akkoma/test/pleroma/web/activity_pub/mrf/steal_emoji_policy_test.exs

# Pleroma: A lightweight social networking server
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicyTest do
  use Pleroma.DataCase

  alias Pleroma.Config
  alias Pleroma.Emoji
  alias Pleroma.Emoji.Pack
  alias Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy

  defp has_pack?() do
    case Pack.load_pack("stolen") do
      {:ok, _pack} -> true
      {:error, :enoent} -> false
    end
  end

  defp has_emoji?(shortcode) do
    case Pack.load_pack("stolen") do
      {:ok, pack} -> Map.has_key?(pack.files, shortcode)
      {:error, :enoent} -> false
    end
  end

  setup do
    emoji_path = [:instance, :static_dir] |> Config.get() |> Path.join("emoji/stolen")

    Emoji.reload()

    message = %{
      "type" => "Create",
      "object" => %{
        "emoji" => [{"firedfox", "https://example.org/emoji/firedfox.png"}],
        "actor" => "https://example.org/users/admin"
      }
    }

    on_exit(fn ->
      File.rm_rf!(emoji_path)
    end)

    [message: message]
  end

  test "does nothing by default", %{message: message} do
    refute "firedfox" in installed()

    assert {:ok, _message} = StealEmojiPolicy.filter(message)

    refute "firedfox" in installed()
  end

  test "Steals emoji on unknown shortcode from allowed remote host", %{
    message: message
  } do
    refute "firedfox" in installed()
    refute has_pack?()

    Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox.png"} ->
      %Tesla.Env{
        status: 200,
        body: File.read!("test/fixtures/image.jpg"),
        url: "https://example.org/emoji/firedfox.png"
      }
    end)

    clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)

    assert {:ok, _message} = StealEmojiPolicy.filter(message)

    assert "firedfox" in installed()
    assert has_pack?()

    assert has_emoji?("firedfox")
  end

  test "rejects invalid shortcodes" do
    message = %{
      "type" => "Create",
      "object" => %{
        "emoji" => [{"fired/fox", "https://example.org/emoji/firedfox"}],
        "actor" => "https://example.org/users/admin"
      }
    }

    Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox"} ->
      %Tesla.Env{
        status: 200,
        body: File.read!("test/fixtures/image.jpg"),
        url: "https://example.org/emoji/firedfox.png"
      }
    end)

    clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)

    refute "firedfox" in installed()
    refute has_pack?()

    assert {:ok, _message} = StealEmojiPolicy.filter(message)

    refute "fired/fox" in installed()
    refute has_emoji?("fired/fox")
  end

  test "prefers content-type header for extension" do
    message = %{
      "type" => "Create",
      "object" => %{
        "emoji" => [{"firedfox", "https://example.org/emoji/firedfox.fud"}],
        "actor" => "https://example.org/users/admin"
      }
    }

    Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox.fud"} ->
      %Tesla.Env{
        status: 200,
        body: File.read!("test/fixtures/image.jpg"),
        url: "https://example.org/emoji/firedfox.wevp",
        headers: [{"content-type", "image/gif"}]
      }
    end)

    clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)

    assert {:ok, _message} = StealEmojiPolicy.filter(message)

    assert "firedfox" in installed()
    assert has_emoji?("firedfox")
  end

  test "reject regex shortcode", %{message: message} do
    refute "firedfox" in installed()

    clear_config(:mrf_steal_emoji,
      hosts: ["example.org"],
      size_limit: 284_468,
      rejected_shortcodes: [~r/firedfox/]
    )

    assert {:ok, _message} = StealEmojiPolicy.filter(message)

    refute "firedfox" in installed()
  end

  test "reject string shortcode", %{message: message} do
    refute "firedfox" in installed()

    clear_config(:mrf_steal_emoji,
      hosts: ["example.org"],
      size_limit: 284_468,
      rejected_shortcodes: ["firedfox"]
    )

    assert {:ok, _message} = StealEmojiPolicy.filter(message)

    refute "firedfox" in installed()
  end

  test "reject if size is above the limit", %{message: message} do
    refute "firedfox" in installed()

    Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox.png"} ->
      %Tesla.Env{
        status: 200,
        body: File.read!("test/fixtures/image.jpg"),
        url: "https://example.org/emoji/firedfox.png"
      }
    end)

    clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 50_000)

    assert {:ok, _message} = StealEmojiPolicy.filter(message)

    refute "firedfox" in installed()
  end

  test "reject if host returns error", %{message: message} do
    refute "firedfox" in installed()

    Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox.png"} ->
      {:ok,
       %Tesla.Env{status: 404, body: "Not found", url: "https://example.org/emoji/firedfox.png"}}
    end)

    clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)

    ExUnit.CaptureLog.capture_log(fn ->
      assert {:ok, _message} = StealEmojiPolicy.filter(message)
    end) =~ "MRF.StealEmojiPolicy: Failed to fetch https://example.org/emoji/firedfox.png"

    refute "firedfox" in installed()
  end

  defp installed, do: Emoji.get_all() |> Enum.map(fn {k, _} -> k end)
end
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00			`# Pleroma: A lightweight social networking server`
Bump Copyright to 2021 grep -rl '# Copyright © .* Pleroma' * \| xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;' 2021-01-13 06:49:20 +00:00			`# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00			`# SPDX-License-Identifier: AGPL-3.0-only`

			`defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicyTest do`
			`use Pleroma.DataCase`

			`alias Pleroma.Config`
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`alias Pleroma.Emoji`
test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`alias Pleroma.Emoji.Pack`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00			`alias Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy`

test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`defp has_pack?() do`
			`case Pack.load_pack("stolen") do`
			`{:ok, _pack} -> true`
			`{:error, :enoent} -> false`
			`end`
			`end`

			`defp has_emoji?(shortcode) do`
			`case Pack.load_pack("stolen") do`
			`{:ok, pack} -> Map.has_key?(pack.files, shortcode)`
			`{:error, :enoent} -> false`
			`end`
			`end`

MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00			`setup do`
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`emoji_path = [:instance, :static_dir] \|> Config.get() \|> Path.join("emoji/stolen")`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`Emoji.reload()`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00
			`message = %{`
			`"type" => "Create",`
			`"object" => %{`
			`"emoji" => [{"firedfox", "https://example.org/emoji/firedfox.png"}],`
			`"actor" => "https://example.org/users/admin"`
			`}`
			`}`

insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`on_exit(fn ->`
			`File.rm_rf!(emoji_path)`
			`end)`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00
test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`[message: message]`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00			`end`

insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`test "does nothing by default", %{message: message} do`
			`refute "firedfox" in installed()`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`assert {:ok, _message} = StealEmojiPolicy.filter(message)`

			`refute "firedfox" in installed()`
			`end`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`test "Steals emoji on unknown shortcode from allowed remote host", %{`
test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`message: message`
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`} do`
			`refute "firedfox" in installed()`
test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`refute has_pack?()`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00
StealEmojiPolicyTest: Make mocks explicit. 2021-11-14 10:44:24 +00:00			`Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox.png"} ->`
StealEmoji: use Content-Type and reject non-images E.g. *key’s emoji URLs typically don’t have file extensions, but until now we just slapped ".png" at its end hoping for the best. Furthermore, this gives us a chance to actually reject non-images, which before was not feasible exatly due to those extension-less URLs 2024-03-07 22:35:05 +00:00			`%Tesla.Env{`
			`status: 200,`
			`body: File.read!("test/fixtures/image.jpg"),`
			`url: "https://example.org/emoji/firedfox.png"`
			`}`
StealEmojiPolicyTest: Make mocks explicit. 2021-11-14 10:44:24 +00:00			`end)`

insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`assert {:ok, _message} = StealEmojiPolicy.filter(message)`

