From d9ae9b676c2963466cbb8e440711db1759e25c31 Mon Sep 17 00:00:00 2001
From: Lain Soykaf <lain@lain.com>
Date: Mon, 10 Mar 2025 18:56:43 +0400
Subject: InstanceStatic: Extra-sanitize emoji

---
 test/pleroma/web/plugs/instance_static_test.exs | 40 ++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 4 deletions(-)

(limited to 'test')

diff --git a/test/pleroma/web/plugs/instance_static_test.exs b/test/pleroma/web/plugs/instance_static_test.exs
index ee0dd4acb..e8cf17f3f 100644
--- a/test/pleroma/web/plugs/instance_static_test.exs
+++ b/test/pleroma/web/plugs/instance_static_test.exs
@@ -63,15 +63,47 @@ defmodule Pleroma.Web.Plugs.InstanceStaticTest do
     assert html_response(index, 200) == "<h1>rabbit hugs as a service</h1>"
   end
 
-  test "sanitizes content-types for potentially dangerous file extensions" do
+  test "does not sanitize dangerous files in general, as there can be html and javascript files legitimately in this folder" do
     # Create a file with a potentially dangerous extension (.json)
     # This mimics an attacker trying to serve ActivityPub JSON with a static file
     File.mkdir!(@dir <> "/static")
     File.write!(@dir <> "/static/malicious.json", "{\"type\": \"ActivityPub\"}")
 
-    # Request the malicious file
     conn = get(build_conn(), "/static/malicious.json")
 
+    assert conn.status == 200
+
+    content_type =
+      Enum.find_value(conn.resp_headers, fn
+        {"content-type", value} -> value
+        _ -> nil
+      end)
+
+    assert content_type == "application/json"
+
+    File.write!(@dir <> "/static/safe.jpg", "fake image data")
+
+    conn = get(build_conn(), "/static/safe.jpg")
+
+    assert conn.status == 200
+
+    # Get the content-type
+    content_type =
+      Enum.find_value(conn.resp_headers, fn
+        {"content-type", value} -> value
+        _ -> nil
+      end)
+
+    assert content_type == "image/jpeg"
+  end
+
+  test "always sanitizes emojis to images" do
+    File.mkdir!(@dir <> "/emoji")
+    File.write!(@dir <> "/emoji/malicious.html", "<script>HACKED</script>")
+
+    # Request the malicious file
+    conn = get(build_conn(), "/emoji/malicious.html")
+
     # Verify the file was served (status 200)
     assert conn.status == 200
 
@@ -87,10 +119,10 @@ defmodule Pleroma.Web.Plugs.InstanceStaticTest do
     assert content_type == "application/octet-stream"
 
     # Create a file with an allowed extension (.jpg)
-    File.write!(@dir <> "/static/safe.jpg", "fake image data")
+    File.write!(@dir <> "/emoji/safe.jpg", "fake image data")
 
     # Request the safe file
-    conn = get(build_conn(), "/static/safe.jpg")
+    conn = get(build_conn(), "/emoji/safe.jpg")
 
     # Verify the file was served (status 200)
     assert conn.status == 200
-- 
cgit v1.2.3