Commit graph

53 commits

Author SHA1 Message Date
d6d838cbe8 StealEmoji: check remote size before downloading
To save on bandwith and avoid OOMs with large files.
Ofc, this relies on the remote server
 (a) sending a content-length header and
 (b) being honest about the size.

Common fedi servers seem to provide the header and (b) at least raises
the required privilege of an malicious actor to a server infrastructure
admin of an explicitly allowed host.

A more complete defense which still works when faced with
a malicious server requires changes in upstream Finch;
see https://github.com/sneako/finch/issues/224
2024-03-18 22:33:10 -01:00
6d003e1acd test/steal_emoji: consolidate configuration setup 2024-03-18 22:33:10 -01:00
d1ce5fd911 test/steal_emoji: reduce code duplication with mock macro 2024-03-18 22:33:10 -01:00
ee5ce87825 test: use pack functions to check for emoji
The hardocded path and filenames assumptions
will be broken with the next commit.
2024-03-18 22:33:10 -01:00
a8c6c780b4 StealEmoji: use Content-Type and reject non-images
E.g. *key’s emoji URLs typically don’t have file extensions, but
until now we just slapped ".png" at its end hoping for the best.

Furthermore, this gives us a chance to actually reject non-images,
which before was not feasible exatly due to those extension-less URLs
2024-03-18 22:33:10 -01:00
Haelwenn (lanodan) Monnier
7d94476dd6 StealEmojiPolicy: Sanitize shortcodes
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245
2024-02-20 11:19:00 +01:00
e99e2407f3 Add background_removal to SimplePolicy MRF 2024-02-16 16:36:45 +01:00
e47c50666d Fix obfuscation of short domains
Fixes AkkomaGang/akkoma#645
2024-02-02 14:50:13 +00:00
64e233ca20 Tag Mock-tests as "mocked" and run them seperately 2023-08-04 12:50:50 +01:00
98cb255d12 Support elixir1.15
OTP builds to 1.15

Changelog entry

Ensure policies are fully loaded

Fix :warn

use main branch for linkify

Fix warn in tests

Migrations for phoenix 1.17

Revert "Migrations for phoenix 1.17"

This reverts commit 6a3b2f15b74ea5e33150529385215b7a531f3999.

Oban upgrade

Add default empty whitelist

mix format

limit test to amd64

OTP 26 tests for 1.15

use OTP_VERSION tag

baka

just 1.15

Massive deps update

Update locale, deps

Mix format

shell????

multiline???

?

max cases 1

use assert_recieve

don't put_env in async tests

don't async conn/fs tests

mix format

FIx some uploader issues

Fix tests
2023-08-03 17:44:09 +01:00
8c208f751d Fix filtering out incorrect addresses 2023-05-23 13:46:25 +01:00
037f881187 Fix create processing in direct message disabled 2023-05-23 13:16:20 +01:00
d310f99d6a Add MRFs for direct message manipulation 2023-05-22 23:53:44 +01:00
9db4c2429f Remove FollowBotPolicy 2022-12-09 19:59:27 +00:00
6f83ae27aa extend reject MRF to check if originating instance is blocked 2022-12-09 19:57:29 +00:00
ilja
1f863f0a36 Fix MRF policies to also work with Update
Objects who got updated would just pass through several of the MRF policies, undoing moderation in some situations.
In the relevant cases we now check not only for Create activities, but also Update activities.

I checked which ones checked explicitly on type Create using `grep '"type" => "Create"' lib/pleroma/web/activity_pub/mrf/*`.

The following from that list have not been changed:
* lib/pleroma/web/activity_pub/mrf/follow_bot_policy.ex
    * Not relevant for moderation
* lib/pleroma/web/activity_pub/mrf/keyword_policy.ex
    * Already had a test for Update
* lib/pleroma/web/activity_pub/mrf/object_age_policy.ex
    * In practice only relevant when fetching old objects (e.g. through Like or Announce). These are always wrapped in a Create.
* lib/pleroma/web/activity_pub/mrf/reject_non_public.ex
    * We don't allow changing scope with Update, so not relevant here
2022-12-08 23:22:05 +01:00
ilja
ce517ff4e5 Fix tagpolicy to also work with Update
Objects who got updated would just pass the TagPolicy, undoing the moderation that was set in place for the Actor.
Now we check not only for Create activities, but also Update activities.
2022-12-08 21:53:42 +01:00
5bb95256ee weirdly no, images should not have classes 2022-11-26 21:15:10 +00:00
c379618b34 Add tests, changelog entry 2022-11-26 20:52:49 +00:00
7bbaa8f8e0 automatically trim loading *. prefixes on domain blocks 2022-11-07 22:33:18 +00:00
31ad09010e Fix regex usage in MRF (#254)
fixes #235
fixes #228

