Compare commits
15 Commits
82c5b76c07
...
4970c87317
Author | SHA1 | Date | |
---|---|---|---|
4970c87317 | |||
|
1f4be2b349 | ||
|
b631180b38 | ||
|
cc848b78dc | ||
|
77d57c974a | ||
|
fc10e07ffb | ||
|
ff2f3862ab | ||
|
57f7453748 | ||
|
5ac2b7417d | ||
|
c37561214a | ||
|
76e408e42d | ||
|
22df32b3f5 | ||
|
bd7381f2f4 | ||
|
4befb3b1d0 | ||
|
18a0c923d0 |
@ -32,7 +32,13 @@ before_script:
|
|||||||
after_script:
|
after_script:
|
||||||
- rm -rf _build/*/lib/pleroma
|
- rm -rf _build/*/lib/pleroma
|
||||||
|
|
||||||
|
.using-ci-base:
|
||||||
|
tags:
|
||||||
|
- amd64
|
||||||
|
|
||||||
build:
|
build:
|
||||||
|
extends:
|
||||||
|
- .using-ci-base
|
||||||
stage: build
|
stage: build
|
||||||
only:
|
only:
|
||||||
changes: &build_changes_policy
|
changes: &build_changes_policy
|
||||||
@ -44,6 +50,8 @@ build:
|
|||||||
- mix compile --force
|
- mix compile --force
|
||||||
|
|
||||||
spec-build:
|
spec-build:
|
||||||
|
extends:
|
||||||
|
- .using-ci-base
|
||||||
stage: test
|
stage: test
|
||||||
only:
|
only:
|
||||||
changes:
|
changes:
|
||||||
@ -57,6 +65,8 @@ spec-build:
|
|||||||
- mix pleroma.openapi_spec spec.json
|
- mix pleroma.openapi_spec spec.json
|
||||||
|
|
||||||
benchmark:
|
benchmark:
|
||||||
|
extends:
|
||||||
|
- .using-ci-base
|
||||||
stage: benchmark
|
stage: benchmark
|
||||||
when: manual
|
when: manual
|
||||||
variables:
|
variables:
|
||||||
@ -71,6 +81,8 @@ benchmark:
|
|||||||
- mix pleroma.load_testing
|
- mix pleroma.load_testing
|
||||||
|
|
||||||
unit-testing:
|
unit-testing:
|
||||||
|
extends:
|
||||||
|
- .using-ci-base
|
||||||
stage: test
|
stage: test
|
||||||
only:
|
only:
|
||||||
changes: *build_changes_policy
|
changes: *build_changes_policy
|
||||||
@ -94,6 +106,8 @@ unit-testing:
|
|||||||
path: coverage.xml
|
path: coverage.xml
|
||||||
|
|
||||||
unit-testing-erratic:
|
unit-testing-erratic:
|
||||||
|
extends:
|
||||||
|
- .using-ci-base
|
||||||
stage: test
|
stage: test
|
||||||
retry: 2
|
retry: 2
|
||||||
allow_failure: true
|
allow_failure: true
|
||||||
@ -129,6 +143,8 @@ unit-testing-erratic:
|
|||||||
# - mix test --trace --only federated
|
# - mix test --trace --only federated
|
||||||
|
|
||||||
unit-testing-rum:
|
unit-testing-rum:
|
||||||
|
extends:
|
||||||
|
- .using-ci-base
|
||||||
stage: test
|
stage: test
|
||||||
only:
|
only:
|
||||||
changes: *build_changes_policy
|
changes: *build_changes_policy
|
||||||
@ -162,6 +178,8 @@ lint:
|
|||||||
- mix format --check-formatted
|
- mix format --check-formatted
|
||||||
|
|
||||||
analysis:
|
analysis:
|
||||||
|
extends:
|
||||||
|
- .using-ci-base
|
||||||
stage: test
|
stage: test
|
||||||
only:
|
only:
|
||||||
changes: *build_changes_policy
|
changes: *build_changes_policy
|
||||||
|
11
CHANGELOG.md
11
CHANGELOG.md
@ -14,6 +14,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
|
## 2.5.54
|
||||||
|
|
||||||
|
## Security
|
||||||
|
- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
|
||||||
|
|
||||||
|
## 2.5.3
|
||||||
|
|
||||||
|
### Security
|
||||||
|
- Emoji pack loader sanitizes pack names
|
||||||
|
- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
|
||||||
|
|
||||||
## 2.5.2
|
## 2.5.2
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
1
changelog.d/akkoma-xml-remote-entities.security
Normal file
1
changelog.d/akkoma-xml-remote-entities.security
Normal file
@ -0,0 +1 @@
|
|||||||
|
Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
|
1
changelog.d/emoji-pack-sanitization.security
Normal file
1
changelog.d/emoji-pack-sanitization.security
Normal file
@ -0,0 +1 @@
|
|||||||
|
Emoji pack loader sanitizes pack names
|
1
changelog.d/otp_perms.security
Normal file
1
changelog.d/otp_perms.security
Normal file
@ -0,0 +1 @@
|
|||||||
|
- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
|
@ -266,12 +266,20 @@ defmodule Mix.Tasks.Pleroma.Instance do
|
|||||||
config_dir = Path.dirname(config_path)
|
config_dir = Path.dirname(config_path)
|
||||||
psql_dir = Path.dirname(psql_path)
|
psql_dir = Path.dirname(psql_path)
