akkoma/test/pleroma/web
Oneric 066d5b48ed Fix Content-Type sanitisation for emoji and local uploads
This was accidentally broken in c8e0f7848b
due to a one-letter mistake in the plug option name and an absence of
tests. Therefore it was once again possible to serve e.g. Javascript or
CSS payloads via uploads and emoji.
However due to other protections it was still NOT possible for anyone to
serve any payload with an ActivityPub Content-Type. With the CSP policy
hardening from previous JS payload exploits predating the Content-Type
sanitisation, there is currently no known way of abusing this weakened
Content-Type sanitisation, but it should be fixed regardless.

This commit fixes the option name and adds tests to ensure
such a regression doesn't occur again in the future.

Reported-by: Lain Soykaf <lain@lain.com>
2025-03-10 19:45:26 +01:00
activity_pub bump version 2025-03-01 16:36:04 +00:00
admin_api Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
akkoma_api Fix OpenAPI spec for preferred_frontend endpoint 2024-02-03 14:27:45 +01:00
api_spec Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
auth Support elixir1.15 2023-08-03 17:44:09 +01:00
common_api Don't try to handle non-media objects as media 2024-05-22 20:30:23 +02:00
feed Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
mastodon_api stats: use cheaper peers query 2025-01-07 20:27:28 +01:00
media_proxy Tag Mock-tests as "mocked" and run them separately 2023-08-04 12:50:50 +01:00
metadata check if data is visible before embedding it in OG tags 2024-04-12 05:16:47 +01:00
o_auth update tests for oauth consumer 2023-12-17 21:48:19 +00:00
o_status Support elixir1.15 2023-08-03 17:44:09 +01:00
pleroma_api Always insert Dedupe upload filter 2024-03-18 22:33:10 -01:00
plugs Fix about a million tests 2024-10-26 05:05:48 +01:00
preload/providers Remove precompiled javascript (#55) 2022-07-08 13:03:18 +00:00
push Hide logs during test unless a test fails 2024-06-27 18:29:45 +02:00
rich_media cosmetic/rich_media/parser: fix typo 2025-02-14 22:10:25 +01:00
static_fe Add tests for static-fe metadata tags 2024-02-21 00:33:32 +00:00
twitter_api Don't spam logs about deleted users 2025-01-07 20:27:28 +01:00
views Support elixir1.15 2023-08-03 17:44:09 +01:00
web_finger WebFingerControllerTest: Restore host after test. 2024-05-22 19:27:51 +01:00
common_api_test.exs Purge obsolete ap_enabled indicator 2025-01-07 20:27:26 +01:00
content_type_sanitisation_test.exs Fix Content-Type sanitisation for emoji and local uploads 2025-03-10 19:45:26 +01:00
embed_controller_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
fallback_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
federator_test.exs Don’t reattempt insertion of already known objects 2025-01-07 20:27:27 +01:00
gettext_test.exs Fix incorrect fallback when English is set to first language 2022-06-29 20:47:10 +01:00
manifest_controller_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
masto_fe_controller_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
media_proxy_test.exs Only proxy HTTP and HTTP urls via Media Proxy 2024-12-16 20:35:12 -06:00
mongoose_im_controller_test.exs Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
node_info_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
rel_me_test.exs Add more information about failed verifications 2023-03-10 03:51:24 +00:00
router_test.exs add a snapshot test for api prefixes 2025-02-23 16:51:48 +00:00
streamer_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
uploader_controller_test.exs Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
web_finger_test.exs Hide logs during test unless a test fails 2024-06-27 18:29:45 +02:00
xml_test.exs Add XML matcher 2023-08-07 11:12:14 +01:00