Merge branch 'security-2.9' into release/2.9.0

5 files changed, 885 insertions, 0 deletions

diff --git a/test/pleroma/emoji/pack_test.exs b/test/pleroma/emoji/pack_test.exs
index 00001abfc..0c5ee3416 100644
--- a/test/pleroma/emoji/pack_test.exs
+++ b/test/pleroma/emoji/pack_test.exs
@@ -4,6 +4,7 @@
 
 defmodule Pleroma.Emoji.PackTest do
   use Pleroma.DataCase
+  alias Pleroma.Emoji
   alias Pleroma.Emoji.Pack
 
   @emoji_path Path.join(
@@ -53,6 +54,63 @@ defmodule Pleroma.Emoji.PackTest do
 
       assert updated_pack.files_count == 5
     end
+
+    test "skips existing emojis when adding from zip file", %{pack: pack} do
+      # First, let's create a test pack with a "bear" emoji
+      test_pack_path = Path.join(@emoji_path, "test_bear_pack")
+      File.mkdir_p(test_pack_path)
+
+      # Create a pack.json file
+      File.write!(Path.join(test_pack_path, "pack.json"), """
+      {
+      "files": { "bear": "bear.png" },
+      "pack": {
+      "description": "Bear Pack", "homepage": "https://pleroma.social",
+      "license": "Test license", "share-files": true
+      }}
+      """)
+
+      # Copy a test image to use as the bear emoji
+      File.cp!(
+        Path.absname("test/instance_static/emoji/test_pack/blank.png"),
+        Path.join(test_pack_path, "bear.png")
+      )
+
+      # Load the pack to register the "bear" emoji in the global registry
+      {:ok, _bear_pack} = Pleroma.Emoji.Pack.load_pack("test_bear_pack")
+
+      # Reload emoji to make sure the bear emoji is in the global registry
+      Emoji.reload()
+
+      # Verify that the bear emoji exists in the global registry
+      assert Emoji.exist?("bear")
+
+      # Now try to add a zip file that contains an emoji with the same shortcode
+      file = %Plug.Upload{
+        content_type: "application/zip",
+        filename: "emojis.zip",
+        path: Path.absname("test/fixtures/emojis.zip")
+      }
+
+      {:ok, updated_pack} = Pack.add_file(pack, nil, nil, file)
+
+      # Verify that the "bear" emoji was skipped
+      refute Map.has_key?(updated_pack.files, "bear")
+
+      # Other emojis should be added
+      assert Map.has_key?(updated_pack.files, "a_trusted_friend-128")
+      assert Map.has_key?(updated_pack.files, "auroraborealis")
+      assert Map.has_key?(updated_pack.files, "baby_in_a_box")
+      assert Map.has_key?(updated_pack.files, "bear-128")
+
+      # Total count should be 4 (all emojis except "bear")
+      assert updated_pack.files_count == 4
+
+      # Clean up the test pack
+      on_exit(fn ->
+        File.rm_rf!(test_pack_path)
+      end)
+    end
   end
 
   test "returns error when zip file is bad", %{pack: pack} do
diff --git a/test/pleroma/safe_zip_test.exs b/test/pleroma/safe_zip_test.exs
new file mode 100644
index 000000000..5063f05e4
--- /dev/null
+++ b/test/pleroma/safe_zip_test.exs
@@ -0,0 +1,496 @@
+defmodule Pleroma.SafeZipTest do
+  # Not making this async because it creates and deletes files
+  use ExUnit.Case
+
+  alias Pleroma.SafeZip
+
+  @fixtures_dir "test/fixtures"
+  @tmp_dir "test/zip_tmp"
+
+  setup do
+    # Ensure tmp directory exists
+    File.mkdir_p!(@tmp_dir)
+
+    on_exit(fn ->
+      # Clean up any files created during tests
+      File.rm_rf!(@tmp_dir)
+      File.mkdir_p!(@tmp_dir)
+    end)
+
+    :ok
+  end
+
+  describe "list_dir_file/1" do
+    test "lists files in a valid zip" do
+      {:ok, files} = SafeZip.list_dir_file(Path.join(@fixtures_dir, "emojis.zip"))
+      assert is_list(files)
+      assert length(files) > 0
+    end
+
+    test "returns an empty list for empty zip" do
+      {:ok, files} = SafeZip.list_dir_file(Path.join(@fixtures_dir, "empty.zip"))
+      assert files == []
+    end
+
+    test "returns error for non-existent file" do
+      assert {:error, _} = SafeZip.list_dir_file(Path.join(@fixtures_dir, "nonexistent.zip"))
+    end
+
+    test "only lists regular files, not directories" do
+      # Create a zip with both files and directories
+      zip_path = create_zip_with_directory()
+
+      # List files with SafeZip
+      {:ok, files} = SafeZip.list_dir_file(zip_path)
+
+      # Verify only regular files are listed, not directories
+      assert "file_in_dir/test_file.txt" in files
+      assert "root_file.txt" in files
+
+      # Directory entries should not be included in the list
