authorLain Soykaf <lain@lain.com>2025-03-10 16:48:54 +0400
committerLain Soykaf <lain@lain.com>2025-03-10 16:48:54 +0400
commitb469b9d9d358a30642d1221a01125af9b6399ff4 (patch)
tree4e26b7b044f8e9667f34ae9349a3946ec2e1dd53 /test
parentedcd816730f7961a5072f68fb67c464149e58a6c (diff)
.
Diffstat (limited to 'test')
-rw-r--r--test/pleroma/web/plugs/uploaded_media_test.exs38
1 files changed, 38 insertions, 0 deletions
diff --git a/test/pleroma/web/plugs/uploaded_media_test.exs b/test/pleroma/web/plugs/uploaded_media_test.exs
new file mode 100644
index 000000000..b260fd03b
--- /dev/null
+++ b/test/pleroma/web/plugs/uploaded_media_test.exs
@@ -0,0 +1,38 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Plugs.UploadedMediaTest do
+ use Pleroma.Web.ConnCase, async: false
+
+ alias Pleroma.StaticStubbedConfigMock
+ alias Pleroma.Web.Plugs.Utils
+
+ setup do
+ Mox.stub_with(StaticStubbedConfigMock, Pleroma.Test.StaticConfig)
+
+ {:ok, %{}}
+ end
+
+ describe "content-type sanitization with Utils.get_safe_mime_type/2" do
+ test "it allows safe MIME types" do
+ opts = %{allowed_mime_types: ["image", "audio", "video"]}
+
+ assert Utils.get_safe_mime_type(opts, "image/jpeg") == "image/jpeg"
+ assert Utils.get_safe_mime_type(opts, "audio/mpeg") == "audio/mpeg"
+ assert Utils.get_safe_mime_type(opts, "video/mp4") == "video/mp4"
+ end
+
+ test "it sanitizes potentially dangerous content-types" do
+ opts = %{allowed_mime_types: ["image", "audio", "video"]}
+
+ assert Utils.get_safe_mime_type(opts, "application/activity+json") ==
+ "application/octet-stream"
+
+ assert Utils.get_safe_mime_type(opts, "text/html") == "application/octet-stream"
+
+ assert Utils.get_safe_mime_type(opts, "application/javascript") ==
+ "application/octet-stream"
+ end
+ end
+end
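Review bot: The "it sanitizes potentially dangerous content-types" test never exercises a risky subtype under an allowed top-level type, so with `allowed_mime_types: ["image", "audio", "video"]` the outcome for `image/svg+xml` is left unpinned. The implementation of `Utils.get_safe_mime_type/2` is not part of this diff, but if it matches on the top-level type only, SVG (which can carry script when served inline) would presumably pass through unchanged. I would add an assertion stating the intended result, for example `assert Utils.get_safe_mime_type(opts, "image/svg+xml") == "application/octet-stream"` if SVG is meant to be neutralised at this layer, and another for a value with different casing or parameters, such as `"Text/HTML; charset=utf-8"`. The `Mox.stub_with` setup and `async: false` also look unused by these two tests, which pass their options explicitly; a short comment saying why they are needed would help.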