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#254
2022-11-06 23:50:32 +00:00
2641dcdd15 Post editing (#202)
Rebased from #103

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#202
2022-09-06 19:24:02 +00:00
85137f591f Add ability to obfuscate domains in MRF transparency 2022-08-27 11:57:57 +01:00
1419eee5df Quote posting (#113)
Reviewed-on: AkkomaGang/akkoma#113
2022-07-25 16:30:06 +00:00
0f132b802d purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
8f140deb8f StealEmojiPolicy: fix String rejected_shortcodes
* rejected_shortcodes is defined as a list of strings in the
  configuration description. As such, database-based configuration was
  led to handle those settings as strings, and not as the actually
  expected type, Regex.
* This caused each message passing through this MRF, if a rejected
  shortcode was set and the emoji did not exist already on the instance,
  to fail federating, as an exception was raised, swiftly caught and
  mostly silenced.
* This commit fixes the issue by introducing new behavior: strings are
  now handled as perfect matches for an emoji shortcode (meaning that if
  the emoji-to-be-pulled's shortcode is in the blacklist, it will be
  rejected), while still supporting Regex types as before.
2022-06-29 20:47:45 +01:00
Ilja
661d0ba481 Also use actor_type to determine if an account is a bot in antiFollowbotPolicy 2022-06-29 20:47:44 +01:00
af1bd3af59 mix format 2022-06-14 17:43:45 +01:00
6e1d9c63da allow %{source} dict in no_empty 2022-06-14 17:41:25 +01:00
Lain Soykaf
2dea4a8c04 StealEmojiPolicyTest: Make mocks explicit. 2021-11-14 11:44:24 +01:00
Haelwenn (lanodan) Monnier
c64eae40a2
ObjectAgePolicy: Fix pattern matching on published 2021-08-10 07:41:06 +02:00
Ilja
4ba0beb60c
Make mrfSimple work with tuples
* Changed SimplePolicy
* I also grepped in test/ for ':mrf_simple' to see what other things could be affected
2021-08-06 07:58:58 +02:00
Alex Gleason
f2134e605b
Merge remote-tracking branch 'pleroma/develop' into cycles-base-url 2021-05-31 16:49:46 -05:00
Alex Gleason
51a9f97e87
Deprecate Pleroma.Web.base_url/0
Use Pleroma.Web.Endpoint.url/0 directly instead. Reduces compiler cycles.
2021-05-31 16:48:03 -05:00
Alex Gleason
926a233cc4
Merge remote-tracking branch 'upstream/develop' into simplepolicy-announce-leak 2021-04-30 14:21:17 -05:00
Alex Gleason
c16c7fdb87
SimplePolicy: filter string Objects 2021-04-30 14:20:54 -05:00
Alex Gleason
3d742c3c1a
SimplePolicy: filter nested objects 2021-04-30 14:20:37 -05:00
16a7ffb1ea Fix function calls due to module name change 2021-03-30 11:10:44 -05:00
bfcdcd4f69 Temp file leaked, oops 2021-03-30 11:10:44 -05:00
03f38ac4eb Prefer FollowBot naming convention vs Followbot 2021-03-30 11:10:44 -05:00
fef4f3772c More tests to validate Followbot is behaving 2021-03-30 11:10:44 -05:00
f73d166785 Only need to validate a follow request is generated for now 2021-03-30 11:10:44 -05:00
Haelwenn (lanodan) Monnier
3bc7d12271
Remove sensitive-property setting #nsfw, create HashtagPolicy 2021-02-27 21:26:17 +01:00
55a13fc360 MRF NoEmptyPolicy: Deny posts from local users if there is no content or only mentions.
Helps prevent accidental button mashes from submitting incomplete posts
2021-02-08 15:32:47 -06:00
e854c35e65 Convert tests to all use clear_config instead of Pleroma.Config.put 2021-01-26 11:58:43 -06:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
Alexander Strizhakov
7bfb041658
insreasing test coverage for StealEmojiPolicy 2020-12-27 21:53:30 +03:00
lain
9ba60f70d2 Tests: Make as many tests as possible async.
In general, tests that match these criteria can be made async:

- Doesn't use real Cachex.
- Doesn't write to the Config / Application Environment.
- Uses Mock. Using Mox is fine.
- Uses the streamer.
2020-12-21 12:21:40 +01:00
Mark Felder
3283d0805f Use Jason instead of Poison in tests 2020-11-23 13:28:55 -06:00
Alexander Strizhakov
8d218ebaf5
Moving some background jobs into simple tasks
- fetching activity data
- attachment prefetching
- using limiter to prevent overload
2020-11-11 13:39:49 +03:00