+      refute "file_in_dir/" in files
+    end
+  end
+
+  describe "contains_all_data?/2" do
+    test "returns true when all files are in the archive" do
+      # For this test, we'll create our own zip file with known content
+      # to ensure we can test the contains_all_data? function properly
+      zip_path = create_zip_with_directory()
+      archive_data = File.read!(zip_path)
+
+      # Check if the archive contains the root file
+      # Note: The function expects charlists (Erlang strings) in the MapSet
+      assert SafeZip.contains_all_data?(archive_data, MapSet.new([~c"root_file.txt"]))
+    end
+
+    test "returns false when files are missing" do
+      archive_path = Path.join(@fixtures_dir, "emojis.zip")
+      archive_data = File.read!(archive_path)
+
+      # Create a MapSet with non-existent files
+      fset = MapSet.new([~c"nonexistent.txt"])
+
+      refute SafeZip.contains_all_data?(archive_data, fset)
+    end
+
+    test "returns false for invalid archive data" do
+      refute SafeZip.contains_all_data?("invalid data", MapSet.new([~c"file.txt"]))
+    end
+
+    test "only checks for regular files, not directories" do
+      # Create a zip with both files and directories
+      zip_path = create_zip_with_directory()
+      archive_data = File.read!(zip_path)
+
+      # Check if the archive contains a directory (should return false)
+      refute SafeZip.contains_all_data?(archive_data, MapSet.new([~c"file_in_dir/"]))
+
+      # For this test, we'll manually check if the file exists in the archive
+      # by extracting it and verifying it exists
+      extract_dir = Path.join(@tmp_dir, "extract_check")
+      File.mkdir_p!(extract_dir)
+      {:ok, files} = SafeZip.unzip_file(zip_path, extract_dir)
+
+      # Verify the root file was extracted
+      assert Enum.any?(files, fn file ->
+               Path.basename(file) == "root_file.txt"
+             end)
+
+      # Verify the file exists on disk
+      assert File.exists?(Path.join(extract_dir, "root_file.txt"))
+    end
+  end
+
+  describe "zip/4" do
+    test "creates a zip file on disk" do
+      # Create a test file
+      test_file_path = Path.join(@tmp_dir, "test_file.txt")
+      File.write!(test_file_path, "test content")
+
+      # Create a zip file
+      zip_path = Path.join(@tmp_dir, "test.zip")
+      assert {:ok, ^zip_path} = SafeZip.zip(zip_path, ["test_file.txt"], @tmp_dir, false)
+
+      # Verify the zip file exists
+      assert File.exists?(zip_path)
+    end
+
+    test "creates a zip file in memory" do
+      # Create a test file
+      test_file_path = Path.join(@tmp_dir, "test_file.txt")
+      File.write!(test_file_path, "test content")
+
+      # Create a zip file in memory
+      zip_name = Path.join(@tmp_dir, "test.zip")
+
+      assert {:ok, {^zip_name, zip_data}} =
+               SafeZip.zip(zip_name, ["test_file.txt"], @tmp_dir, true)
+
+      # Verify the zip data is binary
+      assert is_binary(zip_data)
+    end
+
+    test "returns error for unsafe paths" do
+      # Try to zip a file with path traversal
+      assert {:error, _} =
+               SafeZip.zip(
+                 Path.join(@tmp_dir, "test.zip"),
+                 ["../fixtures/test.txt"],
+                 @tmp_dir,
+                 false
+               )
+    end
+
+    test "can create zip with directories" do
+      # Create a directory structure
+      dir_path = Path.join(@tmp_dir, "test_dir")
+      File.mkdir_p!(dir_path)
+
+      file_in_dir_path = Path.join(dir_path, "file_in_dir.txt")
+      File.write!(file_in_dir_path, "file in directory")
+
+      # Create a zip file
+      zip_path = Path.join(@tmp_dir, "dir_test.zip")
+
+      assert {:ok, ^zip_path} =
+               SafeZip.zip(
+                 zip_path,
+                 ["test_dir/file_in_dir.txt"],
+                 @tmp_dir,
+                 false
+               )
+
+      # Verify the zip file exists
+      assert File.exists?(zip_path)
+
+      # Extract and verify the directory structure is preserved
+      extract_dir = Path.join(@tmp_dir, "extract")
+      {:ok, files} = SafeZip.unzip_file(zip_path, extract_dir)
+
+      # Check if the file path is in the list, accounting for possible full paths
+      assert Enum.any?(files, fn file ->
