StealEmojiPolicy: Sanitize shortcodes

Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245
author: Haelwenn (lanodan) Monnier <contact@hacktivis.me> 2024-02-20 08:45:48 +0100
committer: Haelwenn (lanodan) Monnier <contact@hacktivis.me> 2024-02-20 09:09:54 +0100
commit: 7d624c4750dcf53d48cc65874c832513f2b03fbc (patch)
tree: 6a5099520f07c0ae749a3f28df1a1abf7ed8aba1
parent: 0b9bc4a0d0e44a873bc59e8994f1996499ed0c4b (diff)
download: pleroma-7d624c4750dcf53d48cc65874c832513f2b03fbc.tar.gz
pleroma-7d624c4750dcf53d48cc65874c832513f2b03fbc.zip
3 files changed, 29 insertions, 0 deletions
diff --git a/changelog.d/mrf_steal_emoji-path.security b/changelog.d/mrf_steal_emoji-path.security
new file mode 100644
index 000000000..d880680d1
--- /dev/null
+++ b/changelog.d/mrf_steal_emoji-path.security
@@ -0,0 +1 @@
+StealEmojiPolicy: Sanitize shortcodes (thanks to Hazel K for the report)
+\ No newline at end of file
diff --git a/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex b/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
index 237dfefa5..fa6b595ea 100644
--- a/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
@@ -36,6 +36,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
 
         extension = if extension == "", do: ".png", else: extension
 
+        shortcode = Path.basename(shortcode)
         file_path = Path.join(emoji_dir_path, shortcode <> extension)
 
         case File.write(file_path, response.body) do
@@ -78,6 +79,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
       new_emojis =
         foreign_emojis
         |> Enum.reject(fn {shortcode, _url} -> shortcode in installed_emoji end)
+        |> Enum.reject(fn {shortcode, _url} -> String.contains?(shortcode, ["/", "\\"]) end)
         |> Enum.filter(fn {shortcode, _url} ->
           reject_emoji? =
             [:mrf_steal_emoji, :rejected_shortcodes]
diff --git a/test/pleroma/web/activity_pub/mrf/steal_emoji_policy_test.exs b/test/pleroma/web/activity_pub/mrf/steal_emoji_policy_test.exs
index c477a093d..2c7497da5 100644
--- a/test/pleroma/web/activity_pub/mrf/steal_emoji_policy_test.exs
+++ b/test/pleroma/web/activity_pub/mrf/steal_emoji_policy_test.exs
@@ -87,6 +87,32 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicyTest do
     assert File.exists?(fullpath)
   end
 
+  test "rejects invalid shortcodes", %{path: path} do
+    message = %{
+      "type" => "Create",
+      "object" => %{
+        "emoji" => [{"fired/fox", "https://example.org/emoji/firedfox"}],
+        "actor" => "https://example.org/users/admin"
+      }
+    }
+
+    fullpath = Path.join(path, "fired/fox.png")
+
+    Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox"} ->
+      %Tesla.Env{status: 200, body: File.read!("test/fixtures/image.jpg")}
+    end)
+
+    clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)
+
+    refute "firedfox" in installed()
+    refute File.exists?(path)
+
+    assert {:ok, _message} = StealEmojiPolicy.filter(message)
+
+    refute "fired/fox" in installed()
+    refute File.exists?(fullpath)
+  end
+
   test "reject regex shortcode", %{message: message} do
     refute "firedfox" in installed()
author	Haelwenn (lanodan) Monnier <contact@hacktivis.me>	2024-02-20 08:45:48 +0100
committer	Haelwenn (lanodan) Monnier <contact@hacktivis.me>	2024-02-20 09:09:54 +0100
commit	7d624c4750dcf53d48cc65874c832513f2b03fbc (patch)
tree	6a5099520f07c0ae749a3f28df1a1abf7ed8aba1
parent	0b9bc4a0d0e44a873bc59e8994f1996499ed0c4b (diff)
download	pleroma-7d624c4750dcf53d48cc65874c832513f2b03fbc.tar.gz pleroma-7d624c4750dcf53d48cc65874c832513f2b03fbc.zip