From 7d624c4750dcf53d48cc65874c832513f2b03fbc Mon Sep 17 00:00:00 2001
From: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
Date: Tue, 20 Feb 2024 08:45:48 +0100
Subject: StealEmojiPolicy: Sanitize shortcodes

Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245
---
 lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'lib')

diff --git a/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex b/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
index 237dfefa5..fa6b595ea 100644
--- a/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/steal_emoji_policy.ex
@@ -36,6 +36,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
 
         extension = if extension == "", do: ".png", else: extension
 
+        shortcode = Path.basename(shortcode)
         file_path = Path.join(emoji_dir_path, shortcode <> extension)
 
         case File.write(file_path, response.body) do
@@ -78,6 +79,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
       new_emojis =
         foreign_emojis
         |> Enum.reject(fn {shortcode, _url} -> shortcode in installed_emoji end)
+        |> Enum.reject(fn {shortcode, _url} -> String.contains?(shortcode, ["/", "\\"]) end)
         |> Enum.filter(fn {shortcode, _url} ->
           reject_emoji? =
             [:mrf_steal_emoji, :rejected_shortcodes]
-- 
cgit v1.2.3