+               String.ends_with?(file, "file_in_dir.txt")
+             end)
+
+      # Verify the file exists in the expected location
+      assert File.exists?(Path.join([extract_dir, "test_dir", "file_in_dir.txt"]))
+    end
+  end
+
+  describe "unzip_file/3" do
+    test "extracts files from a zip archive" do
+      archive_path = Path.join(@fixtures_dir, "emojis.zip")
+
+      # Extract the archive
+      assert {:ok, files} = SafeZip.unzip_file(archive_path, @tmp_dir)
+
+      # Verify files were extracted
+      assert is_list(files)
+      assert length(files) > 0
+
+      # Verify at least one file exists
+      first_file = List.first(files)
+
+      # Simply check that the file exists in the tmp directory
+      assert File.exists?(Path.join(@tmp_dir, Path.basename(first_file)))
+    end
+
+    test "extracts specific files from a zip archive" do
+      archive_path = Path.join(@fixtures_dir, "emojis.zip")
+
+      # Get list of files in the archive
+      {:ok, all_files} = SafeZip.list_dir_file(archive_path)
+      file_to_extract = List.first(all_files)
+
+      # Extract only one file
+      assert {:ok, [extracted_file]} =
+               SafeZip.unzip_file(archive_path, @tmp_dir, [file_to_extract])
+
+      # Verify only the specified file was extracted
+      assert Path.basename(extracted_file) == Path.basename(file_to_extract)
+
+      # Check that the file exists in the tmp directory
+      assert File.exists?(Path.join(@tmp_dir, Path.basename(file_to_extract)))
+    end
+
+    test "returns error for invalid zip file" do
+      invalid_path = Path.join(@tmp_dir, "invalid.zip")
+      File.write!(invalid_path, "not a zip file")
+
+      assert {:error, _} = SafeZip.unzip_file(invalid_path, @tmp_dir)
+    end
+
+    test "creates directories when extracting files in subdirectories" do
+      # Create a zip with files in subdirectories
+      zip_path = create_zip_with_directory()
+
+      # Extract the archive
+      assert {:ok, files} = SafeZip.unzip_file(zip_path, @tmp_dir)
+
+      # Verify files were extracted - handle both relative and absolute paths
+      assert Enum.any?(files, fn file ->
+               Path.basename(file) == "test_file.txt" &&
+                 String.contains?(file, "file_in_dir")
+             end)
+
+      assert Enum.any?(files, fn file ->
+               Path.basename(file) == "root_file.txt"
+             end)
+
+      # Verify directory was created
+      dir_path = Path.join(@tmp_dir, "file_in_dir")
+      assert File.exists?(dir_path)
+      assert File.dir?(dir_path)
+
+      # Verify file in directory was extracted
+      file_path = Path.join(dir_path, "test_file.txt")
+      assert File.exists?(file_path)
+    end
+  end
+
+  describe "unzip_data/3" do
+    test "extracts files from zip data" do
+      archive_path = Path.join(@fixtures_dir, "emojis.zip")
+      archive_data = File.read!(archive_path)
+
+      # Extract the archive from data
+      assert {:ok, files} = SafeZip.unzip_data(archive_data, @tmp_dir)
+
+      # Verify files were extracted
+      assert is_list(files)
+      assert length(files) > 0
+
+      # Verify at least one file exists
+      first_file = List.first(files)
+
+      # Simply check that the file exists in the tmp directory
+      assert File.exists?(Path.join(@tmp_dir, Path.basename(first_file)))
+    end
+
+    test "extracts specific files from zip data" do
+      archive_path = Path.join(@fixtures_dir, "emojis.zip")
+      archive_data = File.read!(archive_path)
+
+      # Get list of files in the archive
+      {:ok, all_files} = SafeZip.list_dir_file(archive_path)
+      file_to_extract = List.first(all_files)
+
+      # Extract only one file
+      assert {:ok, extracted_files} =
+               SafeZip.unzip_data(archive_data, @tmp_dir, [file_to_extract])
+
+      # Verify only the specified file was extracted
+      assert Enum.any?(extracted_files, fn path ->
+               Path.basename(path) == Path.basename(file_to_extract)
+             end)
+
+      # Simply check that the file exists in the tmp directory
+      assert File.exists?(Path.join(@tmp_dir, Path.basename(file_to_extract)))
+    end
+
+    test "returns error for invalid zip data" do
+      assert {:error, _} = SafeZip.unzip_data("not a zip file", @tmp_dir)
+    end
+