|
||||||
|
|
||||||
|
# Note: Distros requiring group read (0o750) on those directories should
|
||||||
|
# pre-create the directories.
|
||||||
[config_dir, psql_dir, static_dir, uploads_dir]
|
[config_dir, psql_dir, static_dir, uploads_dir]
|
||||||
|> Enum.reject(&File.exists?/1)
|
|> Enum.reject(&File.exists?/1)
|
||||||
|> Enum.map(&File.mkdir_p!/1)
|
|> Enum.each(fn dir ->
|
||||||
|
File.mkdir_p!(dir)
|
||||||
|
File.chmod!(dir, 0o700)
|
||||||
|
end)
|
||||||
|
|
||||||
shell_info("Writing config to #{config_path}.")
|
shell_info("Writing config to #{config_path}.")
|
||||||
|
|
||||||
|
# Sadly no fchmod(2) equivalent in Elixir…
|
||||||
|
File.touch!(config_path)
|
||||||
|
File.chmod!(config_path, 0o640)
|
||||||
File.write(config_path, result_config)
|
File.write(config_path, result_config)
|
||||||
shell_info("Writing the postgres script to #{psql_path}.")
|
shell_info("Writing the postgres script to #{psql_path}.")
|
||||||
File.write(psql_path, result_psql)
|
File.write(psql_path, result_psql)
|
||||||
@ -290,8 +298,7 @@ defmodule Mix.Tasks.Pleroma.Instance do
|
|||||||
else
|
else
|
||||||
shell_error(
|
shell_error(
|
||||||
"The task would have overwritten the following files:\n" <>
|
"The task would have overwritten the following files:\n" <>
|
||||||
(Enum.map(will_overwrite, &"- #{&1}\n") |> Enum.join("")) <>
|
Enum.map_join(will_overwrite, &"- #{&1}\n") <> "Rerun with `--force` to overwrite them."
|
||||||
"Rerun with `--force` to overwrite them."
|
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -20,6 +20,20 @@ defmodule Pleroma.Config.ReleaseRuntimeProvider do
|
|||||||
|
|
||||||
with_runtime_config =
|
with_runtime_config =
|
||||||
if File.exists?(config_path) do
|
if File.exists?(config_path) do
|
||||||
|
# <https://git.pleroma.social/pleroma/pleroma/-/issues/3135>
|
||||||
|
%File.Stat{mode: mode} = File.lstat!(config_path)
|
||||||
|
|
||||||
|
if Bitwise.band(mode, 0o007) > 0 do
|
||||||
|
raise "Configuration at #{config_path} has world-permissions, execute the following: chmod o= #{config_path}"
|
||||||
|
end
|
||||||
|
|
||||||
|
if Bitwise.band(mode, 0o020) > 0 do
|
||||||
|
raise "Configuration at #{config_path} has group-wise write permissions, execute the following: chmod g-w #{config_path}"
|
||||||
|
end
|
||||||
|
|
||||||
|
# Note: Elixir doesn't provides a getuid(2)
|
||||||
|
# so cannot forbid group-read only when config is owned by us
|
||||||
|
|
||||||
runtime_config = Config.Reader.read!(config_path)
|
runtime_config = Config.Reader.read!(config_path)
|
||||||
|
|
||||||
with_defaults
|
with_defaults
|
||||||
|
@ -285,6 +285,7 @@ defmodule Pleroma.Emoji.Pack do
|
|||||||
|
|
||||||
@spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
|
@spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
|
||||||
def load_pack(name) do
|
def load_pack(name) do
|
||||||
|
name = Path.basename(name)
|
||||||
pack_file = Path.join([emoji_path(), name, "pack.json"])
|
pack_file = Path.join([emoji_path(), name, "pack.json"])
|
||||||
|
|
||||||
with {:ok, _} <- File.stat(pack_file),
|
with {:ok, _} <- File.stat(pack_file),
|
||||||
|
@ -130,6 +130,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
|
|||||||
|> add_csp_param(script_src)
|
|> add_csp_param(script_src)
|
||||||
|> add_csp_param(insecure)
|
|> add_csp_param(insecure)
|
||||||
|> add_csp_param(report)
|
|> add_csp_param(report)
|
||||||
|
|> add_csp_param("frame-src https://music.yandere.cc")
