Add OnlyMedia upload filter change to changelog

Original: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3897

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## Unreleased
+
+- Added a new configuration option to the MediaProxy feature that allows the blocking of specific domains from using the media proxy or being explicitly allowed by the Content-Security-Policy.
+  - Please make sure instances you wanted to block media from are not in the MediaProxy `whitelist`, and instead use `blocklist`.
+- `OnlyMedia` Upload Filter to simplify restricting uploads to audio, image, and video types
+
 ## 2023.05
 
 ## Added

config/config.exs

@@ -443,7 +443,8 @@
     # Note: max_read_duration defaults to Pleroma.ReverseProxy.max_read_duration_default/1
     max_read_duration: 30_000
   ],
-  whitelist: []
+  whitelist: [],
+  blocklist: []
 
 config :pleroma, Pleroma.Web.MediaProxy.Invalidation.Http,
   method: :purge,

config/description.exs

@@ -1558,7 +1558,21 @@
       %{
         key: :whitelist,
         type: {:list, :string},
-        description: "List of hosts with scheme to bypass the MediaProxy",
+        description: """
+        List of hosts with scheme to bypass the MediaProxy.\n
+        The media will be fetched by the client, directly from the remote server.\n
+        To allow this, it will Content-Security-Policy exceptions for each instance listed.\n
+        This is to be used for instances you trust and do not want to cache media for.
+        """,
+        suggestions: ["http://example.com"]
+      },
+      %{
+        key: :blocklist,
+        type: {:list, :string},
+        description: """
+        List of hosts with scheme which will not go through the MediaProxy, and will not be explicitly allowed by the Content-Security-Policy.
+        This is to be used for instances where you do not want their media to go through your server or to be accessed by clients.
+        """,
         suggestions: ["http://example.com"]
       }
     ]

docker-resources/build.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 
-docker-compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g) akkoma
-docker-compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g) db
+docker compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g) akkoma
+docker compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g) db

docker-resources/manage.sh

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-docker-compose run --rm akkoma $@
+docker compose run --rm akkoma $@

docs/docs/configuration/cheatsheet.md

@@ -615,6 +615,12 @@ This filter only strips the GPS and location metadata with Exiftool leaving colo
 
 No specific configuration.
 
+#### Pleroma.Upload.Filter.OnlyMedia
+
+This filter rejects uploads that are not identified with Content-Type matching audio/\*, image/\*, or video/\*
+
+No specific configuration.
+
 #### Pleroma.Upload.Filter.Mogrify
 
 * `args`: List of actions for the `mogrify` command like `"strip"` or `["strip", "auto-orient", {"implode", "1"}]`.

