Merge branch 'validate-host' into 'develop'

Validate Host header for MediaProxy and Uploads

See merge request pleroma/pleroma!3896
This commit is contained in:
Haelwenn 2023-05-31 00:50:01 +00:00
commit d998a114e2
6 changed files with 116 additions and 2 deletions

1
changelog.d/3896.add Normal file
View file

@ -0,0 +1 @@
Validate Host header for MediaProxy and Uploads and return a 302 if the base_url has changed

View file

@ -12,6 +12,7 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
alias Pleroma.Web.MediaProxy alias Pleroma.Web.MediaProxy
alias Plug.Conn alias Plug.Conn
plug(:validate_host)
plug(:sandbox) plug(:sandbox)
def remote(conn, %{"sig" => sig64, "url" => url64}) do def remote(conn, %{"sig" => sig64, "url" => url64}) do
@ -205,6 +206,30 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
Config.get([:media_proxy, :proxy_opts], []) Config.get([:media_proxy, :proxy_opts], [])
end end
defp validate_host(conn, _params) do
%{scheme: proxy_scheme, host: proxy_host, port: proxy_port} =
MediaProxy.base_url() |> URI.parse()
if match?(^proxy_host, conn.host) do
conn
else
redirect_url =
%URI{
scheme: proxy_scheme,
host: proxy_host,
port: proxy_port,
path: conn.request_path,
query: conn.query_string
}
|> URI.to_string()
|> String.trim_trailing("?")
conn
|> Phoenix.Controller.redirect(external: redirect_url)
|> halt()
end
end
defp sandbox(conn, _params) do defp sandbox(conn, _params) do
conn conn
|> merge_resp_headers([{"content-security-policy", "sandbox;"}]) |> merge_resp_headers([{"content-security-policy", "sandbox;"}])

View file

@ -46,12 +46,32 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
config = Pleroma.Config.get(Pleroma.Upload) config = Pleroma.Config.get(Pleroma.Upload)
with uploader <- Keyword.fetch!(config, :uploader), %{scheme: media_scheme, host: media_host, port: media_port} =
Pleroma.Upload.base_url() |> URI.parse()
with {:valid_host, true} <- {:valid_host, match?(^media_host, conn.host)},
uploader <- Keyword.fetch!(config, :uploader),
proxy_remote = Keyword.get(config, :proxy_remote, false), proxy_remote = Keyword.get(config, :proxy_remote, false),
{:ok, get_method} <- uploader.get_file(file), {:ok, get_method} <- uploader.get_file(file),
false <- media_is_banned(conn, get_method) do false <- media_is_banned(conn, get_method) do
get_media(conn, get_method, proxy_remote, opts) get_media(conn, get_method, proxy_remote, opts)
else else
{:valid_host, false} ->
redirect_url =
%URI{
scheme: media_scheme,
host: media_host,
port: media_port,
path: conn.request_path,
query: conn.query_string
}
|> URI.to_string()
|> String.trim_trailing("?")
conn
|> Phoenix.Controller.redirect(external: redirect_url)
|> halt()
_ -> _ ->
conn conn
|> send_resp(:internal_server_error, dgettext("errors", "Failed")) |> send_resp(:internal_server_error, dgettext("errors", "Failed"))

View file

@ -54,6 +54,40 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyControllerTest do
} = get(conn, "/proxy/hhgfh/eeee/fff") } = get(conn, "/proxy/hhgfh/eeee/fff")
end end
test "it returns a 302 for invalid host", %{conn: conn} do
new_proxy_base = "http://mp.localhost/"
%{scheme: new_proxy_scheme, host: new_proxy_host, port: new_proxy_port} =
URI.parse(new_proxy_base)
clear_config([:media_proxy, :base_url], new_proxy_base)
proxy_url =
MediaProxy.encode_url("https://pleroma.social/logo.jpeg")
|> URI.parse()
|> Map.put(:host, "wronghost")
|> URI.to_string()
expected_url =
URI.parse(proxy_url)
|> Map.put(:host, new_proxy_host)
|> Map.put(:port, new_proxy_port)
|> Map.put(:scheme, new_proxy_scheme)
|> URI.to_string()
with_mock Pleroma.ReverseProxy,
call: fn _conn, _url, _opts -> %Conn{status: :success} end do
%{resp_headers: resp_headers, status: status} = get(conn, proxy_url)
assert status == 302
assert Enum.any?(
resp_headers,
&(&1 == {"location", expected_url})
)
end
end
test "redirects to valid url when filename is invalidated", %{conn: conn, url: url} do test "redirects to valid url when filename is invalidated", %{conn: conn, url: url} do
invalid_url = String.replace(url, "test.png", "test-file.png") invalid_url = String.replace(url, "test.png", "test-file.png")
response = get(conn, invalid_url) response = get(conn, invalid_url)

View file

@ -40,4 +40,35 @@ defmodule Pleroma.Web.Plugs.UploadedMediaPlugTest do
&(&1 == {"content-disposition", ~s[inline; filename="\\"cofe\\".gif"]}) &(&1 == {"content-disposition", ~s[inline; filename="\\"cofe\\".gif"]})
) )
end end
test "denies access to media if wrong Host", %{
attachment_url: attachment_url
} do
conn = get(build_conn(), attachment_url)
assert conn.status == 200
new_media_base = "http://media.localhost:8080"
%{scheme: new_media_scheme, host: new_media_host, port: new_media_port} =
URI.parse(new_media_base)
clear_config([Pleroma.Upload, :base_url], new_media_base)
conn = get(build_conn(), attachment_url)
expected_url =
URI.parse(attachment_url)
|> Map.put(:host, new_media_host)
|> Map.put(:port, new_media_port)
|> Map.put(:scheme, new_media_scheme)
|> URI.to_string()
assert conn.status == 302
assert Enum.any?(
conn.resp_headers,
&(&1 == {"location", expected_url})
)
end
end end

View file

@ -120,6 +120,9 @@ defmodule Pleroma.Web.ConnCase do
Mox.verify_on_exit!() Mox.verify_on_exit!()
{:ok, conn: Phoenix.ConnTest.build_conn()} {:ok,
conn:
Phoenix.ConnTest.build_conn()
|> Map.put(:host, Pleroma.Web.Endpoint.host())}
end end
end end