|
||||||
|> :erlang.iolist_to_binary()
|
|> :erlang.iolist_to_binary()
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -29,7 +29,10 @@ defmodule Pleroma.Web.XML do
|
|||||||
{doc, _rest} =
|
{doc, _rest} =
|
||||||
text
|
text
|
||||||
|> :binary.bin_to_list()
|
|> :binary.bin_to_list()
|
||||||
|> :xmerl_scan.string(quiet: true)
|
|> :xmerl_scan.string(
|
||||||
|
quiet: true,
|
||||||
|
fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
|
||||||
|
)
|
||||||
|
|
||||||
{:ok, doc}
|
{:ok, doc}
|
||||||
rescue
|
rescue
|
||||||
|
2
mix.exs
2
mix.exs
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
|
|||||||
def project do
|
def project do
|
||||||
[
|
[
|
||||||
app: :pleroma,
|
app: :pleroma,
|
||||||
version: version("2.5.2"),
|
version: version("2.5.4"),
|
||||||
elixir: "~> 1.11",
|
elixir: "~> 1.11",
|
||||||
elixirc_paths: elixirc_paths(Mix.env()),
|
elixirc_paths: elixirc_paths(Mix.env()),
|
||||||
compilers: [:phoenix, :gettext] ++ Mix.compilers(),
|
compilers: [:phoenix, :gettext] ++ Mix.compilers(),
|
||||||
|
8
mix.lock
8
mix.lock
@ -23,12 +23,12 @@
|
|||||||
"crontab": {:hex, :crontab, "1.1.8", "2ce0e74777dfcadb28a1debbea707e58b879e6aa0ffbf9c9bb540887bce43617", [:mix], [{:ecto, "~> 1.0 or ~> 2.0 or ~> 3.0", [hex: :ecto, repo: "hexpm", optional: true]}], "hexpm"},
|
"crontab": {:hex, :crontab, "1.1.8", "2ce0e74777dfcadb28a1debbea707e58b879e6aa0ffbf9c9bb540887bce43617", [:mix], [{:ecto, "~> 1.0 or ~> 2.0 or ~> 3.0", [hex: :ecto, repo: "hexpm", optional: true]}], "hexpm"},
|
||||||
"custom_base": {:hex, :custom_base, "0.2.1", "4a832a42ea0552299d81652aa0b1f775d462175293e99dfbe4d7dbaab785a706", [:mix], [], "hexpm", "8df019facc5ec9603e94f7270f1ac73ddf339f56ade76a721eaa57c1493ba463"},
|
"custom_base": {:hex, :custom_base, "0.2.1", "4a832a42ea0552299d81652aa0b1f775d462175293e99dfbe4d7dbaab785a706", [:mix], [], "hexpm", "8df019facc5ec9603e94f7270f1ac73ddf339f56ade76a721eaa57c1493ba463"},
|
||||||
"db_connection": {:hex, :db_connection, "2.4.2", "f92e79aff2375299a16bcb069a14ee8615c3414863a6fef93156aee8e86c2ff3", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "4fe53ca91b99f55ea249693a0229356a08f4d1a7931d8ffa79289b145fe83668"},
|
"db_connection": {:hex, :db_connection, "2.4.2", "f92e79aff2375299a16bcb069a14ee8615c3414863a6fef93156aee8e86c2ff3", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "4fe53ca91b99f55ea249693a0229356a08f4d1a7931d8ffa79289b145fe83668"},
|
||||||
"decimal": {:hex, :decimal, "2.0.0", "a78296e617b0f5dd4c6caf57c714431347912ffb1d0842e998e9792b5642d697", [:mix], [], "hexpm", "34666e9c55dea81013e77d9d87370fe6cb6291d1ef32f46a1600230b1d44f577"},
|
"decimal": {:hex, :decimal, "2.1.1", "5611dca5d4b2c3dd497dec8f68751f1f1a54755e8ed2a966c2633cf885973ad6", [:mix], [], "hexpm", "53cfe5f497ed0e7771ae1a475575603d77425099ba5faef9394932b35020ffcc"},
|
||||||
"deep_merge": {:hex, :deep_merge, "1.0.0", "b4aa1a0d1acac393bdf38b2291af38cb1d4a52806cf7a4906f718e1feb5ee961", [:mix], [], "hexpm", "ce708e5f094b9cd4e8f2be4f00d2f4250c4095be93f8cd6d018c753894885430"},
|
"deep_merge": {:hex, :deep_merge, "1.0.0", "b4aa1a0d1acac393bdf38b2291af38cb1d4a52806cf7a4906f718e1feb5ee961", [:mix], [], "hexpm", "ce708e5f094b9cd4e8f2be4f00d2f4250c4095be93f8cd6d018c753894885430"},
|
||||||
"earmark": {:hex, :earmark, "1.4.22", "ea3e45c6359446dc308be0a64ce82a03260d973de7d0625a762e6d352ff57958", [:mix], [{:earmark_parser, "~> 1.4.23", [hex: :earmark_parser, repo: "hexpm", optional: false]}], "hexpm", "1caf5145665a42fd76d5317286b0c171861fb1c04f86ab103dde76868814fdfb"},
