644
--- a/test/web/activity_pub/mrf/mrf_test.exs
+++ b/test/web/activity_pub/mrf/mrf_test.exs
@@ -4,8 +4,8 @@ defmodule Pleroma.Web.ActivityPub.MRFTest do
 
   test "subdomains_regex/1" do
     assert MRF.subdomains_regex(["unsafe.tld", "*.unsafe.tld"]) == [
-             ~r/^unsafe.tld$/,
-             ~r/^(.*\.)*unsafe.tld$/
+             ~r/^unsafe.tld$/i,
+             ~r/^(.*\.)*unsafe.tld$/i
            ]
   end
 
@@ -13,7 +13,7 @@ defmodule Pleroma.Web.ActivityPub.MRFTest do
     test "common domains" do
       regexes = MRF.subdomains_regex(["unsafe.tld", "unsafe2.tld"])
 
-      assert regexes == [~r/^unsafe.tld$/, ~r/^unsafe2.tld$/]
+      assert regexes == [~r/^unsafe.tld$/i, ~r/^unsafe2.tld$/i]
 
       assert MRF.subdomain_match?(regexes, "unsafe.tld")
       assert MRF.subdomain_match?(regexes, "unsafe2.tld")
@@ -24,7 +24,7 @@ defmodule Pleroma.Web.ActivityPub.MRFTest do
     test "wildcard domains with one subdomain" do
       regexes = MRF.subdomains_regex(["*.unsafe.tld"])
 
-      assert regexes == [~r/^(.*\.)*unsafe.tld$/]
+      assert regexes == [~r/^(.*\.)*unsafe.tld$/i]
 
       assert MRF.subdomain_match?(regexes, "unsafe.tld")
       assert MRF.subdomain_match?(regexes, "sub.unsafe.tld")
@@ -35,12 +35,26 @@ defmodule Pleroma.Web.ActivityPub.MRFTest do
     test "wildcard domains with two subdomains" do
       regexes = MRF.subdomains_regex(["*.unsafe.tld"])
 
-      assert regexes == [~r/^(.*\.)*unsafe.tld$/]
+      assert regexes == [~r/^(.*\.)*unsafe.tld$/i]
 
       assert MRF.subdomain_match?(regexes, "unsafe.tld")
       assert MRF.subdomain_match?(regexes, "sub.sub.unsafe.tld")
       refute MRF.subdomain_match?(regexes, "sub.anotherunsafe.tld")
       refute MRF.subdomain_match?(regexes, "sub.unsafe.tldanother")
     end
+
+    test "matches are case-insensitive" do
+      regexes = MRF.subdomains_regex(["UnSafe.TLD", "UnSAFE2.Tld"])
+
+      assert regexes == [~r/^UnSafe.TLD$/i, ~r/^UnSAFE2.Tld$/i]
+
+      assert MRF.subdomain_match?(regexes, "UNSAFE.TLD")
+      assert MRF.subdomain_match?(regexes, "UNSAFE2.TLD")
+      assert MRF.subdomain_match?(regexes, "unsafe.tld")
+      assert MRF.subdomain_match?(regexes, "unsafe2.tld")
+
+      refute MRF.subdomain_match?(regexes, "EXAMPLE.COM")
+      refute MRF.subdomain_match?(regexes, "example.com")
+    end
   end
 end