docs/docs/installation/debian_based_en.md

@@ -23,23 +23,7 @@ sudo apt full-upgrade
 sudo apt install git build-essential postgresql postgresql-contrib cmake libmagic-dev
 ```
 
-### Install Elixir and Erlang
-
-* Install Elixir and Erlang (you might need to use backports or [asdf](https://github.com/asdf-vm/asdf) on old systems):
-
-```shell
-sudo apt update
-sudo apt install elixir erlang-dev erlang-nox
-```
-
-
-### Optional packages: [`docs/installation/optional/media_graphics_packages.md`](../installation/optional/media_graphics_packages.md)
-
-```shell
-sudo apt install imagemagick ffmpeg libimage-exiftool-perl
-```
-
-### Install AkkomaBE
+### Create the akkoma user
 
 * Add a new system user for the Akkoma service:
 
@@ -49,7 +33,67 @@ sudo useradd -r -s /bin/false -m -d /var/lib/akkoma -U akkoma
 
 **Note**: To execute a single command as the Akkoma system user, use `sudo -Hu akkoma command`. You can also switch to a shell by using `sudo -Hu akkoma $SHELL`. If you don’t have and want `sudo` on your system, you can use `su` as root user (UID 0) for a single command by using `su -l akkoma -s $SHELL -c 'command'` and `su -l akkoma -s $SHELL` for starting a shell.
 
-* Git clone the AkkomaBE repository from stable-branch and make the Akkoma user the owner of the directory:
+### Install Elixir and Erlang
+
+If your distribution packages a recent enough version of Elixir, you can install it directly from the distro repositories and skip to the next section of the guide:
+
+```shell
+sudo apt install elixir erlang-dev erlang-nox
+```
+
+Otherwise use [asdf](https://github.com/asdf-vm/asdf) to install the latest versions of Elixir and Erlang.
+
+First, install some dependencies needed to build Elixir and Erlang:
+```shell
+sudo apt install curl unzip build-essential autoconf m4 libncurses5-dev libssh-dev unixodbc-dev xsltproc libxml2-utils libncurses-dev
+```
+
+Then login to the `akkoma` user and install asdf:
+```shell
+git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.11.3
+```
+
+Add the following lines to `~/.bashrc`:
+```shell
+. "$HOME/.asdf/asdf.sh"
+# asdf completions
+. "$HOME/.asdf/completions/asdf.bash"
+```
+
+Restart the shell:
+```shell
+exec $SHELL
+```
+
+Next install Erlang:
+```shell
+asdf plugin add erlang https://github.com/asdf-vm/asdf-erlang.git
+export KERL_CONFIGURE_OPTIONS="--disable-debug --without-javac"
+asdf install erlang 25.3.2.1
+asdf global erlang 25.3.2.1
+```
+
+Now install Elixir:
+```shell
+asdf plugin-add elixir https://github.com/asdf-vm/asdf-elixir.git
+asdf install elixir 1.14.5-otp-25
+asdf global elixir 1.14.5-otp-25
+```
+
+Confirm that Elixir is installed correctly by checking the version:
+```shell
+elixir --version
+```
+
+### Optional packages: [`docs/installation/optional/media_graphics_packages.md`](../installation/optional/media_graphics_packages.md)
+
+```shell
+sudo apt install imagemagick ffmpeg libimage-exiftool-perl
+```
+
+### Install AkkomaBE
+
+* Log into the `akkoma` user and clone the AkkomaBE repository from the stable branch and make the Akkoma user the owner of the directory:
 
 ```shell
 sudo mkdir -p /opt/akkoma

docs/docs/installation/docker_en.md

@@ -10,7 +10,7 @@ If you want to migrate from or OTP to docker, check out [the migration guide](./
 
 ### Prepare the system
 
-* Install docker and docker-compose
+* Install docker and docker compose
   * [Docker](https://docs.docker.com/engine/install/) 
   * [Docker-compose](https://docs.docker.com/compose/install/)
   * This will usually just be a repository installation and a package manager invocation.
@@ -26,7 +26,7 @@ echo "DOCKER_USER=$(id -u):$(id -g)" >> .env
 ```
 
 This probably won't need to be changed, it's only there to set basic environment
-variables for the docker-compose file.
+variables for the docker compose file.
 
 ### Building the container
 
@@ -65,9 +65,9 @@ cp config/generated_config.exs config/prod.secret.exs
 We need to run a few commands on the database container, this isn't too bad
 
 ```bash
-docker-compose run --rm --user akkoma -d db 
+docker compose run --rm --user akkoma -d db 
 # Note down the name it gives here, it will be something like akkoma_db_run
-docker-compose run --rm akkoma psql -h db -U akkoma -f config/setup_db.psql
+docker compose run --rm akkoma psql -h db -U akkoma -f config/setup_db.psql
 docker stop akkoma_db_run # Replace with the name you noted down
 ```
 
@@ -84,17 +84,17 @@ We're going to run it in the foreground on the first run, just to make sure
 everything start up.
 