|
"earmark": {:hex, :earmark, "1.4.22", "ea3e45c6359446dc308be0a64ce82a03260d973de7d0625a762e6d352ff57958", [:mix], [{:earmark_parser, "~> 1.4.23", [hex: :earmark_parser, repo: "hexpm", optional: false]}], "hexpm", "1caf5145665a42fd76d5317286b0c171861fb1c04f86ab103dde76868814fdfb"},
|
||||||
"earmark_parser": {:hex, :earmark_parser, "1.4.29", "149d50dcb3a93d9f3d6f3ecf18c918fb5a2d3c001b5d3305c926cddfbd33355b", [:mix], [], "hexpm", "4902af1b3eb139016aed210888748db8070b8125c2342ce3dcae4f38dcc63503"},
|
"earmark_parser": {:hex, :earmark_parser, "1.4.29", "149d50dcb3a93d9f3d6f3ecf18c918fb5a2d3c001b5d3305c926cddfbd33355b", [:mix], [], "hexpm", "4902af1b3eb139016aed210888748db8070b8125c2342ce3dcae4f38dcc63503"},
|
||||||
"eblurhash": {:hex, :eblurhash, "1.2.2", "7da4255aaea984b31bb71155f673257353b0e0554d0d30dcf859547e74602582", [:rebar3], [], "hexpm", "8c20ca00904de023a835a9dcb7b7762fed32264c85a80c3cafa85288e405044c"},
|
"eblurhash": {:hex, :eblurhash, "1.2.2", "7da4255aaea984b31bb71155f673257353b0e0554d0d30dcf859547e74602582", [:rebar3], [], "hexpm", "8c20ca00904de023a835a9dcb7b7762fed32264c85a80c3cafa85288e405044c"},
|
||||||
"ecto": {:hex, :ecto, "3.9.2", "017db3bc786ff64271108522c01a5d3f6ba0aea5c84912cfb0dd73bf13684108", [:mix], [{:decimal, "~> 1.6 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "21466d5177e09e55289ac7eade579a642578242c7a3a9f91ad5c6583337a9d15"},
|
"ecto": {:hex, :ecto, "3.9.6", "2f420c173efcb2e22fa4f8fc41e75e02b3c5bd4cffef12085cae5418c12e530d", [:mix], [{:decimal, "~> 1.6 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "df17bc06ba6f78a7b764e4a14ef877fe5f4499332c5a105ace11fe7013b72c84"},
|
||||||
"ecto_enum": {:hex, :ecto_enum, "1.4.0", "d14b00e04b974afc69c251632d1e49594d899067ee2b376277efd8233027aec8", [:mix], [{:ecto, ">= 3.0.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:ecto_sql, "> 3.0.0", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:mariaex, ">= 0.0.0", [hex: :mariaex, repo: "hexpm", optional: true]}, {:postgrex, ">= 0.0.0", [hex: :postgrex, repo: "hexpm", optional: true]}], "hexpm", "8fb55c087181c2b15eee406519dc22578fa60dd82c088be376d0010172764ee4"},
|
"ecto_enum": {:hex, :ecto_enum, "1.4.0", "d14b00e04b974afc69c251632d1e49594d899067ee2b376277efd8233027aec8", [:mix], [{:ecto, ">= 3.0.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:ecto_sql, "> 3.0.0", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:mariaex, ">= 0.0.0", [hex: :mariaex, repo: "hexpm", optional: true]}, {:postgrex, ">= 0.0.0", [hex: :postgrex, repo: "hexpm", optional: true]}], "hexpm", "8fb55c087181c2b15eee406519dc22578fa60dd82c088be376d0010172764ee4"},
|
||||||
"ecto_psql_extras": {:hex, :ecto_psql_extras, "0.7.4", "5d43fd088d39a158c860b17e8d210669587f63ec89ea122a4654861c8c6e2db4", [:mix], [{:ecto_sql, "~> 3.4", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:postgrex, ">= 0.15.7", [hex: :postgrex, repo: "hexpm", optional: false]}, {:table_rex, "~> 3.1.1", [hex: :table_rex, repo: "hexpm", optional: false]}], "hexpm", "311db02f1b772e3d0dc7f56a05044b5e1499d78ed6abf38885e1ca70059449e5"},
|
"ecto_psql_extras": {:hex, :ecto_psql_extras, "0.7.4", "5d43fd088d39a158c860b17e8d210669587f63ec89ea122a4654861c8c6e2db4", [:mix], [{:ecto_sql, "~> 3.4", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:postgrex, ">= 0.15.7", [hex: :postgrex, repo: "hexpm", optional: false]}, {:table_rex, "~> 3.1.1", [hex: :table_rex, repo: "hexpm", optional: false]}], "hexpm", "311db02f1b772e3d0dc7f56a05044b5e1499d78ed6abf38885e1ca70059449e5"},