+    test "creates directories when extracting files in subdirectories from data" do
+      # Create a zip with files in subdirectories
+      zip_path = create_zip_with_directory()
+      archive_data = File.read!(zip_path)
+
+      # Extract the archive from data
+      assert {:ok, files} = SafeZip.unzip_data(archive_data, @tmp_dir)
+
+      # Verify files were extracted - handle both relative and absolute paths
+      assert Enum.any?(files, fn file ->
+               Path.basename(file) == "test_file.txt" &&
+                 String.contains?(file, "file_in_dir")
+             end)
+
+      assert Enum.any?(files, fn file ->
+               Path.basename(file) == "root_file.txt"
+             end)
+
+      # Verify directory was created
+      dir_path = Path.join(@tmp_dir, "file_in_dir")
+      assert File.exists?(dir_path)
+      assert File.dir?(dir_path)
+
+      # Verify file in directory was extracted
+      file_path = Path.join(dir_path, "test_file.txt")
+      assert File.exists?(file_path)
+    end
+  end
+
+  # Security tests
+  describe "security checks" do
+    test "prevents path traversal in zip extraction" do
+      # Create a malicious zip file with path traversal
+      malicious_zip_path = create_malicious_zip_with_path_traversal()
+
+      # Try to extract it with SafeZip
+      assert {:error, _} = SafeZip.unzip_file(malicious_zip_path, @tmp_dir)
+
+      # Verify the file was not extracted outside the target directory
+      refute File.exists?(Path.join(Path.dirname(@tmp_dir), "traversal_attempt.txt"))
+    end
+
+    test "prevents directory traversal in zip listing" do
+      # Create a malicious zip file with path traversal
+      malicious_zip_path = create_malicious_zip_with_path_traversal()
+
+      # Try to list files with SafeZip
+      assert {:error, _} = SafeZip.list_dir_file(malicious_zip_path)
+    end
+
+    test "prevents path traversal in zip data extraction" do
+      # Create a malicious zip file with path traversal
+      malicious_zip_path = create_malicious_zip_with_path_traversal()
+      malicious_data = File.read!(malicious_zip_path)
+
+      # Try to extract it with SafeZip
+      assert {:error, _} = SafeZip.unzip_data(malicious_data, @tmp_dir)
+
+      # Verify the file was not extracted outside the target directory
+      refute File.exists?(Path.join(Path.dirname(@tmp_dir), "traversal_attempt.txt"))
+    end
+
+    test "handles zip bomb attempts" do
+      # Create a zip bomb (a zip with many files or large files)
+      zip_bomb_path = create_zip_bomb()
+
+      # The SafeZip module should handle this gracefully
+      # Either by successfully extracting it (if it's not too large)
+      # or by returning an error (if it detects a potential zip bomb)
+      result = SafeZip.unzip_file(zip_bomb_path, @tmp_dir)
+
+      case result do
+        {:ok, _} ->
+          # If it successfully extracts, make sure it didn't fill up the disk
+          # This is a simple check to ensure the extraction was controlled
+          assert File.exists?(@tmp_dir)
+
+        {:error, _} ->
+          # If it returns an error, that's also acceptable
+          # The important thing is that it doesn't crash or hang
+          assert true
+      end
+    end
+
+    test "handles deeply nested directory structures" do
+      # Create a zip with deeply nested directories
+      deep_nest_path = create_deeply_nested_zip()
+
+      # The SafeZip module should handle this gracefully
+      result = SafeZip.unzip_file(deep_nest_path, @tmp_dir)
+
+      case result do
+        {:ok, files} ->
+          # If it successfully extracts, verify the files were extracted
+          assert is_list(files)
+          assert length(files) > 0
+
+        {:error, _} ->
+          # If it returns an error, that's also acceptable
+          # The important thing is that it doesn't crash or hang
+          assert true
+      end
+    end
+  end
+
+  # Helper functions to create test fixtures
+
+  # Creates a zip file with a path traversal attempt
+  defp create_malicious_zip_with_path_traversal do
+    malicious_zip_path = Path.join(@tmp_dir, "path_traversal.zip")
+
+    # Create a file to include in the zip
+    test_file_path = Path.join(@tmp_dir, "test_file.txt")
+    File.write!(test_file_path, "malicious content")
+
+    # Use Erlang's zip module directly to create a zip with path traversal
