From 4cd299bd8380241894bf4399cb9e61edd4067c2b Mon Sep 17 00:00:00 2001
From: FloatingGhost
Date: Tue, 2 Apr 2024 10:20:59 +0100
Subject: [PATCH] Add extra warnings if the uploader is on the same domain as the main application

---
 CHANGELOG.md | 5 +++
 lib/pleroma/config/deprecation_warnings.ex | 52 +++++++++++++++++++++-
 2 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3d15caf51..71b13739b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,6 +39,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - our litepub JSON-LD schema is now served with the correct content type
 - remote APNG attachments are now recognised as images

+## Upgrade Notes
+
+- As mentioned in "Changed", `Pleroma.Upload, :base_url` **MUST** be configured. Uploads will fail without it.
+- Same with media proxy.
+
 ## 2024.02

 ## Added
diff --git a/lib/pleroma/config/deprecation_warnings.ex b/lib/pleroma/config/deprecation_warnings.ex
index beb3f5e7f..3161f5907 100644
--- a/lib/pleroma/config/deprecation_warnings.ex
+++ b/lib/pleroma/config/deprecation_warnings.ex
@@ -182,7 +182,9 @@ defmodule Pleroma.Config.DeprecationWarnings do
 check_quarantined_instances_tuples(),
 check_transparency_exclusions_tuples(),
 check_simple_policy_tuples(),
- check_http_adapter()
+ check_http_adapter(),
+ check_uploader_base_url_set(),
+ check_uploader_base_url_is_not_base_domain()
 ]
 |> Enum.reduce(:ok, fn
 :ok, :ok -> :ok
@@ -337,4 +339,52 @@ defmodule Pleroma.Config.DeprecationWarnings do
 :ok
 end
 end
+
+ def check_uploader_base_url_set() do
+ base_url = Pleroma.Config.get([Pleroma.Upload, :base_url])
+
+ if base_url do
+ :ok
+ else
+ Logger.error("""
+ !!!WARNING!!!
+ Your config does not specify a base_url for uploads!
+ Please make the following change:\n
+ \n* `config :pleroma, Pleroma.Upload, base_url: "https://example.com/media/`
+ \n
+ \nPlease note that it is HEAVILY recommended to use a subdomain to host user-uploaded media!
+ """)
+
+ :error
+ end
+ end
+
+ def check_uploader_base_url_is_not_base_domain() do
+ uploader_host =
+ [Pleroma.Upload, :base_url]
+ |> Pleroma.Config.get()
+ |> URI.parse()
+ |> Map.get(:host)
+
+ akkoma_host =
+ [Pleroma.Web.Endpoint, :url]
+ |> Pleroma.Config.get()
+ |> IO.inspect()
+ |> Keyword.get(:host)
+
+ if uploader_host == akkoma_host do
+ Logger.error("""
+ !!!WARNING!!!
+ Your Akkoma Host and your Upload base_url's host are the same!
+ This can potentially be insecure!
+
+ It is HIGHLY recommended that you migrate your media uploads
+ to a subdomain at your earliest convenience
+ """)
+
+ :error
+ else
+ :ok
+ end
+ end
 end
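Review bot: `check_uploader_base_url_is_not_base_domain/0` pipes the `base_url` setting straight into `URI.parse/1`, which has no clause for `nil`, so when `base_url` is unset (the case `check_uploader_base_url_set/0` exists to report) the check raises instead of returning a result. Both checks are evaluated from the same list in the earlier hunk of this file, so the first one does not shield the second; the excerpt below guards the lookup. The `|> IO.inspect()` step in the `akkoma_host` pipeline looks like a debugging leftover that prints the endpoint `:url` config to stdout whenever the check runs, and should be deleted. In the first message the sample `base_url: "https://example.com/media/` is missing its closing quote and is not on a subdomain, which contradicts the advice printed right after it. The second message would serve operators better if it said why a shared host is risky, for example that user-uploaded files are then served from the same host as the application itself.

```elixir
def check_uploader_base_url_is_not_base_domain() do
  uploader_host =
    case Pleroma.Config.get([Pleroma.Upload, :base_url]) do
      url when is_binary(url) -> URI.parse(url).host
      # An unset base_url is already reported by check_uploader_base_url_set/0.
      _ -> nil
    end

  # … unchanged: akkoma_host lookup (minus the IO.inspect step), host comparison, warning and :error / :ok …
```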