|
||||||
"ecto_sql": {:hex, :ecto_sql, "3.9.0", "2bb21210a2a13317e098a420a8c1cc58b0c3421ab8e3acfa96417dab7817918c", [:mix], [{:db_connection, "~> 2.5 or ~> 2.4.1", [hex: :db_connection, repo: "hexpm", optional: false]}, {:ecto, "~> 3.9.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:myxql, "~> 0.6.0", [hex: :myxql, repo: "hexpm", optional: true]}, {:postgrex, "~> 0.16.0 or ~> 1.0", [hex: :postgrex, repo: "hexpm", optional: true]}, {:tds, "~> 2.1.1 or ~> 2.2", [hex: :tds, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.0 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "a8f3f720073b8b1ac4c978be25fa7960ed7fd44997420c304a4a2e200b596453"},
|
"ecto_sql": {:hex, :ecto_sql, "3.9.0", "2bb21210a2a13317e098a420a8c1cc58b0c3421ab8e3acfa96417dab7817918c", [:mix], [{:db_connection, "~> 2.5 or ~> 2.4.1", [hex: :db_connection, repo: "hexpm", optional: false]}, {:ecto, "~> 3.9.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:myxql, "~> 0.6.0", [hex: :myxql, repo: "hexpm", optional: true]}, {:postgrex, "~> 0.16.0 or ~> 1.0", [hex: :postgrex, repo: "hexpm", optional: true]}, {:tds, "~> 2.1.1 or ~> 2.2", [hex: :tds, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.0 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "a8f3f720073b8b1ac4c978be25fa7960ed7fd44997420c304a4a2e200b596453"},
|
||||||
@ -59,7 +59,7 @@
|
|||||||
"httpoison": {:hex, :httpoison, "1.8.0", "6b85dea15820b7804ef607ff78406ab449dd78bed923a49c7160e1886e987a3d", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "28089eaa98cf90c66265b6b5ad87c59a3729bea2e74e9d08f9b51eb9729b3c3a"},
|
"httpoison": {:hex, :httpoison, "1.8.0", "6b85dea15820b7804ef607ff78406ab449dd78bed923a49c7160e1886e987a3d", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "28089eaa98cf90c66265b6b5ad87c59a3729bea2e74e9d08f9b51eb9729b3c3a"},
|
||||||
"idna": {:hex, :idna, "6.1.1", "8a63070e9f7d0c62eb9d9fcb360a7de382448200fbbd1b106cc96d3d8099df8d", [:rebar3], [{:unicode_util_compat, "~>0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "92376eb7894412ed19ac475e4a86f7b413c1b9fbb5bd16dccd57934157944cea"},
|
"idna": {:hex, :idna, "6.1.1", "8a63070e9f7d0c62eb9d9fcb360a7de382448200fbbd1b106cc96d3d8099df8d", [:rebar3], [{:unicode_util_compat, "~>0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "92376eb7894412ed19ac475e4a86f7b413c1b9fbb5bd16dccd57934157944cea"},
|
||||||
"inet_cidr": {:hex, :inet_cidr, "1.0.4", "a05744ab7c221ca8e395c926c3919a821eb512e8f36547c062f62c4ca0cf3d6e", [:mix], [], "hexpm", "64a2d30189704ae41ca7dbdd587f5291db5d1dda1414e0774c29ffc81088c1bc"},
|
"inet_cidr": {:hex, :inet_cidr, "1.0.4", "a05744ab7c221ca8e395c926c3919a821eb512e8f36547c062f62c4ca0cf3d6e", [:mix], [], "hexpm", "64a2d30189704ae41ca7dbdd587f5291db5d1dda1414e0774c29ffc81088c1bc"},
|
||||||
"jason": {:hex, :jason, "1.4.0", "e855647bc964a44e2f67df589ccf49105ae039d4179db7f6271dfd3843dc27e6", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "79a3791085b2a0f743ca04cec0f7be26443738779d09302e01318f97bdb82121"},
|
"jason": {:hex, :jason, "1.4.1", "af1504e35f629ddcdd6addb3513c3853991f694921b1b9368b0bd32beb9f1b63", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "fbb01ecdfd565b56261302f7e1fcc27c4fb8f32d56eab74db621fc154604a7a1"},
|
||||||
"joken": {:hex, :joken, "2.3.0", "62a979c46f2c81dcb8ddc9150453b60d3757d1ac393c72bb20fc50a7b0827dc6", [:mix], [{:jose, "~> 1.10", [hex: :jose, repo: "hexpm", optional: false]}], "hexpm", "57b263a79c0ec5d536ac02d569c01e6b4de91bd1cb825625fe90eab4feb7bc1e"},