+    {:ok, charlist_path} =
+      :zip.create(
+        String.to_charlist(malicious_zip_path),
+        [{String.to_charlist("../traversal_attempt.txt"), File.read!(test_file_path)}]
+      )
+
+    to_string(charlist_path)
+  end
+
+  # Creates a zip file with directory entries
+  defp create_zip_with_directory do
+    zip_path = Path.join(@tmp_dir, "with_directory.zip")
+
+    # Create files to include in the zip
+    root_file_path = Path.join(@tmp_dir, "root_file.txt")
+    File.write!(root_file_path, "root file content")
+
+    # Create a directory and a file in it
+    dir_path = Path.join(@tmp_dir, "file_in_dir")
+    File.mkdir_p!(dir_path)
+
+    file_in_dir_path = Path.join(dir_path, "test_file.txt")
+    File.write!(file_in_dir_path, "file in directory content")
+
+    # Use Erlang's zip module to create a zip with directory structure
+    {:ok, charlist_path} =
+      :zip.create(
+        String.to_charlist(zip_path),
+        [
+          {String.to_charlist("root_file.txt"), File.read!(root_file_path)},
+          {String.to_charlist("file_in_dir/test_file.txt"), File.read!(file_in_dir_path)}
+        ]
+      )
+
+    to_string(charlist_path)
+  end
+
+  # Creates a zip bomb (a zip with many small files)
+  defp create_zip_bomb do
+    zip_path = Path.join(@tmp_dir, "zip_bomb.zip")
+
+    # Create a small file to duplicate many times
+    small_file_path = Path.join(@tmp_dir, "small_file.txt")
+    File.write!(small_file_path, String.duplicate("A", 100))
+
+    # Create a list of many files to include in the zip
+    file_entries =
+      for i <- 1..100 do
+        {String.to_charlist("file_#{i}.txt"), File.read!(small_file_path)}
+      end
+
+    # Use Erlang's zip module to create a zip with many files
+    {:ok, charlist_path} =
+      :zip.create(
+        String.to_charlist(zip_path),
+        file_entries
+      )
+
+    to_string(charlist_path)
+  end
+
+  # Creates a zip with deeply nested directories
+  defp create_deeply_nested_zip do
+    zip_path = Path.join(@tmp_dir, "deep_nest.zip")
+
+    # Create a file to include in the zip
+    file_content = "test content"
+
+    # Create a list of deeply nested files
+    file_entries =
+      for i <- 1..10 do
+        nested_path = Enum.reduce(1..i, "nested", fn j, acc -> "#{acc}/level_#{j}" end)
+        {String.to_charlist("#{nested_path}/file.txt"), file_content}
+      end
+
+    # Use Erlang's zip module to create a zip with deeply nested directories
+    {:ok, charlist_path} =
+      :zip.create(
+        String.to_charlist(zip_path),
+        file_entries
+      )
+
+    to_string(charlist_path)
+  end
+end
diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
index b627478dc..4edca14d8 100644
--- a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
@@ -1344,6 +1344,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
   end
 
   describe "GET /users/:nickname/outbox" do
+    setup do
+      Mox.stub_with(Pleroma.StaticStubbedConfigMock, Pleroma.Config)
+      :ok
+    end
+
     test "it paginates correctly", %{conn: conn} do
       user = insert(:user)
       conn = assign(conn, :user, user)
@@ -1432,6 +1437,22 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       assert %{"orderedItems" => []} = resp
     end
 
+    test "it does not return a local note activity when C2S API is disabled", %{conn: conn} do
+      clear_config([:activitypub, :client_api_enabled], false)
+      user = insert(:user)
+      reader = insert(:user)
+      {:ok, _note_activity} = CommonAPI.post(user, %{status: "mew mew", visibility: "local"})
+
+      resp =
+        conn
+        |> assign(:user, reader)
+        |> put_req_header("accept", "application/activity+json")
+        |> get("/users/#{user.nickname}/outbox?page=true")
+        |> json_response(200)
+
+      assert %{"orderedItems" => []} = resp
+    end
+
     test "it returns a note activity in a collection", %{conn: conn} do
       note_activity = insert(:note_activity)
       note_object = Object.normalize(note_activity, fetch: false)
@@ -1483,6 +1504,35 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       assert [answer_outbox] = outbox_get["orderedItems"]
       assert answer_outbox["id"] == activity.data["id"]
     end
+
+    test "it works with authorized fetch forced when authenticated" do
