distraction.party/test/pleroma/web/metadata/providers/open_graph_test.exs
Floatingghost 05f8179d08 check if data is visible before embedding it in OG tags
previously we would uncritically take data and format it into
tags for static-fe and the like - however, instances can be
configured to disallow unauthenticated access to these resources.

this means that OG tags as a vector for information leakage.

_technically_ this should only occur if you have both
restrict_unauthenticated *AND* you run static-fe, which makes no
sense since static-fe is for unauthenticated people in particular,
but hey ho.
2024-04-12 05:16:47 +01:00

213 lines
7.1 KiB
Elixir

# Pleroma: A lightweight social networking server
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Metadata.Providers.OpenGraphTest do
use Pleroma.DataCase, async: false
import Pleroma.Factory
alias Pleroma.Web.Metadata.Providers.OpenGraph
setup do: clear_config([Pleroma.Web.Metadata, :unfurl_nsfw])
setup do: clear_config([Pleroma.Upload, :uploader], Pleroma.Uploaders.Local)
setup do: clear_config([:restrict_unauthenticated, :profiles, :local])
setup do: clear_config([:restrict_unauthenticated, :activities, :local])
test "it renders all supported types of attachments and skips unknown types" do
user = insert(:user)
note =
insert(:note, %{
data: %{
"actor" => user.ap_id,
"tag" => [],
"id" => "https://pleroma.gov/objects/whatever",
"content" => "pleroma in a nutshell",
"attachment" => [
%{
"url" => [
%{
"mediaType" => "image/png",
"href" => "https://pleroma.gov/tenshi.png",
"height" => 1024,
"width" => 1280
}
]
},
%{
"url" => [
%{
"mediaType" => "application/octet-stream",
"href" => "https://pleroma.gov/fqa/badapple.sfc"
}
]
},
%{
"url" => [
%{
"mediaType" => "video/webm",
"href" => "https://pleroma.gov/about/juche.webm",
"height" => 600,
"width" => 800
}
]
},
%{
"url" => [
%{
"mediaType" => "audio/basic",
"href" => "http://www.gnu.org/music/free-software-song.au"
}
]
}
]
}
})
result = OpenGraph.build_tags(%{object: note, url: note.data["id"], user: user})
assert Enum.all?(
[
{:meta, [property: "og:image", content: "https://pleroma.gov/tenshi.png"], []},
{:meta, [property: "og:image:width", content: "1280"], []},
{:meta, [property: "og:image:height", content: "1024"], []},
{:meta,
[property: "og:audio", content: "http://www.gnu.org/music/free-software-song.au"],
[]},
{:meta, [property: "og:video", content: "https://pleroma.gov/about/juche.webm"],
[]},
{:meta, [property: "og:video:width", content: "800"], []},
{:meta, [property: "og:video:height", content: "600"], []}
],
fn element -> element in result end
)
end
test "it does not render attachments if post is nsfw" do
clear_config([Pleroma.Web.Metadata, :unfurl_nsfw], false)
user = insert(:user, avatar: %{"url" => [%{"href" => "https://pleroma.gov/tenshi.png"}]})
note =
insert(:note, %{
data: %{
"actor" => user.ap_id,
"id" => "https://pleroma.gov/objects/whatever",
"content" => "#cuteposting #nsfw #hambaga",
"tag" => ["cuteposting", "nsfw", "hambaga"],
"sensitive" => true,
"attachment" => [
%{
"url" => [
%{"mediaType" => "image/png", "href" => "https://misskey.microsoft/corndog.png"}
]
}
]
}
})
result = OpenGraph.build_tags(%{object: note, url: note.data["id"], user: user})
assert {:meta, [property: "og:image", content: "https://pleroma.gov/tenshi.png"], []} in result
refute {:meta, [property: "og:image", content: "https://misskey.microsoft/corndog.png"], []} in result
end
test "video attachments have image thumbnail with WxH metadata with Preview Proxy enabled" do
clear_config([:media_proxy, :enabled], true)
clear_config([:media_preview_proxy, :enabled], true)
user = insert(:user)
note =
insert(:note, %{
data: %{
"actor" => user.ap_id,
"id" => "https://pleroma.gov/objects/whatever",
"content" => "test video post",
"sensitive" => false,
"attachment" => [
%{
"url" => [
%{
"mediaType" => "video/webm",
"href" => "https://pleroma.gov/about/juche.webm",
"height" => 600,
"width" => 800
}
]
}
]
}
})
result = OpenGraph.build_tags(%{object: note, url: note.data["id"], user: user})
assert {:meta, [property: "og:image:width", content: "800"], []} in result
assert {:meta, [property: "og:image:height", content: "600"], []} in result
assert {:meta,
[
property: "og:image",
content:
"http://localhost:4001/proxy/preview/LzAnlke-l5oZbNzWsrHfprX1rGw/aHR0cHM6Ly9wbGVyb21hLmdvdi9hYm91dC9qdWNoZS53ZWJt/juche.webm"
], []} in result
end
test "video attachments have no image thumbnail with Preview Proxy disabled" do
clear_config([:media_proxy, :enabled], true)
clear_config([:media_preview_proxy, :enabled], false)
user = insert(:user)
note =
insert(:note, %{
data: %{
"actor" => user.ap_id,
"id" => "https://pleroma.gov/objects/whatever",
"content" => "test video post",
"sensitive" => false,
"attachment" => [
%{
"url" => [
%{
"mediaType" => "video/webm",
"href" => "https://pleroma.gov/about/juche.webm",
"height" => 600,
"width" => 800
}
]
}
]
}
})
result = OpenGraph.build_tags(%{object: note, url: note.data["id"], user: user})
refute {:meta, [property: "og:image:width", content: "800"], []} in result
refute {:meta, [property: "og:image:height", content: "600"], []} in result
refute {:meta,
[
property: "og:image",
content:
"http://localhost:4001/proxy/preview/LzAnlke-l5oZbNzWsrHfprX1rGw/aHR0cHM6Ly9wbGVyb21hLmdvdi9hYm91dC9qdWNoZS53ZWJt/juche.webm"
], []} in result
end
test "it does not render users if profiles are marked as restricted" do
clear_config([:restrict_unauthenticated, :profiles, :local], true)
user = insert(:user)
result = OpenGraph.build_tags(%{user: user})
assert Enum.empty?(result)
end
test "it does not activities users if they are marked as restricted" do
clear_config([:restrict_unauthenticated, :activities, :local], true)
user = insert(:user)
note = insert(:note, data: %{"actor" => user.ap_id})
result = OpenGraph.build_tags(%{object: note, url: note.data["id"], user: user})
assert {:meta, [property: "og:description", content: "Content cannot be displayed."], []} in result
end
end