 ```bash
-docker-compose up
+docker compose up
 ```
 
 If everything went well, you should be able to access your instance at http://localhost:4000
 
-You can `ctrl-c` out of the docker-compose now to shutdown the server.
+You can `ctrl-c` out of the docker compose now to shutdown the server.
 
 ### Running in the background
 
 ```bash
-docker-compose up -d
+docker compose up -d
 ```
 
 ### Create your first user
@@ -125,8 +125,8 @@ cp docker-resources/Caddyfile.example docker-resources/Caddyfile
 
 Then edit the TLD in your caddyfile to the domain you're serving on.
 
-Uncomment the `caddy` section in the docker-compose file,
-then run `docker-compose up -d` again.
+Uncomment the `caddy` section in the docker compose file,
+then run `docker compose up -d` again.
 
 #### Running a reverse proxy on the host
 
@@ -152,7 +152,7 @@ git pull
 ./docker-resources/manage.sh mix deps.get
 ./docker-resources/manage.sh mix compile
 ./docker-resources/manage.sh mix ecto.migrate
-docker-compose restart akkoma db
+docker compose restart akkoma db
 ```
 
 #### Further reading

docs/docs/installation/migrating_to_akkoma.md

@@ -117,4 +117,16 @@ To fix this, run:
     mix pleroma.config delete pleroma frontends
     ```
 
-which will remove the config from the database. Things should work now.
+which will remove the config from the database. Things should work now.
+
+## Migrating back to Pleroma
+
+Akkoma is a hard fork of Pleroma. As such, migrating back is not guaranteed to always work. But if you want to migrate back to Pleroma, you can always try. Just note that you may run into unexpected issues and you're basically on your own. The following are some tips that may help, but note that these are barely tested, so proceed at your own risk.
+
+First you will need to roll back the database migrations. The latest migration both Akkoma and Pleroma still have in common should be 20210416051708, so roll back to that. If you run from source, that should be
+
+```sh
+MIX_ENV=prod mix ecto.rollback --to 20210416051708
+```
+
+Then switch back to Pleroma for updates (similar to how was done to migrate to Akkoma), and remove the front-ends. The front-ends are installed in the `frontends` folder in the [static directory](../configuration/static_dir.md). Once you are back to Pleroma, you will need to run the database migrations again. See the Pleroma documentation for this.

docs/docs/installation/migrating_to_docker_en.md

@@ -10,7 +10,7 @@ You probably should, in the first instance.
 
 ### Prepare the system
 
-* Install docker and docker-compose
+* Install docker and docker compose
     * [Docker](https://docs.docker.com/engine/install/)
     * [Docker-compose](https://docs.docker.com/compose/install/)
     * This will usually just be a repository installation and a package manager invocation.
@@ -46,7 +46,7 @@ For *most* from-source installs it'll already be there.
 And the same with `uploads`, make sure your uploads (if you have them on disk) are
 located at `uploads/` in the akkoma source directory.
 
-If you have them on a different disk, you will need to mount that disk into the docker-compose file,
+If you have them on a different disk, you will need to mount that disk into the docker compose file,
 with an entry that looks like this:
 
 ```yaml
@@ -66,7 +66,7 @@ echo "DOCKER_USER=$(id -u):$(id -g)" >> .env
 ```
 
 This probably won't need to be changed, it's only there to set basic environment
-variables for the docker-compose file.
+variables for the docker compose file.
 
 === "From source"
 
@@ -126,21 +126,21 @@ mkdir pgdata
 Now we can import our database to the container.
 
 ```bash
-docker-compose run --rm --user akkoma -d db 
-docker-compose run --rm akkoma pg_restore -v -U akkoma -j $(grep -c ^processor /proc/cpuinfo) -d akkoma -h db akkoma_backup.sql
+docker compose run --rm --user akkoma -d db 
+docker compose run --rm akkoma pg_restore -v -U akkoma -j $(grep -c ^processor /proc/cpuinfo) -d akkoma -h db akkoma_backup.sql
 ```
 
 ### Reverse proxies
 
 If you're just reusing your old proxy, you may have to uncomment the line in
-the docker-compose file under `ports`. You'll find it.
+the docker compose file under `ports`. You'll find it.
 
 Otherwise, you can use the same setup as the [docker installation guide](./docker_en.md#reverse-proxies).
 