+      clear_config([:activitypub, :authorized_fetch_mode], true)
+
+      user = insert(:user)
+      outbox_endpoint = user.ap_id <> "/outbox"
+
+      conn =
+        build_conn()
+        |> assign(:user, user)
+        |> put_req_header("accept", "application/activity+json")
+        |> get(outbox_endpoint)
+
+      assert json_response(conn, 200)
+    end
+
+    test "it fails with authorized fetch forced when unauthenticated", %{conn: conn} do
+      clear_config([:activitypub, :authorized_fetch_mode], true)
+
+      user = insert(:user)
+      outbox_endpoint = user.ap_id <> "/outbox"
+
+      conn =
+        conn
+        |> put_req_header("accept", "application/activity+json")
+        |> get(outbox_endpoint)
+
+      assert response(conn, 401)
+    end
   end
 
   describe "POST /users/:nickname/outbox (C2S)" do
@@ -2153,6 +2203,30 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       |> post("/api/ap/upload_media", %{"file" => image, "description" => desc})
       |> json_response(403)
     end
+
+    test "they don't work when C2S API is disabled", %{conn: conn} do
+      clear_config([:activitypub, :client_api_enabled], false)
+
+      user = insert(:user)
+
+      assert conn
+             |> assign(:user, user)
+             |> get("/api/ap/whoami")
+             |> response(403)
+
+      desc = "Description of the image"
+
+      image = %Plug.Upload{
+        content_type: "image/jpeg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "an_image.jpg"
+      }
+
+      assert conn
+             |> assign(:user, user)
+             |> post("/api/ap/upload_media", %{"file" => image, "description" => desc})
+             |> response(403)
+    end
   end
 
   test "pinned collection", %{conn: conn} do
diff --git a/test/pleroma/web/activity_pub/object_validators/attachment_validator_test.exs b/test/pleroma/web/activity_pub/object_validators/attachment_validator_test.exs
index 6627fa6db..744ae8704 100644
--- a/test/pleroma/web/activity_pub/object_validators/attachment_validator_test.exs
+++ b/test/pleroma/web/activity_pub/object_validators/attachment_validator_test.exs
@@ -13,6 +13,23 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.AttachmentValidatorTest do
   import Pleroma.Factory
 
   describe "attachments" do
+    test "works with apng" do
+      attachment =
+        %{
+          "mediaType" => "image/apng",
+          "name" => "",
+          "type" => "Document",
+          "url" =>
+            "https://media.misskeyusercontent.com/io/2859c26e-cd43-4550-848b-b6243bc3fe28.apng"
+        }
+
+      assert {:ok, attachment} =
+               AttachmentValidator.cast_and_validate(attachment)
+               |> Ecto.Changeset.apply_action(:insert)
+
+      assert attachment.mediaType == "image/apng"
+    end
+
     test "fails without url" do
       attachment = %{
         "mediaType" => "",
diff --git a/test/pleroma/web/activity_pub/transmogrifier_test.exs b/test/pleroma/web/activity_pub/transmogrifier_test.exs
index fcb8d65d1..e0395d7bb 100644
--- a/test/pleroma/web/activity_pub/transmogrifier_test.exs
+++ b/test/pleroma/web/activity_pub/transmogrifier_test.exs
@@ -156,6 +156,246 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
       # It fetched the quoted post
       assert Object.normalize("https://misskey.io/notes/8vs6wxufd0")
     end
+
+    test "doesn't allow remote edits to fake local likes" do
+      # as a spot check for no internal fields getting injected
+      now = DateTime.utc_now()
+      pub_date = DateTime.to_iso8601(Timex.subtract(now, Timex.Duration.from_minutes(3)))
+      edit_date = DateTime.to_iso8601(now)
+
+      local_user = insert(:user)
+
+      create_data = %{
+        "type" => "Create",
+        "id" => "http://mastodon.example.org/users/admin/statuses/2619539638/activity",
+        "actor" => "http://mastodon.example.org/users/admin",
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+        "cc" => [],
+        "object" => %{
+          "type" => "Note",
+          "id" => "http://mastodon.example.org/users/admin/statuses/2619539638",
+          "attributedTo" => "http://mastodon.example.org/users/admin",
+          "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+          "cc" => [],
+          "published" => pub_date,
+          "content" => "miaow",