			`assert "firedfox" in installed()`
test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`assert has_pack?()`
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00
test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`assert has_emoji?("firedfox")`
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`end`

test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`test "rejects invalid shortcodes" do`
StealEmojiPolicy: Sanitize shortcodes Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245 2024-02-20 07:45:48 +00:00			`message = %{`
			`"type" => "Create",`
			`"object" => %{`
			`"emoji" => [{"fired/fox", "https://example.org/emoji/firedfox"}],`
			`"actor" => "https://example.org/users/admin"`
			`}`
			`}`

			`Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox"} ->`
StealEmoji: use Content-Type and reject non-images E.g. *key’s emoji URLs typically don’t have file extensions, but until now we just slapped ".png" at its end hoping for the best. Furthermore, this gives us a chance to actually reject non-images, which before was not feasible exatly due to those extension-less URLs 2024-03-07 22:35:05 +00:00			`%Tesla.Env{`
			`status: 200,`
			`body: File.read!("test/fixtures/image.jpg"),`
			`url: "https://example.org/emoji/firedfox.png"`
			`}`
StealEmojiPolicy: Sanitize shortcodes Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245 2024-02-20 07:45:48 +00:00			`end)`

			`clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)`

			`refute "firedfox" in installed()`
test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`refute has_pack?()`
StealEmojiPolicy: Sanitize shortcodes Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245 2024-02-20 07:45:48 +00:00
			`assert {:ok, _message} = StealEmojiPolicy.filter(message)`

			`refute "fired/fox" in installed()`
test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`refute has_emoji?("fired/fox")`
StealEmojiPolicy: Sanitize shortcodes Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245 2024-02-20 07:45:48 +00:00			`end`

test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`test "prefers content-type header for extension" do`
StealEmoji: use Content-Type and reject non-images E.g. *key’s emoji URLs typically don’t have file extensions, but until now we just slapped ".png" at its end hoping for the best. Furthermore, this gives us a chance to actually reject non-images, which before was not feasible exatly due to those extension-less URLs 2024-03-07 22:35:05 +00:00			`message = %{`
			`"type" => "Create",`
			`"object" => %{`
			`"emoji" => [{"firedfox", "https://example.org/emoji/firedfox.fud"}],`
			`"actor" => "https://example.org/users/admin"`
			`}`
			`}`

			`Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox.fud"} ->`
			`%Tesla.Env{`
			`status: 200,`
			`body: File.read!("test/fixtures/image.jpg"),`
			`url: "https://example.org/emoji/firedfox.wevp",`
			`headers: [{"content-type", "image/gif"}]`
			`}`
			`end)`

			`clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)`

			`assert {:ok, _message} = StealEmojiPolicy.filter(message)`

			`assert "firedfox" in installed()`
test: use pack functions to check for emoji The hardocded path and filenames assumptions will be broken with the next commit. 2024-03-09 21:39:25 +00:00			`assert has_emoji?("firedfox")`
StealEmoji: use Content-Type and reject non-images E.g. *key’s emoji URLs typically don’t have file extensions, but until now we just slapped ".png" at its end hoping for the best. Furthermore, this gives us a chance to actually reject non-images, which before was not feasible exatly due to those extension-less URLs 2024-03-07 22:35:05 +00:00			`end`

StealEmojiPolicy: fix String rejected_shortcodes * rejected_shortcodes is defined as a list of strings in the configuration description. As such, database-based configuration was led to handle those settings as strings, and not as the actually expected type, Regex. * This caused each message passing through this MRF, if a rejected shortcode was set and the emoji did not exist already on the instance, to fail federating, as an exception was raised, swiftly caught and mostly silenced. * This commit fixes the issue by introducing new behavior: strings are now handled as perfect matches for an emoji shortcode (meaning that if the emoji-to-be-pulled's shortcode is in the blacklist, it will be rejected), while still supporting Regex types as before. 2022-05-18 19:25:10 +00:00			`test "reject regex shortcode", %{message: message} do`
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`refute "firedfox" in installed()`

