Fix/mediaproxy whitelist base url

4 files changed, 51 insertions, 56 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6fdc432ef..4fa9ffd9b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - ActivityPub S2S: remote user deletions now work the same as local user deletions.
 - Not being able to access the Mastodon FE login page on private instances
 - Invalid SemVer version generation, when the current branch does not have commits ahead of tag/checked out on a tag
+- Pleroma.Upload base_url was not automatically whitelisted by MediaProxy. Now your custom CDN or file hosting will be accessed directly as expected.
 
 ### Added
 - MRF: Support for priming the mediaproxy cache (`Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy`)
diff --git a/lib/pleroma/web/media_proxy/media_proxy.ex b/lib/pleroma/web/media_proxy/media_proxy.ex
index a661e9bb7..1725ab071 100644
--- a/lib/pleroma/web/media_proxy/media_proxy.ex
+++ b/lib/pleroma/web/media_proxy/media_proxy.ex
@@ -4,6 +4,7 @@
 
 defmodule Pleroma.Web.MediaProxy do
   alias Pleroma.Config
+  alias Pleroma.Upload
   alias Pleroma.Web
 
   @base64_opts [padding: false]
@@ -26,7 +27,18 @@ defmodule Pleroma.Web.MediaProxy do
   defp whitelisted?(url) do
     %{host: domain} = URI.parse(url)
 
-    Enum.any?(Config.get([:media_proxy, :whitelist]), fn pattern ->
+    mediaproxy_whitelist = Config.get([:media_proxy, :whitelist])
+
+    upload_base_url_domain =
+      if !is_nil(Config.get([Upload, :base_url])) do
+        [URI.parse(Config.get([Upload, :base_url])).host]
+      else
+        []
+      end
+
+    whitelist = mediaproxy_whitelist ++ upload_base_url_domain
+
+    Enum.any?(whitelist, fn pattern ->
       String.equivalent?(domain, pattern)
     end)
   end
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index 66016c886..e49c4cc22 100644
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -1671,40 +1671,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
       object = Repo.get(Object, media["id"])
       assert object.data["actor"] == User.ap_id(conn.assigns[:user])
     end
-
-    test "returns proxied url when media proxy is enabled", %{conn: conn, image: image} do
-      Pleroma.Config.put([Pleroma.Upload, :base_url], "https://media.pleroma.social")
-
-      proxy_url = "https://cache.pleroma.social"
-      Pleroma.Config.put([:media_proxy, :enabled], true)
-      Pleroma.Config.put([:media_proxy, :base_url], proxy_url)
-
-      media =
-        conn
-        |> post("/api/v1/media", %{"file" => image})
-        |> json_response(:ok)
-
-      assert String.starts_with?(media["url"], proxy_url)
-    end
-
-    test "returns media url when proxy is enabled but media url is whitelisted", %{
-      conn: conn,
-      image: image
-    } do
-      media_url = "https://media.pleroma.social"
-      Pleroma.Config.put([Pleroma.Upload, :base_url], media_url)
-
-      Pleroma.Config.put([:media_proxy, :enabled], true)
-      Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social")
-      Pleroma.Config.put([:media_proxy, :whitelist], ["media.pleroma.social"])
-
-      media =
-        conn
-        |> post("/api/v1/media", %{"file" => image})
-        |> json_response(:ok)
-
-      assert String.starts_with?(media["url"], media_url)
-    end
   end
 
   describe "locked accounts" do
diff --git a/test/web/media_proxy/media_proxy_test.exs b/test/web/media_proxy/media_proxy_test.exs
index edbbf9b66..0c94755df 100644
--- a/test/web/media_proxy/media_proxy_test.exs
+++ b/test/web/media_proxy/media_proxy_test.exs
@@ -171,21 +171,6 @@ defmodule Pleroma.Web.MediaProxyTest do
       encoded = url(url)
       assert decode_result(encoded) == url
     end
-
-    test "does not change whitelisted urls" do
-      upload_config = Pleroma.Config.get([Pleroma.Upload])
-      media_url = "https://media.pleroma.social"
-      Pleroma.Config.put([Pleroma.Upload, :base_url], media_url)
-      Pleroma.Config.put([:media_proxy, :whitelist], ["media.pleroma.social"])
-      Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social")
-
-      url = "#{media_url}/static/logo.png"
-      encoded = url(url)
-
-      assert String.starts_with?(encoded, media_url)
-
-      Pleroma.Config.put([Pleroma.Upload], upload_config)
-    end
   end
 
   describe "when disabled" do
@@ -215,12 +200,43 @@ defmodule Pleroma.Web.MediaProxyTest do
     decoded
   end
 
-  test "mediaproxy whitelist" do
-    Pleroma.Config.put([:media_proxy, :enabled], true)
-    Pleroma.Config.put([:media_proxy, :whitelist], ["google.com", "feld.me"])
-    url = "https://feld.me/foo.png"
+  describe "whitelist" do
+    setup do
+      Pleroma.Config.put([:media_proxy, :enabled], true)
+      :ok
+    end
+
+    test "mediaproxy whitelist" do
+      Pleroma.Config.put([:media_proxy, :whitelist], ["google.com", "feld.me"])
+      url = "https://feld.me/foo.png"
+
+      unencoded = url(url)
+      assert unencoded == url
+    end
+
+    test "does not change whitelisted urls" do
+      Pleroma.Config.put([:media_proxy, :whitelist], ["mycdn.akamai.com"])
+      Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social")
+
+      media_url = "https://mycdn.akamai.com"
 
-    unencoded = url(url)
-    assert unencoded == url
+      url = "#{media_url}/static/logo.png"
+      encoded = url(url)
+
+      assert String.starts_with?(encoded, media_url)
+    end
+
+    test "ensure Pleroma.Upload base_url is always whitelisted" do
+      upload_config = Pleroma.Config.get([Pleroma.Upload])
+      media_url = "https://media.pleroma.social"
+      Pleroma.Config.put([Pleroma.Upload, :base_url], media_url)
+
+      url = "#{media_url}/static/logo.png"
+      encoded = url(url)
+
+      assert String.starts_with?(encoded, media_url)
+
+      Pleroma.Config.put([Pleroma.Upload], upload_config)
+    end
   end
 end