+          "likes" => [local_user.ap_id]
+        }
+      }
+
+      update_data =
+        create_data
+        |> Map.put("type", "Update")
+        |> Map.put("id", create_data["object"]["id"] <> "/update/1")
+        |> put_in(["object", "content"], "miaow :3")
+        |> put_in(["object", "updated"], edit_date)
+        |> put_in(["object", "formerRepresentations"], %{
+          "type" => "OrderedCollection",
+          "totalItems" => 1,
+          "orderedItems" => [create_data["object"]]
+        })
+
+      {:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(create_data)
+      %Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"])
+      assert object.data["content"] == "miaow"
+      assert object.data["likes"] == []
+      assert object.data["like_count"] == 0
+
+      {:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(update_data)
+      %Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"]["id"])
+      assert object.data["content"] == "miaow :3"
+      assert object.data["likes"] == []
+      assert object.data["like_count"] == 0
+    end
+
+    test "strips internal fields from history items in edited notes" do
+      now = DateTime.utc_now()
+      pub_date = DateTime.to_iso8601(Timex.subtract(now, Timex.Duration.from_minutes(3)))
+      edit_date = DateTime.to_iso8601(now)
+
+      local_user = insert(:user)
+
+      create_data = %{
+        "type" => "Create",
+        "id" => "http://mastodon.example.org/users/admin/statuses/2619539638/activity",
+        "actor" => "http://mastodon.example.org/users/admin",
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+        "cc" => [],
+        "object" => %{
+          "type" => "Note",
+          "id" => "http://mastodon.example.org/users/admin/statuses/2619539638",
+          "attributedTo" => "http://mastodon.example.org/users/admin",
+          "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+          "cc" => [],
+          "published" => pub_date,
+          "content" => "miaow",
+          "likes" => [],
+          "like_count" => 0
+        }
+      }
+
+      update_data =
+        create_data
+        |> Map.put("type", "Update")
+        |> Map.put("id", create_data["object"]["id"] <> "/update/1")
+        |> put_in(["object", "content"], "miaow :3")
+        |> put_in(["object", "updated"], edit_date)
+        |> put_in(["object", "formerRepresentations"], %{
+          "type" => "OrderedCollection",
+          "totalItems" => 1,
+          "orderedItems" => [
+            Map.merge(create_data["object"], %{
+              "likes" => [local_user.ap_id],
+              "like_count" => 1,
+              "pleroma" => %{"internal_field" => "should_be_stripped"}
+            })
+          ]
+        })
+
+      {:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(create_data)
+      %Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"])
+      assert object.data["content"] == "miaow"
+      assert object.data["likes"] == []
+      assert object.data["like_count"] == 0
+
+      {:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(update_data)
+      %Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"]["id"])
+      assert object.data["content"] == "miaow :3"
+      assert object.data["likes"] == []
+      assert object.data["like_count"] == 0
+
+      # Check that internal fields are stripped from history items
+      history_item = List.first(object.data["formerRepresentations"]["orderedItems"])
+      assert history_item["likes"] == []
+      assert history_item["like_count"] == 0
+      refute Map.has_key?(history_item, "pleroma")
+    end
+
+    test "doesn't trip over remote likes in notes" do
+      now = DateTime.utc_now()
+      pub_date = DateTime.to_iso8601(Timex.subtract(now, Timex.Duration.from_minutes(3)))
+      edit_date = DateTime.to_iso8601(now)
+
+      create_data = %{
+        "type" => "Create",
+        "id" => "http://mastodon.example.org/users/admin/statuses/3409297097/activity",
+        "actor" => "http://mastodon.example.org/users/admin",
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+        "cc" => [],
+        "object" => %{
+          "type" => "Note",
+          "id" => "http://mastodon.example.org/users/admin/statuses/3409297097",
+          "attributedTo" => "http://mastodon.example.org/users/admin",
