distraction.party/test/pleroma/web
Oneric 0ec62acb9d Always insert Dedupe upload filter
This actually was already intended before to eradicate all future
path-traversal-style exploits and to fix issues with some
characters like akkoma#610 in 0b2ec0ccee. However, Dedupe and
AnonymizeFilename got mixed up. The latter only anonymises the name
in Content-Disposition headers GET parameters (with link_name),
_not_ the upload path.

Even without Dedupe, the upload path is prefixed by an UUID,
so it _should_ already be hard to guess for attackers. But now
we actually can be sure no path shenanigans occur, uploads
reliably work and save some disk space.

While this makes the final path predictable, this prediction is
not exploitable. Insertion of a back-reference to the upload
itself requires pulling off a successful preimage attack against
SHA-256, which is deemed infeasible for the foreseeable future.

Dedupe was already included in the default list in config.exs
since 28cfb2c37a, but this will get overridden by whatever the
config generated by the "pleroma.instance gen" task chose.

Upload+delete tests running in parallel using Dedupe might be flaky, but
this was already true before and needs its own commit to fix eventually.
2024-03-18 22:33:10 -01:00
..
activity_pub Always insert Dedupe upload filter 2024-03-18 22:33:10 -01:00
admin_api Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
akkoma_api Fix OpenAPI spec for preferred_frontend endpoint 2024-02-03 14:27:45 +01:00
api_spec Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
auth Support elixir1.15 2023-08-03 17:44:09 +01:00
common_api Use actual ISO8601 timestamps for masto API (#425) 2023-01-09 22:12:28 +00:00
feed Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
mastodon_api Merge pull request 'Return last_status_at as date, not datetime' (#681) from katafrakt/akkoma:fix-last-status-at into develop 2024-02-17 11:37:19 +00:00
media_proxy Tag Mock-tests as "mocked" and run them separately 2023-08-04 12:50:50 +01:00
metadata Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
o_auth update tests for oauth consumer 2023-12-17 21:48:19 +00:00
o_status Support elixir1.15 2023-08-03 17:44:09 +01:00
pleroma_api Always insert Dedupe upload filter 2024-03-18 22:33:10 -01:00
plugs Tag Mock-tests as "mocked" and run them separately 2023-08-04 12:50:50 +01:00
preload/providers Remove precompiled javascript (#55) 2022-07-08 13:03:18 +00:00
push Support elixir1.15 2023-08-03 17:44:09 +01:00
rich_media Support elixir1.15 2023-08-03 17:44:09 +01:00
static_fe Add tests for static-fe metadata tags 2024-02-21 00:33:32 +00:00
twitter_api Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
views Support elixir1.15 2023-08-03 17:44:09 +01:00
web_finger Fix signature checking 2023-08-07 16:17:17 +01:00
common_api_test.exs Add ability to auto-approve followbacks 2024-02-13 15:42:37 +01:00
embed_controller_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
fallback_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
federator_test.exs Tag Mock-tests as "mocked" and run them separately 2023-08-04 12:50:50 +01:00
gettext_test.exs Fix incorrect fallback when English is set to first language 2022-06-29 20:47:10 +01:00
manifest_controller_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
masto_fe_controller_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
media_proxy_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
mongoose_im_controller_test.exs Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
node_info_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
rel_me_test.exs Add more information about failed verifications 2023-03-10 03:51:24 +00:00
streamer_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
uploader_controller_test.exs Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
web_finger_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
xml_test.exs Add XML matcher 2023-08-07 11:12:14 +01:00