|
"joken": {:hex, :joken, "2.3.0", "62a979c46f2c81dcb8ddc9150453b60d3757d1ac393c72bb20fc50a7b0827dc6", [:mix], [{:jose, "~> 1.10", [hex: :jose, repo: "hexpm", optional: false]}], "hexpm", "57b263a79c0ec5d536ac02d569c01e6b4de91bd1cb825625fe90eab4feb7bc1e"},
|
||||||
"jose": {:hex, :jose, "1.11.1", "59da64010c69aad6cde2f5b9248b896b84472e99bd18f246085b7b9fe435dcdb", [:mix, :rebar3], [], "hexpm", "078f6c9fb3cd2f4cfafc972c814261a7d1e8d2b3685c0a76eb87e158efff1ac5"},
|
"jose": {:hex, :jose, "1.11.1", "59da64010c69aad6cde2f5b9248b896b84472e99bd18f246085b7b9fe435dcdb", [:mix, :rebar3], [], "hexpm", "078f6c9fb3cd2f4cfafc972c814261a7d1e8d2b3685c0a76eb87e158efff1ac5"},
|
||||||
"jumper": {:hex, :jumper, "1.0.1", "3c00542ef1a83532b72269fab9f0f0c82bf23a35e27d278bfd9ed0865cecabff", [:mix], [], "hexpm", "318c59078ac220e966d27af3646026db9b5a5e6703cb2aa3e26bcfaba65b7433"},
|
"jumper": {:hex, :jumper, "1.0.1", "3c00542ef1a83532b72269fab9f0f0c82bf23a35e27d278bfd9ed0865cecabff", [:mix], [], "hexpm", "318c59078ac220e966d27af3646026db9b5a5e6703cb2aa3e26bcfaba65b7433"},
|
||||||
@ -114,7 +114,7 @@
|
|||||||
"recon": {:hex, :recon, "2.5.1", "430ffa60685ac1efdfb1fe4c97b8767c92d0d92e6e7c3e8621559ba77598678a", [:mix, :rebar3], [], "hexpm", "5721c6b6d50122d8f68cccac712caa1231f97894bab779eff5ff0f886cb44648"},
|
"recon": {:hex, :recon, "2.5.1", "430ffa60685ac1efdfb1fe4c97b8767c92d0d92e6e7c3e8621559ba77598678a", [:mix, :rebar3], [], "hexpm", "5721c6b6d50122d8f68cccac712caa1231f97894bab779eff5ff0f886cb44648"},
|
||||||
"remote_ip": {:git, "https://git.pleroma.social/pleroma/remote_ip.git", "b647d0deecaa3acb140854fe4bda5b7e1dc6d1c8", [ref: "b647d0deecaa3acb140854fe4bda5b7e1dc6d1c8"]},
|
"remote_ip": {:git, "https://git.pleroma.social/pleroma/remote_ip.git", "b647d0deecaa3acb140854fe4bda5b7e1dc6d1c8", [ref: "b647d0deecaa3acb140854fe4bda5b7e1dc6d1c8"]},
|
||||||
"sleeplocks": {:hex, :sleeplocks, "1.1.1", "3d462a0639a6ef36cc75d6038b7393ae537ab394641beb59830a1b8271faeed3", [:rebar3], [], "hexpm", "84ee37aeff4d0d92b290fff986d6a95ac5eedf9b383fadfd1d88e9b84a1c02e1"},
|
"sleeplocks": {:hex, :sleeplocks, "1.1.1", "3d462a0639a6ef36cc75d6038b7393ae537ab394641beb59830a1b8271faeed3", [:rebar3], [], "hexpm", "84ee37aeff4d0d92b290fff986d6a95ac5eedf9b383fadfd1d88e9b84a1c02e1"},
|
||||||
"ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.6", "cf344f5692c82d2cd7554f5ec8fd961548d4fd09e7d22f5b62482e5aeaebd4b0", [:make, :mix, :rebar3], [], "hexpm", "bdb0d2471f453c88ff3908e7686f86f9be327d065cc1ec16fa4540197ea04680"},
|
"ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.7", "354c321cf377240c7b8716899e182ce4890c5938111a1296add3ec74cf1715df", [:make, :mix, :rebar3], [], "hexpm", "fe4c190e8f37401d30167c8c405eda19469f34577987c76dde613e838bbc67f8"},
|
||||||
"sweet_xml": {:hex, :sweet_xml, "0.7.2", "4729f997286811fabdd8288f8474e0840a76573051062f066c4b597e76f14f9f", [:mix], [], "hexpm", "6894e68a120f454534d99045ea3325f7740ea71260bc315f82e29731d570a6e8"},
|
"sweet_xml": {:hex, :sweet_xml, "0.7.2", "4729f997286811fabdd8288f8474e0840a76573051062f066c4b597e76f14f9f", [:mix], [], "hexpm", "6894e68a120f454534d99045ea3325f7740ea71260bc315f82e29731d570a6e8"},
|
||||||
