Add extra warnings if the uploader is on the same domain as the main application

2024-04-02 10:20:59 +01:00 · 2024-04-02 10:20:59 +01:00 · 4cd299bd83
parent 2d439034ca
commit 4cd299bd83
2 changed files with 56 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -39,6 +39,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - our litepub JSON-LD schema is now served with the correct content type
 - remote APNG attachments are now recognised as images

+## Upgrade Notes
+
+- As mentioned in "Changed", `Pleroma.Upload, :base_url` **MUST** be configured. Uploads will fail without it.
+- Same with media proxy.
+
 ## 2024.02

 ## Added
--- a/lib/pleroma/config/deprecation_warnings.ex
+++ b/lib/pleroma/config/deprecation_warnings.ex
@ -182,7 +182,9 @@ defmodule Pleroma.Config.DeprecationWarnings do
      check_quarantined_instances_tuples(),
      check_transparency_exclusions_tuples(),
      check_simple_policy_tuples(),
-      check_http_adapter()
+      check_http_adapter(),
+      check_uploader_base_url_set(),
+      check_uploader_base_url_is_not_base_domain()
    ]
    |> Enum.reduce(:ok, fn
      :ok, :ok -> :ok
@ -337,4 +339,52 @@ defmodule Pleroma.Config.DeprecationWarnings do
      :ok
    end
  end
+
+  def check_uploader_base_url_set() do
+    base_url = Pleroma.Config.get([Pleroma.Upload, :base_url])
+
+    if base_url do
+      :ok
+    else
+      Logger.error("""
+      !!!WARNING!!!
+      Your config does not specify a base_url for uploads!
+      Please make the following change:\n
+      \n* `config :pleroma, Pleroma.Upload, base_url: "https://example.com/media/`
+      \n
+      \nPlease note that it is HEAVILY recommended to use a subdomain to host user-uploaded media! 
+      """)
+
+      :error
+    end
+  end
+
+  def check_uploader_base_url_is_not_base_domain() do
+    uploader_host =
+      [Pleroma.Upload, :base_url]
+      |> Pleroma.Config.get()
+      |> URI.parse()
+      |> Map.get(:host)
+
+    akkoma_host =
+      [Pleroma.Web.Endpoint, :url]
+      |> Pleroma.Config.get()
+      |> IO.inspect()
+      |> Keyword.get(:host)
+
+    if uploader_host == akkoma_host do
+      Logger.error("""
+      !!!WARNING!!!
+      Your Akkoma Host and your Upload base_url's host are the same!
+      This can potentially be insecure!
+
+      It is HIGHLY recommended that you migrate your media uploads
+      to a subdomain at your earliest convenience
+      """)
+
+      :error
+    else
+      :ok
+    end
+  end
 end