Save downloaded media as "unknown" if its media type is not supported

2023-01-14 00:46:49 +00:00 · 2023-01-14 00:46:49 +00:00 · 85dbb6f392
parent 51cb72d142
commit 85dbb6f392
3 changed files with 27 additions and 9 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Accept webfinger requests where `resource` is actor ID.
 - Adeed support for `as:Public` audience identifier.

+### Changed
+
+- Save downloaded media as "unknown" if its media type is not supported.
+
 ### Removed

 - `/api/v1/accounts/move_followers` API endpoint.
--- a/src/activitypub/fetcher/fetchers.rs
+++ b/src/activitypub/fetcher/fetchers.rs
@ -12,7 +12,11 @@ use crate::http_signatures::create::{
    create_http_signature,
    HttpSignatureError,
 };
-use crate::utils::files::{save_file, sniff_media_type};
+use crate::utils::files::{
+    save_file,
+    sniff_media_type,
+    SUPPORTED_MEDIA_TYPES,
+};
 use crate::utils::urls::guess_protocol;
 use crate::webfinger::types::{ActorAddress, JsonResourceDescriptor};

@ -118,7 +122,20 @@ pub async fn fetch_file(
    if file_data.len() > FILE_MAX_SIZE as usize {
        return Err(FetchError::OtherError("file is too large"));
    };
-    let maybe_media_type = sniff_media_type(&file_data);
+    let maybe_media_type = sniff_media_type(&file_data)
+        // Remove media type if it is not supported to prevent XSS
+        .filter(|media_type| {
+            if SUPPORTED_MEDIA_TYPES.contains(&media_type.as_str()) {
+                true
+            } else {
+                log::info!(
+                    "unsupported media type {}: {}",
+                    media_type,
+                    url,
+                );
+                false
+            }
+        });
    let file_name = save_file(
        file_data.to_vec(),
        output_dir,
--- a/src/activitypub/handlers/create.rs
+++ b/src/activitypub/handlers/create.rs
@ -175,7 +175,7 @@ pub async fn handle_note(
            };
            let attachment_url = attachment.url
                .ok_or(ValidationError("attachment URL is missing"))?;
-            let (file_name, media_type) = fetch_file(
+            let (file_name, maybe_media_type) = fetch_file(
                instance,
                &attachment_url,
                media_dir,
@ -185,22 +185,19 @@ pub async fn handle_note(
                    ValidationError("failed to fetch attachment")
                })?;
            log::info!("downloaded attachment {}", attachment_url);
-            downloaded.push((
-                file_name,
-                attachment.media_type.or(media_type),
-            ));
+            downloaded.push((file_name, maybe_media_type));
            // Stop downloading if limit is reached
            if downloaded.len() >= ATTACHMENTS_MAX_NUM {
                log::warn!("too many attachments");
                break;
            };
        };
-        for (file_name, media_type) in downloaded {
+        for (file_name, maybe_media_type) in downloaded {
            let db_attachment = create_attachment(
                db_client,
                &author.id,
                file_name,
-                media_type,
+                maybe_media_type,
            ).await?;
            attachments.push(db_attachment.id);
        };