"swoosh": {:hex, :swoosh, "1.8.2", "af9a22ab2c0d20b266f61acca737fa11a121902de9466a39e91bacdce012101c", [:mix], [{:cowboy, "~> 1.1 or ~> 2.4", [hex: :cowboy, repo: "hexpm", optional: true]}, {:ex_aws, "~> 2.1", [hex: :ex_aws, repo: "hexpm", optional: true]}, {:finch, "~> 0.6", [hex: :finch, repo: "hexpm", optional: true]}, {:gen_smtp, "~> 0.13 or ~> 1.0", [hex: :gen_smtp, repo: "hexpm", optional: true]}, {:hackney, "~> 1.9", [hex: :hackney, repo: "hexpm", optional: true]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:mail, "~> 0.2", [hex: :mail, repo: "hexpm", optional: true]}, {:mime, "~> 1.1 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_cowboy, ">= 1.0.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.2 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "d058ba750eafadb6c09a84a352c14c5d1eeeda6e84945fcc95785b7f3067b7db"},
|
"swoosh": {:hex, :swoosh, "1.8.2", "af9a22ab2c0d20b266f61acca737fa11a121902de9466a39e91bacdce012101c", [:mix], [{:cowboy, "~> 1.1 or ~> 2.4", [hex: :cowboy, repo: "hexpm", optional: true]}, {:ex_aws, "~> 2.1", [hex: :ex_aws, repo: "hexpm", optional: true]}, {:finch, "~> 0.6", [hex: :finch, repo: "hexpm", optional: true]}, {:gen_smtp, "~> 0.13 or ~> 1.0", [hex: :gen_smtp, repo: "hexpm", optional: true]}, {:hackney, "~> 1.9", [hex: :hackney, repo: "hexpm", optional: true]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:mail, "~> 0.2", [hex: :mail, repo: "hexpm", optional: true]}, {:mime, "~> 1.1 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_cowboy, ">= 1.0.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.2 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "d058ba750eafadb6c09a84a352c14c5d1eeeda6e84945fcc95785b7f3067b7db"},
|
||||||
"syslog": {:hex, :syslog, "1.1.0", "6419a232bea84f07b56dc575225007ffe34d9fdc91abe6f1b2f254fd71d8efc2", [:rebar3], [], "hexpm", "4c6a41373c7e20587be33ef841d3de6f3beba08519809329ecc4d27b15b659e1"},
|
"syslog": {:hex, :syslog, "1.1.0", "6419a232bea84f07b56dc575225007ffe34d9fdc91abe6f1b2f254fd71d8efc2", [:rebar3], [], "hexpm", "4c6a41373c7e20587be33ef841d3de6f3beba08519809329ecc4d27b15b659e1"},
|
||||||
|
File diff suppressed because one or more lines are too long
3
test/fixtures/xml_external_entities.xml
vendored
Normal file
3
test/fixtures/xml_external_entities.xml
vendored
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
|
||||||
|
<stockCheck><productId>&xxe;</productId></stockCheck>
|
@ -17,6 +17,8 @@ defmodule Pleroma.Config.ReleaseRuntimeProviderTest do
|
|||||||
end
|
end
|
||||||
|
|
||||||
test "merged runtime config" do
|
test "merged runtime config" do
|
||||||
|
assert :ok == File.chmod!("test/fixtures/config/temp.secret.exs", 0o640)
|
||||||
|
|
||||||
merged =
|
merged =
|
||||||
ReleaseRuntimeProvider.load([], config_path: "test/fixtures/config/temp.secret.exs")
|
ReleaseRuntimeProvider.load([], config_path: "test/fixtures/config/temp.secret.exs")
|
||||||
|
|
||||||
@ -25,6 +27,8 @@ defmodule Pleroma.Config.ReleaseRuntimeProviderTest do
|
|||||||
end
|
end
|
||||||
|
|
||||||
test "merged exported config" do
|
test "merged exported config" do
|
||||||
|
assert :ok == File.chmod!("test/fixtures/config/temp.exported_from_db.secret.exs", 0o640)
|
||||||
|
|
||||||
ExUnit.CaptureIO.capture_io(fn ->
|
ExUnit.CaptureIO.capture_io(fn ->
|
||||||
merged =
|
merged =
|
||||||
ReleaseRuntimeProvider.load([],
|
ReleaseRuntimeProvider.load([],
|
||||||
@ -37,6 +41,9 @@ defmodule Pleroma.Config.ReleaseRuntimeProviderTest do
|
|||||||
end
|
end
|
||||||
|
|
||||||
test "runtime config is merged with exported config" do
|
test "runtime config is merged with exported config" do
|
