Merge branch 'bugfix/rich-media-uri-validation' into 'develop'

rich media: don't crawl bogus URIs See merge request !864

Merge branch 'bugfix/rich-media-uri-validation' into 'develop'
rich media: don't crawl bogus URIs See merge request !864
682cc94d · Haelwenn · d45dbdce · b7aa1ea9 · 682cc94d · 682cc94d
Commit 682cc94d authored Mar 05, 2019 by Haelwenn
--- a/lib/pleroma/web/rich_media/helpers.ex
+++ b/lib/pleroma/web/rich_media/helpers.ex
@@ -8,10 +8,24 @@ defmodule Pleroma.Web.RichMedia.Helpers do
  alias Pleroma.HTML
  alias Pleroma.Web.RichMedia.Parser

+  defp validate_page_url(page_url) when is_binary(page_url) do
+    if AutoLinker.Parser.is_url?(page_url, true) do
+      URI.parse(page_url) |> validate_page_url
+    else
+      :error
+    end
+  end
+
+  defp validate_page_url(%URI{authority: nil}), do: :error
+  defp validate_page_url(%URI{scheme: nil}), do: :error
+  defp validate_page_url(%URI{}), do: :ok
+  defp validate_page_url(_), do: :error
+
  def fetch_data_for_activity(%Activity{} = activity) do
    with true <- Pleroma.Config.get([:rich_media, :enabled]),
         %Object{} = object <- Object.normalize(activity.data["object"]),
         {:ok, page_url} <- HTML.extract_first_external_url(object, object.data["content"]),
+         :ok <- validate_page_url(page_url),
         {:ok, rich_media} <- Parser.parse(page_url) do
      %{page_url: page_url, rich_media: rich_media}
    else

--- a/test/web/rich_media/helpers_test.exs
+++ b/test/web/rich_media/helpers_test.exs
+defmodule Pleroma.Web.RichMedia.HelpersTest do
+  use Pleroma.DataCase
+
+  alias Pleroma.Web.CommonAPI
+
+  import Pleroma.Factory
+  import Tesla.Mock
+
+  setup do
+    mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
+    :ok
+  end
+
+  test "refuses to crawl incomplete URLs" do
+    user = insert(:user)
+
+    {:ok, activity} =
+      CommonAPI.post(user, %{
+        "status" => "[test](example.com/ogp)",
+        "content_type" => "text/markdown"
+      })
+
+    Pleroma.Config.put([:rich_media, :enabled], true)
+
+    assert %{} == Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity)
+
+    Pleroma.Config.put([:rich_media, :enabled], false)
+  end
+
+  test "refuses to crawl malformed URLs" do
+    user = insert(:user)
+
+    {:ok, activity} =
+      CommonAPI.post(user, %{
+        "status" => "[test](example.com[]/ogp)",
+        "content_type" => "text/markdown"
+      })
+
+    Pleroma.Config.put([:rich_media, :enabled], true)
+
+    assert %{} == Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity)
+
+    Pleroma.Config.put([:rich_media, :enabled], false)
+  end
+
+  test "crawls valid, complete URLs" do
+    user = insert(:user)
+
+    {:ok, activity} =
+      CommonAPI.post(user, %{
+        "status" => "[test](http://example.com/ogp)",
+        "content_type" => "text/markdown"
+      })
+
+    Pleroma.Config.put([:rich_media, :enabled], true)
+
+    assert %{page_url: "http://example.com/ogp", rich_media: _} =
+             Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity)
+
+    Pleroma.Config.put([:rich_media, :enabled], false)
+  end
+end