author | Lain Soykaf <lain@lain.com> | 2025-03-10 18:56:43 +0400 |
committer | Lain Soykaf <lain@lain.com> | 2025-03-11 14:09:31 +0400 |
commit | d9ae9b676c2963466cbb8e440711db1759e25c31 (patch) | |
tree | ed971f14f122164428a9183e2a7958a5b587ad8c /test | |
parent | b1309bdb403fdbfdb0a8b076a5a13af811191ca9 (diff) | |
download | pleroma-d9ae9b676c2963466cbb8e440711db1759e25c31.tar.gz pleroma-d9ae9b676c2963466cbb8e440711db1759e25c31.zip |
InstanceStatic: Extra-sanitize emoji
Diffstat (limited to 'test')
-rw-r--r-- | test/pleroma/web/plugs/instance_static_test.exs | 40 |
1 files changed, 36 insertions, 4 deletions
diff --git a/test/pleroma/web/plugs/instance_static_test.exs b/test/pleroma/web/plugs/instance_static_test.exs
index ee0dd4acb..e8cf17f3f 100644
--- a/test/pleroma/web/plugs/instance_static_test.exs
+++ b/test/pleroma/web/plugs/instance_static_test.exs
@@ -63,15 +63,47 @@ defmodule Pleroma.Web.Plugs.InstanceStaticTest do
 assert html_response(index, 200) == "<h1>rabbit hugs as a service</h1>"
 end
- test "sanitizes content-types for potentially dangerous file extensions" do
+ test "does not sanitize dangerous files in general, as there can be html and javascript files legitimately in this folder" do
 # Create a file with a potentially dangerous extension (.json)
 # This mimics an attacker trying to serve ActivityPub JSON with a static file
 File.mkdir!(@dir <> "/static")
 File.write!(@dir <> "/static/malicious.json", "{\"type\": \"ActivityPub\"}")
- # Request the malicious file
 conn = get(build_conn(), "/static/malicious.json")
+ assert conn.status == 200
+
+ content_type =
+ Enum.find_value(conn.resp_headers, fn
+ {"content-type", value} -> value
+ _ -> nil
+ end)
+
+ assert content_type == "application/json"
+
+ File.write!(@dir <> "/static/safe.jpg", "fake image data")
+
+ conn = get(build_conn(), "/static/safe.jpg")
+
+ assert conn.status == 200
+
+ # Get the content-type
+ content_type =
+ Enum.find_value(conn.resp_headers, fn
+ {"content-type", value} -> value
+ _ -> nil
+ end)
+
+ assert content_type == "image/jpeg"
+ end
+
+ test "always sanitizes emojis to images" do
+ File.mkdir!(@dir <> "/emoji")
+ File.write!(@dir <> "/emoji/malicious.html", "<script>HACKED</script>")
+
+ # Request the malicious file
+ conn = get(build_conn(), "/emoji/malicious.html")
+
+ # Verify the file was served (status 200)
 assert conn.status == 200
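Review bot: The name of the new test `"always sanitizes emojis to images"` does not match what it asserts: the malicious.html request is expected to come back as `application/octet-stream` (the context line the next hunk opens on), not as an image type, and only the safe.jpg case yields `image/jpeg`. Renaming it to `test "always serves non-image emoji files as application/octet-stream"`, or adding a comment such as `# Non-image files under /emoji are served as application/octet-stream so a browser will not render or execute them`, would make the intent of the sanitization clear to the next reader. The content-type lookup via `Enum.find_value(conn.resp_headers, ...)` is spelled out twice in this hunk and again below it; `Plug.Conn.get_resp_header(conn, "content-type")` returns the same value as a list, so `assert Plug.Conn.get_resp_header(conn, "content-type") == ["application/json"]` replaces each six-line block. The emoji test exercises only `.html`, while the first test documents that `.json` under /static is intentionally served with its real type, so a second `/emoji` case with another non-image extension would pin that the emoji rule is extension-independent rather than html-specific. Both tests continue into the next hunk, and the enclosing module starts before this one.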
@@ -87,10 +119,10 @@ defmodule Pleroma.Web.Plugs.InstanceStaticTest do
 assert content_type == "application/octet-stream"
 # Create a file with an allowed extension (.jpg)
- File.write!(@dir <> "/static/safe.jpg", "fake image data")
+ File.write!(@dir <> "/emoji/safe.jpg", "fake image data")
 # Request the safe file
- conn = get(build_conn(), "/static/safe.jpg")
+ conn = get(build_conn(), "/emoji/safe.jpg")
 # Verify the file was served (status 200)
 assert conn.status == 200