FediMovies/fedimovies
1
1
Fork 0
Code Issues 3 Pull requests Projects Releases Packages Activity

Save downloaded media as "unknown" if its media type is not supported

Browse source
This commit is contained in:
silverpill 2023-01-14 00:46:49 +00:00
parent 51cb72d142
commit 85dbb6f392
3 changed files with 27 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -14,6 +14,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Accept webfinger requests where `resource` is actor ID. - Accept webfinger requests where `resource` is actor ID.
- Adeed support for `as:Public` audience identifier. - Adeed support for `as:Public` audience identifier.
### Changed
- Save downloaded media as "unknown" if its media type is not supported.
### Removed ### Removed
- `/api/v1/accounts/move_followers` API endpoint. - `/api/v1/accounts/move_followers` API endpoint.

21
src/activitypub/fetcher/fetchers.rs
View file

@ -12,7 +12,11 @@ use crate::http_signatures::create::{
create_http_signature, create_http_signature,
HttpSignatureError, HttpSignatureError,
}; };
use crate::utils::files::{save_file, sniff_media_type}; use crate::utils::files::{
save_file,
sniff_media_type,
SUPPORTED_MEDIA_TYPES,
};
use crate::utils::urls::guess_protocol; use crate::utils::urls::guess_protocol;
use crate::webfinger::types::{ActorAddress, JsonResourceDescriptor}; use crate::webfinger::types::{ActorAddress, JsonResourceDescriptor};
@ -118,7 +122,20 @@ pub async fn fetch_file(
if file_data.len() > FILE_MAX_SIZE as usize { if file_data.len() > FILE_MAX_SIZE as usize {
return Err(FetchError::OtherError("file is too large")); return Err(FetchError::OtherError("file is too large"));
}; };
let maybe_media_type = sniff_media_type(&file_data); let maybe_media_type = sniff_media_type(&file_data)
// Remove media type if it is not supported to prevent XSS
.filter(|media_type| {
if SUPPORTED_MEDIA_TYPES.contains(&media_type.as_str()) {
true
} else {
log::info!(
"unsupported media type {}: {}",
media_type,
url,
);
false
}
});
let file_name = save_file( let file_name = save_file(
file_data.to_vec(), file_data.to_vec(),
output_dir, output_dir,

11
src/activitypub/handlers/create.rs
View file

@ -175,7 +175,7 @@ pub async fn handle_note(
}; };
let attachment_url = attachment.url let attachment_url = attachment.url
.ok_or(ValidationError("attachment URL is missing"))?; .ok_or(ValidationError("attachment URL is missing"))?;
let (file_name, media_type) = fetch_file( let (file_name, maybe_media_type) = fetch_file(
instance, instance,
&attachment_url, &attachment_url,
media_dir, media_dir,
@ -185,22 +185,19 @@ pub async fn handle_note(
ValidationError("failed to fetch attachment") ValidationError("failed to fetch attachment")
})?; })?;
log::info!("downloaded attachment {}", attachment_url); log::info!("downloaded attachment {}", attachment_url);
downloaded.push(( downloaded.push((file_name, maybe_media_type));
file_name,
attachment.media_type.or(media_type),
));
// Stop downloading if limit is reached // Stop downloading if limit is reached
if downloaded.len() >= ATTACHMENTS_MAX_NUM { if downloaded.len() >= ATTACHMENTS_MAX_NUM {
log::warn!("too many attachments"); log::warn!("too many attachments");
break; break;
}; };
}; };
for (file_name, media_type) in downloaded { for (file_name, maybe_media_type) in downloaded {
let db_attachment = create_attachment( let db_attachment = create_attachment(
db_client, db_client,
&author.id, &author.id,
file_name, file_name,
media_type, maybe_media_type,
).await?; ).await?;
attachments.push(db_attachment.id); attachments.push(db_attachment.id);
}; };