3 files changed, 45 insertions, 15 deletions

diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex
index 2a266c407..057553e24 100644
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@@ -33,7 +33,22 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
   end
 
   defp csp_string do
-    protocol = Config.get([Pleroma.Web.Endpoint, :protocol])
+    scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
+    websocket_url = String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws")
+
+    connect_src =
+      if Mix.env() == :dev do
+        "connect-src 'self' http://localhost:3035/ " <> websocket_url
+      else
+        "connect-src 'self' " <> websocket_url
+      end
+
+    script_src =
+      if Mix.env() == :dev do
+        "script-src 'self' 'unsafe-eval'"
+      else
+        "script-src 'self'"
+      end
 
     [
       "default-src 'none'",
@@ -43,10 +58,10 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
       "media-src 'self' https:",
       "style-src 'self' 'unsafe-inline'",
       "font-src 'self'",
-      "script-src 'self'",
-      "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
       "manifest-src 'self'",
-      if protocol == "https" do
+      connect_src,
+      script_src,
+      if scheme == "https" do
         "upgrade-insecure-requests"
       end
     ]
diff --git a/lib/pleroma/web/activity_pub/mrf/keyword_policy.ex b/lib/pleroma/web/activity_pub/mrf/keyword_policy.ex
index ce6d2e529..5fdc03414 100644
--- a/lib/pleroma/web/activity_pub/mrf/keyword_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/keyword_policy.ex
@@ -12,9 +12,9 @@ defmodule Pleroma.Web.ActivityPub.MRF.KeywordPolicy do
     String.match?(string, pattern)
   end
 
-  defp check_reject(%{"object" => %{"content" => content}} = message) do
+  defp check_reject(%{"object" => %{"content" => content, "summary" => summary}} = message) do
     if Enum.any?(Pleroma.Config.get([:mrf_keyword, :reject]), fn pattern ->
-         string_matches?(content, pattern)
+         string_matches?(content, pattern) or string_matches?(summary, pattern)
        end) do
       {:reject, nil}
     else
@@ -22,10 +22,12 @@ defmodule Pleroma.Web.ActivityPub.MRF.KeywordPolicy do
     end
   end
 
-  defp check_ftl_removal(%{"to" => to, "object" => %{"content" => content}} = message) do
+  defp check_ftl_removal(
+         %{"to" => to, "object" => %{"content" => content, "summary" => summary}} = message
+       ) do
     if "https://www.w3.org/ns/activitystreams#Public" in to and
          Enum.any?(Pleroma.Config.get([:mrf_keyword, :federated_timeline_removal]), fn pattern ->
-           string_matches?(content, pattern)
+           string_matches?(content, pattern) or string_matches?(summary, pattern)
          end) do
       to = List.delete(to, "https://www.w3.org/ns/activitystreams#Public")
       cc = ["https://www.w3.org/ns/activitystreams#Public" | message["cc"] || []]
@@ -41,14 +43,20 @@ defmodule Pleroma.Web.ActivityPub.MRF.KeywordPolicy do
     end
   end
 
-  defp check_replace(%{"object" => %{"content" => content}} = message) do
-    content =
-      Enum.reduce(Pleroma.Config.get([:mrf_keyword, :replace]), content, fn {pattern, replacement},
-                                                                            acc ->
-        String.replace(acc, pattern, replacement)
+  defp check_replace(%{"object" => %{"content" => content, "summary" => summary}} = message) do
+    {content, summary} =
+      Enum.reduce(Pleroma.Config.get([:mrf_keyword, :replace]), {content, summary}, fn {pattern,
+                                                                                        replacement},
+                                                                                       {content_acc,
+                                                                                        summary_acc} ->
+        {String.replace(content_acc, pattern, replacement),
+         String.replace(summary_acc, pattern, replacement)}
       end)
 
-    {:ok, put_in(message["object"]["content"], content)}
+    {:ok,
+     message
+     |> put_in(["object", "content"], content)
+     |> put_in(["object", "summary"], summary)}
   end
 
   @impl true
diff --git a/lib/pleroma/web/rich_media/parser.ex b/lib/pleroma/web/rich_media/parser.ex
index 38f1cdeec..4341141df 100644
--- a/lib/pleroma/web/rich_media/parser.ex
+++ b/lib/pleroma/web/rich_media/parser.ex
@@ -9,6 +9,13 @@ defmodule Pleroma.Web.RichMedia.Parser do
     Pleroma.Web.RichMedia.Parsers.OEmbed
   ]
 
+  @hackney_options [
+    pool: :media,
+    timeout: 2_000,
+    recv_timeout: 2_000,
+    max_body: 2_000_000
+  ]
+
   def parse(nil), do: {:error, "No URL provided"}
 
   if Mix.env() == :test do
@@ -28,7 +35,7 @@ defmodule Pleroma.Web.RichMedia.Parser do
 
   defp parse_url(url) do
     try do
-      {:ok, %Tesla.Env{body: html}} = Pleroma.HTTP.get(url, [], adapter: [pool: :media])
+      {:ok, %Tesla.Env{body: html}} = Pleroma.HTTP.get(url, [], adapter: @hackney_options)
 
       html |> maybe_parse() |> clean_parsed_data() |> check_parsed_data()
     rescue