||||||
|
assert :ok == File.chmod!("test/fixtures/config/temp.secret.exs", 0o640)
|
||||||
|
assert :ok == File.chmod!("test/fixtures/config/temp.exported_from_db.secret.exs", 0o640)
|
||||||
|
|
||||||
merged =
|
merged =
|
||||||
ReleaseRuntimeProvider.load([],
|
ReleaseRuntimeProvider.load([],
|
||||||
config_path: "test/fixtures/config/temp.secret.exs",
|
config_path: "test/fixtures/config/temp.secret.exs",
|
||||||
|
@ -90,4 +90,8 @@ defmodule Pleroma.Emoji.PackTest do
|
|||||||
|
|
||||||
assert updated_pack.files_count == 1
|
assert updated_pack.files_count == 1
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "load_pack/1 ignores path traversal in a forged pack name", %{pack: pack} do
|
||||||
|
assert {:ok, ^pack} = Pack.load_pack("../../../../../dump_pack")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
@ -65,7 +65,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier.EmojiReactHandlingTest do
|
|||||||
object = Object.get_by_ap_id(data["object"])
|
object = Object.get_by_ap_id(data["object"])
|
||||||
|
|
||||||
assert object.data["reaction_count"] == 1
|
assert object.data["reaction_count"] == 1
|
||||||
assert match?([[emoji, _]], object.data["reactions"])
|
assert match?([[^emoji, _]], object.data["reactions"])
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it reject invalid emoji reactions" do
|
test "it reject invalid emoji reactions" do
|
||||||
|
@ -375,7 +375,7 @@ defmodule Pleroma.Web.MastodonAPI.UpdateCredentialsTest do
|
|||||||
"pleroma_background_image" => new_background_oversized
|
"pleroma_background_image" => new_background_oversized
|
||||||
})
|
})
|
||||||
|
|
||||||
assert user_response = json_response_and_validate_schema(res, 413)
|
assert _user_response = json_response_and_validate_schema(res, 413)
|
||||||
assert user.background == %{}
|
assert user.background == %{}
|
||||||
|
|
||||||
clear_config([:instance, :upload_limit], upload_limit)
|
clear_config([:instance, :upload_limit], upload_limit)
|
||||||
|
@ -180,5 +180,28 @@ defmodule Pleroma.Web.WebFingerTest do
|
|||||||
|
|
||||||
{:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
|
{:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "refuses to process XML remote entities" do
|
||||||
|
Tesla.Mock.mock(fn
|
||||||
|
%{
|
||||||
|
url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
|
||||||
|
} ->
|
||||||
|
{:ok,
|
||||||
|
%Tesla.Env{
|
||||||
|
status: 200,
|
||||||
|
body: File.read!("test/fixtures/xml_external_entities.xml"),
|
||||||
|
headers: [{"content-type", "application/xrd+xml"}]
|
||||||
|
}}
|
||||||
|
|
||||||
|
%{url: "https://pawoo.net/.well-known/host-meta"} ->
|
||||||
|
{:ok,
|
||||||
|
%Tesla.Env{
|
||||||
|
status: 200,
|
||||||
|
body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
|
||||||
|
}}
|
||||||
|
end)
|
||||||
|
|
||||||
|
assert :error = WebFinger.finger("pekorino@pawoo.net")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
10
test/pleroma/web/xml_test.exs
Normal file
10
test/pleroma/web/xml_test.exs
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
defmodule Pleroma.Web.XMLTest do
|
||||||
|
use Pleroma.DataCase, async: true
|
||||||
|
|
||||||
|
alias Pleroma.Web.XML
|
||||||
|
|
||||||
|
test "refuses to load external entities from XML" do
|
||||||
|
data = File.read!("test/fixtures/xml_external_entities.xml")
|
||||||
|
assert(:error == XML.parse_document(data))
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue
Block a user