 ### Let's go
 
 ```bash
-docker-compose up -d
+docker compose up -d
 ```
 
 You should now be at the same point as you were before, but with a docker install.

installation/akkoma.service

@@ -8,6 +8,8 @@ Restart=on-failure
 
 ; Uncomment this if you're on Arch Linux
 ; Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl"
+; Uncomment if using asdf to manage Elixir and Erlang
+; Environment="PATH=/var/lib/akkoma/.asdf/shims:/var/lib/akkoma/.asdf/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
 ; Name of the user that runs the Akkoma service.
 User=akkoma
@@ -24,6 +26,8 @@ Environment="HOME=/var/lib/akkoma"
 WorkingDirectory=/opt/akkoma
 ; Path to the Mix binary.
 ExecStart=/usr/bin/mix phx.server
+; If using asdf comment the above line and uncomment the one below instead
+; ExecStart=/var/lib/akkoma/.asdf/shims/mix phx.server
 
 ; Some security directives.
 ; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.

lib/pleroma/application.ex

@@ -262,11 +262,14 @@ defp http_children do
     proxy = Pleroma.HTTP.AdapterHelper.format_proxy(proxy_url)
     pool_size = Config.get([:http, :pool_size])
 
+    :public_key.cacerts_load()
+
     config =
       [:http, :adapter]
       |> Config.get([])
       |> Pleroma.HTTP.AdapterHelper.add_pool_size(pool_size)
       |> Pleroma.HTTP.AdapterHelper.maybe_add_proxy_pool(proxy)
+      |> Pleroma.HTTP.AdapterHelper.maybe_add_cacerts(:public_key.cacerts_get())
       |> Keyword.put(:name, MyFinch)
 
     [{Finch, config}]

lib/pleroma/http/adapter_helper.ex

@@ -47,6 +47,17 @@ def maybe_add_proxy_pool(opts, proxy) do
     |> put_in([:pools, :default, :conn_opts, :proxy], proxy)
   end
 
+  def maybe_add_cacerts(opts, nil), do: opts
+
+  def maybe_add_cacerts(opts, cacerts) do
+    opts
+    |> maybe_add_pools()
+    |> maybe_add_default_pool()
+    |> maybe_add_conn_opts()
+    |> maybe_add_transport_opts()
+    |> put_in([:pools, :default, :conn_opts, :transport_opts, :cacerts], cacerts)
+  end
+
   def add_pool_size(opts, pool_size) do
     opts
     |> maybe_add_pools()
@@ -82,6 +93,16 @@ defp maybe_add_conn_opts(opts) do
     end
   end
 
+  defp maybe_add_transport_opts(opts) do
+    transport_opts = get_in(opts, [:pools, :default, :conn_opts, :transport_opts])
+
+    unless is_nil(transport_opts) do
+      opts
+    else
+      put_in(opts, [:pools, :default, :conn_opts, :transport_opts], [])
+    end
+  end
+
   @doc """
   Merge default connection & adapter options with received ones.
   """

lib/pleroma/upload/filter.ex

@@ -38,9 +38,9 @@ def filter([filter | rest], upload) do
       {:ok, :noop} ->
         filter(rest, upload)
 
-      error ->
-        Logger.error("#{__MODULE__}: Filter #{filter} failed: #{inspect(error)}")
-        error
+      {:error, e} ->
+        Logger.error("#{__MODULE__}: Filter #{filter} failed: #{inspect(e)}")
+        {:error, e}
     end
   end
 end

lib/pleroma/upload/filter/only_media.ex

@@ -0,0 +1,20 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2023 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Upload.Filter.OnlyMedia do
+  @behaviour Pleroma.Upload.Filter
+  alias Pleroma.Upload
+
+  def filter(%Upload{content_type: content_type}) do
+    [type, _subtype] = String.split(content_type, "/")
+
+    if type in ["image", "video", "audio"] do
+      {:ok, :noop}
+    else
+      {:error, "Disallowed content-type: #{content_type}"}
+    end
+  end
+
+  def filter(_), do: {:ok, :noop}
+end

lib/pleroma/web/api_spec/operations/account_operation.ex

@@ -767,7 +767,7 @@ defp array_of_relationships do
           "showing_reblogs" => true,
           "followed_by" => true,
           "blocking" => false,
-          "blocked_by" => true,
+          "blocked_by" => false,
           "muting" => false,
           "muting_notifications" => false,
           "note" => "",
@@ -783,7 +783,7 @@ defp array_of_relationships do
           "showing_reblogs" => true,
           "followed_by" => true,
           "blocking" => false,
-          "blocked_by" => true,
+          "blocked_by" => false,
           "muting" => true,
           "muting_notifications" => false,
           "note" => "",