+          "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+          "cc" => [],
+          "published" => pub_date,
+          "content" => "miaow",
+          "likes" => %{
+            "id" => "http://mastodon.example.org/users/admin/statuses/3409297097/likes",
+            "totalItems" => 0,
+            "type" => "Collection"
+          }
+        }
+      }
+
+      update_data =
+        create_data
+        |> Map.put("type", "Update")
+        |> Map.put("id", create_data["object"]["id"] <> "/update/1")
+        |> put_in(["object", "content"], "miaow :3")
+        |> put_in(["object", "updated"], edit_date)
+        |> put_in(["object", "likes", "totalItems"], 666)
+        |> put_in(["object", "formerRepresentations"], %{
+          "type" => "OrderedCollection",
+          "totalItems" => 1,
+          "orderedItems" => [create_data["object"]]
+        })
+
+      {:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(create_data)
+      %Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"])
+      assert object.data["content"] == "miaow"
+      assert object.data["likes"] == []
+      assert object.data["like_count"] == 0
+
+      {:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(update_data)
+      %Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"]["id"])
+      assert object.data["content"] == "miaow :3"
+      assert object.data["likes"] == []
+      # in the future this should retain remote likes, but for now:
+      assert object.data["like_count"] == 0
+    end
+
+    test "doesn't trip over remote likes in polls" do
+      now = DateTime.utc_now()
+      pub_date = DateTime.to_iso8601(Timex.subtract(now, Timex.Duration.from_minutes(3)))
+      edit_date = DateTime.to_iso8601(now)
+
+      create_data = %{
+        "type" => "Create",
+        "id" => "http://mastodon.example.org/users/admin/statuses/2471790073/activity",
+        "actor" => "http://mastodon.example.org/users/admin",
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+        "cc" => [],
+        "object" => %{
+          "type" => "Question",
+          "id" => "http://mastodon.example.org/users/admin/statuses/2471790073",
+          "attributedTo" => "http://mastodon.example.org/users/admin",
+          "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+          "cc" => [],
+          "published" => pub_date,
+          "content" => "vote!",
+          "anyOf" => [
+            %{
+              "type" => "Note",
+              "name" => "a",
+              "replies" => %{
+                "type" => "Collection",
+                "totalItems" => 3
+              }
+            },
+            %{
+              "type" => "Note",
+              "name" => "b",
+              "replies" => %{
+                "type" => "Collection",
+                "totalItems" => 1
+              }
+            }
+          ],
+          "likes" => %{
+            "id" => "http://mastodon.example.org/users/admin/statuses/2471790073/likes",
+            "totalItems" => 0,
+            "type" => "Collection"
+          }
+        }
+      }
+
+      update_data =
+        create_data
+        |> Map.put("type", "Update")
+        |> Map.put("id", create_data["object"]["id"] <> "/update/1")
+        |> put_in(["object", "content"], "vote now!")
+        |> put_in(["object", "updated"], edit_date)
+        |> put_in(["object", "likes", "totalItems"], 666)
+        |> put_in(["object", "formerRepresentations"], %{
+          "type" => "OrderedCollection",
+          "totalItems" => 1,
+          "orderedItems" => [create_data["object"]]
+        })
+
+      {:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(create_data)
+      %Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"])
+      assert object.data["content"] == "vote!"
+      assert object.data["likes"] == []
+      assert object.data["like_count"] == 0
+
+      {:ok, %Pleroma.Activity{} = activity} = Transmogrifier.handle_incoming(update_data)
+      %Pleroma.Object{} = object = Object.get_by_ap_id(activity.data["object"]["id"])
+      assert object.data["content"] == "vote now!"
+      assert object.data["likes"] == []
+      # in the future this should retain remote likes, but for now:
+      assert object.data["like_count"] == 0
+    end
   end
 
   describe "prepare outgoing" do