itepechi/akkoma
1
0
Fork 0
Code Issues Pull requests Releases Activity
akkoma/test/pleroma
History
Oneric 066d5b48ed Fix Content-Type sanitisation for emoji and local uploads 
This was accidentally broken in c8e0f7848b
due to a one-letter mistake in the plug option name and an absence of
tests. Therefore it was once again possible to serve e.g. Javascript or
CSS payloads via uploads and emoji.
However due to other protections it was still NOT possible for anyone to
serve any payload with an ActivityPub Content-Type. With the CSP policy
hardening from previous JS payload exloits predating the Content-Type
sanitisation, there is currently no known way of abusing this weakened
Content-Type sanitisation, but should be fixed regardless.

This commit fixes the option name and adds tests to ensure
such a regression doesn't occur again in the future.

Reported-by: Lain Soykaf <lain@lain.com>
2025-03-10 19:45:26 +01:00
..
activity Prune old Update activities 2024-02-17 16:57:40 +01:00
akkoma Tag Mock-tests as "mocked" and run them seperately 2023-08-04 12:50:50 +01:00
collections Only allow exact id matches 2024-03-25 14:05:05 -01:00
config Rename StripLocation to StripMetadata for temporal-proofing reasons 2024-04-16 20:37:00 +02:00
conversation fix flaky participation_test.exs 2022-10-23 12:33:31 +02:00
docs backend-i18n (#121) 2022-07-27 21:56:59 +00:00
ecto_type/activity_pub/object_validators
emails Correct email links to be absolute URLs 2023-11-02 11:49:03 +00:00
emoji allow for OTP code changes in :zip 2024-10-30 14:43:18 +00:00
http Add pool timeouts 2024-06-09 17:20:29 +01:00
instances Don't mess with the cache on metadata update 2022-11-08 10:39:01 +00:00
integration Migrate to phoenix 1.7 (#626) 2023-08-15 10:22:18 +00:00
mfa Put matchers in matchers subpackage 2023-08-06 15:53:04 +01:00
migration_helper purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
object Merge remote-tracking branch 'oneric/varfixes' into develop 2024-10-30 15:15:00 +00:00
password
repo/migrations Another keyword.equal? check 2023-08-06 16:36:18 +01:00
search Raise minimum PostgreSQL version to 12 2024-06-07 16:21:09 +02:00
translators Add MRFs for direct message manipulation 2023-05-22 23:53:44 +01:00
upload strip_metadata: skip BMP files 2024-06-27 18:29:45 +02:00
uploaders Tag Mock-tests as "mocked" and run them seperately 2023-08-04 12:50:50 +01:00
user Add tests for SigninKey module 2025-02-14 22:10:25 +01:00
web Fix Content-Type sanitisation for emoji and local uploads 2025-03-10 19:45:26 +01:00
workers Protected against counterfeit local docs being posted 2025-02-14 22:10:25 +01:00
activity_test.exs meilisearch: respect meili’s result ranking 2024-05-29 23:17:27 +00:00
announcement_read_relationship_test.exs Merge branch 'from/upstream-develop/tusooa/server-announcements' into 'develop' (#85) 2022-07-18 13:08:36 +00:00
announcement_test.exs Merge branch 'from/upstream-develop/tusooa/server-announcements' into 'develop' (#85) 2022-07-18 13:08:36 +00:00
application_requirements_test.exs Tag Mock-tests as "mocked" and run them seperately 2023-08-04 12:50:50 +01:00
bookmark_test.exs
captcha_test.exs
config_db_test.exs Remove proxy_remote vestiges 2024-06-16 01:21:52 +02:00
config_test.exs
conversation_test.exs
emoji_test.exs Fix emoji qualification (#124) 2022-07-28 12:02:36 +00:00
filter_test.exs
following_relationship_test.exs
formatter_test.exs CI: Bump lint stage to elixir-1.12 2021-10-06 08:11:05 +02:00
frontend_test.exs
hashtag_test.exs
healthcheck_test.exs Add unordered list equality matcher 2023-08-06 15:58:11 +01:00
html_test.exs Fix broken tests 2024-06-09 17:35:47 +01:00
http_test.exs Move rescue to the HTTP request itself 2024-06-04 14:30:16 +01:00
instances_test.exs Add Signed Fetch Statistics (#312) 2022-11-26 19:22:56 +00:00
iso639_test.exs add inbound language test 2023-01-11 15:42:13 +00:00
job_queue_monitor_test.exs Support elixir1.15 2023-08-03 17:44:09 +01:00
list_test.exs
marker_test.exs
mfa_test.exs argon2 password hashing (#406) 2022-12-30 02:46:58 +00:00
moderation_log_test.exs CI: Bump lint stage to elixir-1.12 2021-10-06 08:11:05 +02:00
notification_test.exs Tag Mock-tests as "mocked" and run them seperately 2023-08-04 12:50:50 +01:00
object_test.exs Always insert Dedupe upload filter 2024-03-18 22:33:10 -01:00
otp_version_test.exs
pagination_test.exs
password_test.exs argon2 password hashing (#406) 2022-12-30 02:46:58 +00:00
registration_test.exs
repo_test.exs
report_note_test.exs
reverse_proxy_test.exs Sanitise Content-Type of media proxy URLs 2024-03-18 22:33:10 -01:00
runtime_test.exs
safe_jsonb_set_test.exs
scheduled_activity_test.exs
signature_test.exs signature: refetch key upon verification failure 2025-02-21 19:37:27 +01:00
stats_test.exs
upload_test.exs Always insert Dedupe upload filter 2024-03-18 22:33:10 -01:00
user_invite_token_test.exs
user_note_test.exs Add user_note_test.exs. 2023-05-12 02:18:24 +00:00
user_relationship_test.exs Tag Mock-tests as "mocked" and run them seperately 2023-08-04 12:50:50 +01:00
user_search_test.exs mix format 2024-10-26 05:05:48 +01:00
user_test.exs signature: drop unecessary round trip over user 2025-02-14 22:10:25 +01:00
utils_test.exs extend custom runtime system (#108) 2022-07-24 16:42:43 +00:00
xml_builder_test.exs