lib/pleroma/web/api_spec/schemas/account_relationship.ex

@@ -13,7 +13,10 @@ defmodule Pleroma.Web.ApiSpec.Schemas.AccountRelationship do
     description: "Relationship between current account and requested account",
     type: :object,
     properties: %{
-      blocked_by: %Schema{type: :boolean},
+      blocked_by: %Schema{
+        type: :boolean,
+        description: "Represents being blocked by this user. Always false."
+      },
       blocking: %Schema{type: :boolean},
       domain_blocking: %Schema{type: :boolean},
       endorsed: %Schema{type: :boolean},

lib/pleroma/web/mastodon_api/views/account_view.ex

@@ -124,14 +124,7 @@ def render(
           target,
           &User.blocks_user?(&1, &2)
         ),
-      blocked_by:
-        UserRelationship.exists?(
-          user_relationships,
-          :block,
-          target,
-          reading_user,
-          &User.blocks_user?(&1, &2)
-        ),
+      blocked_by: false,
       muting:
         UserRelationship.exists?(
           user_relationships,

lib/pleroma/web/media_proxy.ex

@@ -52,7 +52,7 @@ def url(url) do
 
   @spec url_proxiable?(String.t()) :: boolean()
   def url_proxiable?(url) do
-    not local?(url) and not whitelisted?(url)
+    not local?(url) and not whitelisted?(url) and not blocked?(url)
   end
 
   def preview_url(url, preview_params \\ []) do
@@ -83,6 +83,11 @@ def whitelisted?(url) do
     domain in mediaproxy_whitelist_domains
   end
 
+  def blocked?(url) do
+    %{host: domain} = URI.parse(url)
+    domain in Config.get([:media_proxy, :whitelist])
+  end
+
   defp maybe_get_domain_from_url("http" <> _ = url) do
     URI.parse(url).host
   end

mix.exs

@@ -203,7 +203,8 @@ defp deps do
       {:excoveralls, "0.15.1", only: :test},
       {:mox, "~> 1.0", only: :test},
       {:websockex, "~> 0.4.3", only: :test},
-      {:dialyxir, "~> 1.0", only: [:dev], runtime: false}
+      {:dialyxir, "~> 1.0", only: [:dev], runtime: false},
+      {:mint, "~> 1.5.1", override: true}
     ] ++ oauth_deps()
   end
 

priv/repo/migrations/20211125110126_force_pinned_objects_to_exist.exs

@@ -1,11 +1,19 @@
 defmodule Pleroma.Repo.Migrations.ForcePinnedObjectsToExist do
   use Ecto.Migration
 
-  def change do
+  def up do
     execute("UPDATE users SET pinned_objects = '{}' WHERE pinned_objects IS NULL")
 
     alter table("users") do
       modify(:pinned_objects, :map, null: false, default: %{})
     end
   end
+
+  def down do
+    alter table("users") do
+      modify(:pinned_objects, :map, null: true, default: nil)
+    end
+
+    execute("UPDATE users SET pinned_objects = NULL WHERE pinned_objects = '{}'")
+  end
 end

priv/repo/migrations/20220108213213_add_mastofe_settings.exs

@@ -1,9 +1,15 @@
 defmodule Pleroma.Repo.Migrations.AddMastofeSettings do
   use Ecto.Migration
 
-  def change do
+  def up do
     alter table(:users) do
       add_if_not_exists(:mastofe_settings, :map)
     end
   end
+
+  def down do
+    alter table(:users) do
+      remove_if_exists(:mastofe_settings, :map)
+    end
+  end
 end

priv/repo/migrations/20220302013920_add_language_to_users.exs

@@ -1,9 +1,15 @@
 defmodule Pleroma.Repo.Migrations.AddLanguageToUsers do
   use Ecto.Migration
 
