mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2025-01-10 17:25:26 +00:00
Merge branch 'issue/3126' into 'develop'
MediaProxyController: Apply CSP sandbox See merge request pleroma/pleroma!3890
This commit is contained in:
parent
4339230f64
commit
b36263e5ff
3 changed files with 24 additions and 0 deletions
1
changelog.d/3126.fix
Normal file
1
changelog.d/3126.fix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
MediaProxy responses now return a sandbox CSP header
|
|
@ -12,6 +12,8 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
|
||||||
alias Pleroma.Web.MediaProxy
|
alias Pleroma.Web.MediaProxy
|
||||||
alias Plug.Conn
|
alias Plug.Conn
|
||||||
|
|
||||||
|
plug(:sandbox)
|
||||||
|
|
||||||
def remote(conn, %{"sig" => sig64, "url" => url64}) do
|
def remote(conn, %{"sig" => sig64, "url" => url64}) do
|
||||||
with {_, true} <- {:enabled, MediaProxy.enabled?()},
|
with {_, true} <- {:enabled, MediaProxy.enabled?()},
|
||||||
{:ok, url} <- MediaProxy.decode_url(sig64, url64),
|
{:ok, url} <- MediaProxy.decode_url(sig64, url64),
|
||||||
|
@ -202,4 +204,9 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
|
||||||
defp media_proxy_opts do
|
defp media_proxy_opts do
|
||||||
Config.get([:media_proxy, :proxy_opts], [])
|
Config.get([:media_proxy, :proxy_opts], [])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
defp sandbox(conn, _params) do
|
||||||
|
conn
|
||||||
|
|> merge_resp_headers([{"content-security-policy", "sandbox;"}])
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -6,7 +6,9 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyControllerTest do
|
||||||
use Pleroma.Web.ConnCase
|
use Pleroma.Web.ConnCase
|
||||||
|
|
||||||
import Mock
|
import Mock
|
||||||
|
import Mox
|
||||||
|
|
||||||
|
alias Pleroma.ReverseProxy.ClientMock
|
||||||
alias Pleroma.Web.MediaProxy
|
alias Pleroma.Web.MediaProxy
|
||||||
alias Plug.Conn
|
alias Plug.Conn
|
||||||
|
|
||||||
|
@ -74,6 +76,20 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyControllerTest do
|
||||||
assert %Conn{status: 404, resp_body: "Not Found"} = get(conn, url)
|
assert %Conn{status: 404, resp_body: "Not Found"} = get(conn, url)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "it applies sandbox CSP to MediaProxy requests", %{conn: conn} do
|
||||||
|
media_url = "https://lain.com/image.png"
|
||||||
|
media_proxy_url = MediaProxy.encode_url(media_url)
|
||||||
|
|
||||||
|
ClientMock
|
||||||
|
|> expect(:request, fn :get, ^media_url, _, _, _ ->
|
||||||
|
{:ok, 200, [{"content-type", "image/png"}]}
|
||||||
|
end)
|
||||||
|
|
||||||
|
%Conn{resp_headers: headers} = get(conn, media_proxy_url)
|
||||||
|
|
||||||
|
assert {"content-security-policy", "sandbox;"} in headers
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "Media Preview Proxy" do
|
describe "Media Preview Proxy" do
|
||||||
|
|
Loading…
Reference in a new issue