Limit instance emoji to image types

2024-11-20 05:49:54 +01:00 · 2024-04-02 06:11:55 +09:00 · 2024-04-02 06:11:55 +09:00 · 3857c7f501
commit 3857c7f501
parent 48c39be2f6
3 changed files with 37 additions and 7 deletions
--- a/lib/pleroma/web/plugs/instance_static.ex
+++ b/lib/pleroma/web/plugs/instance_static.ex
@ -3,8 +3,12 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.Plugs.InstanceStatic do
+  import Plug.Conn
+
  require Pleroma.Constants

+  alias Pleroma.Web.Plugs.Utils
+
  @moduledoc """
  This is a shim to call `Plug.Static` but with runtime `from` configuration.

@ -43,11 +47,25 @@ defmodule Pleroma.Web.Plugs.InstanceStatic do
    conn
  end

-  defp call_static(conn, opts, from) do
+  defp set_static_content_type(conn, "/emoji/" <> _ = request_path) do
+    real_mime = MIME.from_path(request_path)
+    safe_mime = Utils.get_safe_mime_type(%{allowed_mime_types: ["image"]}, real_mime)
+
+    put_resp_header(conn, "content-type", safe_mime)
+  end
+
+  defp set_static_content_type(conn, request_path) do
+    put_resp_header(conn, "content-type", MIME.from_path(request_path))
+  end
+
+  defp call_static(%{request_path: request_path} = conn, opts, from) do
    opts =
      opts
      |> Map.put(:from, from)
+      |> Map.put(:set_content_type, false)

-    Plug.Static.call(conn, opts)
+      conn
+      |> set_static_content_type(request_path)
+      |> Pleroma.Web.Plugs.StaticNoCT.call(opts)
  end
 end
--- a/lib/pleroma/web/plugs/uploaded_media.ex
+++ b/lib/pleroma/web/plugs/uploaded_media.ex
@ -11,6 +11,7 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
  require Logger

  alias Pleroma.Web.MediaProxy
+  alias Pleroma.Web.Plugs.Utils

  @behaviour Plug
  # no slashes
@ -70,14 +71,11 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do

  defp media_is_banned(_, _), do: false

-  defp get_safe_mime_type(%{allowed_mime_types: allowed_mime_types} = _opts, mime) do
-    [maintype | _] = String.split(mime, "/", parts: 2)
-    if maintype in allowed_mime_types, do: mime, else: "application/octet-stream"
-  end
+

  defp set_content_type(conn, opts, filepath) do
    real_mime = MIME.from_path(filepath)
-    clean_mime = get_safe_mime_type(opts, real_mime)
+    clean_mime = Utils.get_safe_mime_type(opts, real_mime)
    put_resp_header(conn, "content-type", clean_mime)
  end

--- a/lib/pleroma/web/plugs/utils.ex
+++ b/lib/pleroma/web/plugs/utils.ex
@ -0,0 +1,14 @@
+# Akkoma: Magically expressive social media
+# Copyright © 2024 Akkoma Authors <https://akkoma.dev>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Plugs.Utils do
+  @moduledoc """
+  Some helper functions shared across several plugs
+  """
+
+  def get_safe_mime_type(%{allowed_mime_types: allowed_mime_types} = _opts, mime) do
+    [maintype | _] = String.split(mime, "/", parts: 2)
+    if maintype in allowed_mime_types, do: mime, else: "application/octet-stream"
+  end
+end