Merge pull request 'mediaproxy: proxy network-path references' (#903) from Oneric/akkoma:mediaproxy_networkpathref into develop

Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/903

lib/pleroma/web/media_proxy.ex

@@ -40,6 +40,7 @@ def put_in_banned_urls(url) when is_binary(url) do
   end
 
   def url(url) when is_nil(url) or url == "", do: nil
+  def url("//" <> _ = url), do: url("https:" <> url)
   def url("/" <> _ = url), do: url
 
   def url(url) do
@@ -55,7 +56,10 @@ def url_proxiable?(url) do
     not local?(url) and not whitelisted?(url) and not blocked?(url) and http_scheme?(url)
   end
 
-  def preview_url(url, preview_params \\ []) do
+  def preview_url(url, preview_params \\ [])
+  def preview_url("//" <> _ = url, pparams), do: preview_url("https:" <> url, pparams)
+
+  def preview_url(url, preview_params) do
     if preview_enabled?() and url_proxiable?(url) do
       encode_preview_url(url, preview_params)
     else

priv/scrubbers/media_proxy.ex

@@ -13,6 +13,10 @@ def scrub_attribute(:img, {"src", "http" <> target}) do
     {"src", media_url}
   end
 
+  def scrub_attribute(:img, {"src", "//" <> target}) do
+    scrub_attribute(:img, {"src", "https://" <> target})
+  end
+
   def scrub_attribute(_tag, attribute), do: attribute
 
   def scrub({:img, attributes, children}) do

test/pleroma/web/mastodon_api/views/status_view_test.exs

@@ -509,6 +509,44 @@ test "create mentions from the 'to' field" do
     assert mention.url == recipient_ap_id
   end
 
+  test "inlined images are media proxied" do
+    clear_config([:media_proxy, :enabled], true)
+    user = insert(:user)
+
+    {:ok, activity} =
+      CommonAPI.post(user, %{
+        content_type: "text/html",
+        status: "hii <img src=\"https://example.org/a.png\" />"
+      })
+
+    activity = Repo.get(Activity, activity.id)
+    status = StatusView.render("show.json", activity: activity)
+
+    assert_schema(status, "Status", Pleroma.Web.ApiSpec.spec())
+
+    assert status[:content] =~
+             ~r/^hii <img src="https?:\/\/[^\/]+\/proxy\/[^\/]+\/aHR0cHM6Ly9leGFtcGxlLm9yZy9hLnBuZw\/a.png"/
+  end
+
+  test "inlined images using network-path ref are media proxied" do
+    clear_config([:media_proxy, :enabled], true)
+    user = insert(:user)
+
+    {:ok, activity} =
+      CommonAPI.post(user, %{
+        content_type: "text/html",
+        status: "hii <img src=\"//example.org/a.png\" />"
+      })
+
+    activity = Repo.get(Activity, activity.id)
+    status = StatusView.render("show.json", activity: activity)
+
+    assert_schema(status, "Status", Pleroma.Web.ApiSpec.spec())
+
+    assert status[:content] =~
+             ~r/^hii <img src="https?:\/\/[^\/]+\/proxy\/[^\/]+\/aHR0cHM6Ly9leGFtcGxlLm9yZy9hLnBuZw\/a.png"/
+  end
+
   test "create mentions from the 'tag' field" do
     recipient = insert(:user)
     cc = insert_pair(:user) |> Enum.map(& &1.ap_id)

test/pleroma/web/media_proxy_test.exs

@@ -55,6 +55,20 @@ test "encodes and decodes URL" do
       assert decode_result(encoded) == url
     end
 
+    test "encodes and decodes a network-path reference URL as HTTPS" do
+      url = "//example.org/static/logo.png"
+      encoded = MediaProxy.url(url)
+
+      assert String.starts_with?(
+               encoded,
+               Config.get([:media_proxy, :base_url], Pleroma.Web.Endpoint.url())
+             )
+
+      assert String.ends_with?(encoded, "/logo.png")
+
+      assert decode_result(encoded) == "https:" <> url
+    end
+
     test "encodes and decodes URL without a path" do
       url = "https://pleroma.soykaf.com"
       encoded = MediaProxy.url(url)