Compare commits

..

4 Commits

Author SHA1 Message Date
53cf9d4e20 Updated csp parameters 2024-04-09 17:42:49 -07:00
Haelwenn
fb4aa9f725 Merge branch 'release/2.6.2' into 'stable'
Security Release 2.6.2

See merge request pleroma/pleroma!4074
2024-02-20 08:43:07 +00:00
Haelwenn (lanodan) Monnier
be075a4336
Security release 2.6.2 2024-02-20 09:16:36 +01:00
Haelwenn (lanodan) Monnier
ac977bdb1c
StealEmojiPolicy: Sanitize shortcodes
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245
2024-02-20 09:14:02 +01:00
4 changed files with 34 additions and 1 deletions

View File

@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## 2.6.2
### Security
- MRF StealEmojiPolicy: Sanitize shortcodes (thanks to Hazel K for the report
## 2.6.1 ## 2.6.1
### Changed ### Changed
- - Document maximum supported version of Erlang & Elixir - - Document maximum supported version of Erlang & Elixir

View File

@ -34,6 +34,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
|> Path.basename() |> Path.basename()
|> Path.extname() |> Path.extname()
shortcode = Path.basename(shortcode)
file_path = Path.join(emoji_dir_path, shortcode <> (extension || ".png")) file_path = Path.join(emoji_dir_path, shortcode <> (extension || ".png"))
case File.write(file_path, response.body) do case File.write(file_path, response.body) do
@ -76,6 +77,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
new_emojis = new_emojis =
foreign_emojis foreign_emojis
|> Enum.reject(fn {shortcode, _url} -> shortcode in installed_emoji end) |> Enum.reject(fn {shortcode, _url} -> shortcode in installed_emoji end)
|> Enum.reject(fn {shortcode, _url} -> String.contains?(shortcode, ["/", "\\"]) end)
|> Enum.filter(fn {shortcode, _url} -> |> Enum.filter(fn {shortcode, _url} ->
reject_emoji? = reject_emoji? =
[:mrf_steal_emoji, :rejected_shortcodes] [:mrf_steal_emoji, :rejected_shortcodes]

View File

@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
def project do def project do
[ [
app: :pleroma, app: :pleroma,
version: version("2.6.1"), version: version("2.6.2"),
elixir: "~> 1.11", elixir: "~> 1.11",
elixirc_paths: elixirc_paths(Mix.env()), elixirc_paths: elixirc_paths(Mix.env()),
compilers: [:phoenix] ++ Mix.compilers(), compilers: [:phoenix] ++ Mix.compilers(),

View File

@ -60,6 +60,32 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicyTest do
|> File.exists?() |> File.exists?()
end end
test "rejects invalid shortcodes", %{path: path} do
message = %{
"type" => "Create",
"object" => %{
"emoji" => [{"fired/fox", "https://example.org/emoji/firedfox"}],
"actor" => "https://example.org/users/admin"
}
}
fullpath = Path.join(path, "fired/fox.png")
Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox"} ->
%Tesla.Env{status: 200, body: File.read!("test/fixtures/image.jpg")}
end)
clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)
refute "firedfox" in installed()
refute File.exists?(path)
assert {:ok, _message} = StealEmojiPolicy.filter(message)
refute "fired/fox" in installed()
refute File.exists?(fullpath)
end
test "reject regex shortcode", %{message: message} do test "reject regex shortcode", %{message: message} do
refute "firedfox" in installed() refute "firedfox" in installed()