			`clear_config(:mrf_steal_emoji,`
			`hosts: ["example.org"],`
			`size_limit: 284_468,`
			`rejected_shortcodes: [~r/firedfox/]`
			`)`

			`assert {:ok, _message} = StealEmojiPolicy.filter(message)`

			`refute "firedfox" in installed()`
			`end`

StealEmojiPolicy: fix String rejected_shortcodes * rejected_shortcodes is defined as a list of strings in the configuration description. As such, database-based configuration was led to handle those settings as strings, and not as the actually expected type, Regex. * This caused each message passing through this MRF, if a rejected shortcode was set and the emoji did not exist already on the instance, to fail federating, as an exception was raised, swiftly caught and mostly silenced. * This commit fixes the issue by introducing new behavior: strings are now handled as perfect matches for an emoji shortcode (meaning that if the emoji-to-be-pulled's shortcode is in the blacklist, it will be rejected), while still supporting Regex types as before. 2022-05-18 19:25:10 +00:00			`test "reject string shortcode", %{message: message} do`
			`refute "firedfox" in installed()`

			`clear_config(:mrf_steal_emoji,`
			`hosts: ["example.org"],`
			`size_limit: 284_468,`
			`rejected_shortcodes: ["firedfox"]`
			`)`

			`assert {:ok, _message} = StealEmojiPolicy.filter(message)`

			`refute "firedfox" in installed()`
			`end`

insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`test "reject if size is above the limit", %{message: message} do`
			`refute "firedfox" in installed()`

StealEmojiPolicyTest: Make mocks explicit. 2021-11-14 10:44:24 +00:00			`Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox.png"} ->`
StealEmoji: use Content-Type and reject non-images E.g. *key’s emoji URLs typically don’t have file extensions, but until now we just slapped ".png" at its end hoping for the best. Furthermore, this gives us a chance to actually reject non-images, which before was not feasible exatly due to those extension-less URLs 2024-03-07 22:35:05 +00:00			`%Tesla.Env{`
			`status: 200,`
			`body: File.read!("test/fixtures/image.jpg"),`
			`url: "https://example.org/emoji/firedfox.png"`
			`}`
StealEmojiPolicyTest: Make mocks explicit. 2021-11-14 10:44:24 +00:00			`end)`

insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 50_000)`

			`assert {:ok, _message} = StealEmojiPolicy.filter(message)`

			`refute "firedfox" in installed()`
			`end`

			`test "reject if host returns error", %{message: message} do`
			`refute "firedfox" in installed()`

			`Tesla.Mock.mock(fn %{method: :get, url: "https://example.org/emoji/firedfox.png"} ->`
StealEmoji: use Content-Type and reject non-images E.g. *key’s emoji URLs typically don’t have file extensions, but until now we just slapped ".png" at its end hoping for the best. Furthermore, this gives us a chance to actually reject non-images, which before was not feasible exatly due to those extension-less URLs 2024-03-07 22:35:05 +00:00			`{:ok,`
			`%Tesla.Env{status: 404, body: "Not found", url: "https://example.org/emoji/firedfox.png"}}`
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00			`end)`

			`clear_config(:mrf_steal_emoji, hosts: ["example.org"], size_limit: 284_468)`

			`ExUnit.CaptureLog.capture_log(fn ->`
			`assert {:ok, _message} = StealEmojiPolicy.filter(message)`
			`end) =~ "MRF.StealEmojiPolicy: Failed to fetch https://example.org/emoji/firedfox.png"`

			`refute "firedfox" in installed()`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00			`end`
insreasing test coverage for StealEmojiPolicy 2020-12-25 08:30:36 +00:00
			`defp installed, do: Emoji.get_all() \|> Enum.map(fn {k, _} -> k end)`
MRF.StealEmojiPolicy: New Policy Inspired by https://git.pleroma.social/moonman/emoji-stealer-mrf/-/blob/master/steal_emoji_policy.ex 2020-04-14 16:59:04 +00:00			`end`