-  def change do
+  def up do
     alter table(:users) do
       add_if_not_exists(:language, :string)
     end
   end
+
+  def down do
+    alter table(:users) do
+      remove_if_exists(:language, :string)
+    end
+  end
 end

test/pleroma/upload/filter/only_media_test.exs

@@ -0,0 +1,32 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2023 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Upload.Filter.OnlyMediaTest do
+  use Pleroma.DataCase, async: true
+
+  alias Pleroma.Upload
+  alias Pleroma.Upload.Filter.OnlyMedia
+
+  test "Allows media Content-Type" do
+    ["audio/mpeg", "image/jpeg", "video/mp4"]
+    |> Enum.each(fn type ->
+      upload = %Upload{
+        content_type: type
+      }
+
+      assert {:ok, :noop} = OnlyMedia.filter(upload)
+    end)
+  end
+
+  test "Disallows non-media Content-Type" do
+    ["application/javascript", "application/pdf", "text/html"]
+    |> Enum.each(fn type ->
+      upload = %Upload{
+        content_type: type
+      }
+
+      assert {:error, _} = OnlyMedia.filter(upload)
+    end)
+  end
+end

test/pleroma/web/mastodon_api/views/account_view_test.exs

@@ -397,7 +397,22 @@ test "represent a relationship for the blocking and blocked user" do
       expected =
         Map.merge(
           @blank_response,
-          %{following: false, blocking: true, blocked_by: true, id: to_string(other_user.id)}
+          %{following: false, blocking: true, blocked_by: false, id: to_string(other_user.id)}
+        )
+
+      test_relationship_rendering(user, other_user, expected)
+    end
+
+    test "blocks are not visible to the blocked user" do
+      user = insert(:user)
+      other_user = insert(:user)
+
+      {:ok, _user_relationship} = User.block(other_user, user)
+
+      expected =
+        Map.merge(
+          @blank_response,
+          %{following: false, blocking: false, blocked_by: false, id: to_string(other_user.id)}
         )
 
       test_relationship_rendering(user, other_user, expected)

test/pleroma/web/media_proxy_test.exs

@@ -199,6 +199,15 @@ test "mediaproxy whitelist" do
       assert unencoded == url
     end
 
+    test "mediaproxy blocklist" do
+      clear_config([:media_proxy, :whitelist], ["https://google.com"])
+      clear_config([:media_proxy, :blocklist], ["https://feld.me"])
+      url = "https://feld.me/foo.png"
+
+      unencoded = MediaProxy.url(url)
+      assert unencoded == url
+    end
+
     # TODO: delete after removing support bare domains for media proxy whitelist
     test "mediaproxy whitelist bare domains whitelist (deprecated)" do
       clear_config([:media_proxy, :whitelist], ["google.com", "feld.me"])
@@ -220,6 +229,18 @@ test "does not change whitelisted urls" do
       assert String.starts_with?(encoded, media_url)
     end
 
+    test "does not change blocked urls" do
+      clear_config([:media_proxy, :whitelist], ["mycdn.akamai.com"])
+      clear_config([:media_proxy, :base_url], "https://cache.pleroma.social")
+
+      media_url = "https://mycdn.akamai.com"
+
+      url = "#{media_url}/static/logo.png"
+      encoded = MediaProxy.url(url)
+
+      assert String.starts_with?(encoded, media_url)
+    end
+
     test "ensure Pleroma.Upload base_url is always whitelisted" do
       media_url = "https://media.pleroma.social"
       clear_config([Pleroma.Upload, :base_url], media_url)

test/pleroma/web/plugs/http_security_plug_test.exs

@@ -128,6 +128,12 @@ test "with media_proxy bare domains whitelist (deprecated)", %{conn: conn} do
       clear_config([:media_proxy, :whitelist], ["example4.com", "example5.com"])
       assert_media_img_src(conn, "example5.com example4.com")
     end
+
+    test "with media_proxy blocklist", %{conn: conn} do
+      clear_config([:media_proxy, :whitelist], ["https://example6.com", "https://example7.com"])
+      clear_config([:media_proxy, :blocklist], ["https://example8.com"])
+      assert_media_img_src(conn, "https://example7.com https://example6.com")
+    end
   end
 
   defp assert_media_img_src(conn, url) do