Commit graph

57 commits

Author SHA1 Message Date
Oneric be5440c5e8 mrf/steal_emoji: fix size limit check
Headers are strings, but this expected to already get an int
thus always failing the comparison if the header was set.

Fixes mistake in d6d838cbe8
2024-06-05 20:11:53 +02:00
floatingghost 8e60177466 Merge pull request 'MRF.InlineQuotePolicy: Add link to post URL, not ID' (#733) from erincandescent/akkoma:quote-url into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/733
2024-04-12 17:02:52 +00:00
Erin Shepherd 75d9e2b375 MRF.InlineQuotePolicy: Add link to post URL, not ID
"id" is used for the canonical link to the AS2 representation of an object.
"url" is typically used for the canonical link to the HTTP representation.
It is what we use, for example, when following the "external source" link
in the frontend. However, it's not the link we include in the post contents
for quote posts.

Using URL instead means we include a more user-friendly URL for Mastodon,
and a working (in the browser) URL for Threads
2024-04-12 13:23:50 +02:00
FloatingGhost 9c53a3390e Ensure we have the emoji base path 2024-04-02 14:12:03 +01:00
Oneric d6d838cbe8 StealEmoji: check remote size before downloading
To save on bandwith and avoid OOMs with large files.
Ofc, this relies on the remote server
 (a) sending a content-length header and
 (b) being honest about the size.

Common fedi servers seem to provide the header and (b) at least raises
the required privilege of an malicious actor to a server infrastructure
admin of an explicitly allowed host.

A more complete defense which still works when faced with
a malicious server requires changes in upstream Finch;
see https://github.com/sneako/finch/issues/224
2024-03-18 22:33:10 -01:00
Oneric 6d003e1acd test/steal_emoji: consolidate configuration setup 2024-03-18 22:33:10 -01:00
Oneric d1ce5fd911 test/steal_emoji: reduce code duplication with mock macro 2024-03-18 22:33:10 -01:00
Oneric ee5ce87825 test: use pack functions to check for emoji
The hardocded path and filenames assumptions
will be broken with the next commit.
2024-03-18 22:33:10 -01:00
Oneric a8c6c780b4 StealEmoji: use Content-Type and reject non-images
E.g. *key’s emoji URLs typically don’t have file extensions, but
until now we just slapped ".png" at its end hoping for the best.

Furthermore, this gives us a chance to actually reject non-images,
which before was not feasible exatly due to those extension-less URLs
2024-03-18 22:33:10 -01:00
Haelwenn (lanodan) Monnier 7d94476dd6 StealEmojiPolicy: Sanitize shortcodes
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3245
2024-02-20 11:19:00 +01:00
Oneric e99e2407f3 Add background_removal to SimplePolicy MRF 2024-02-16 16:36:45 +01:00
Oneric e47c50666d Fix obfuscation of short domains
Fixes https://akkoma.dev/AkkomaGang/akkoma/issues/645
2024-02-02 14:50:13 +00:00
FloatingGhost 64e233ca20 Tag Mock-tests as "mocked" and run them seperately 2023-08-04 12:50:50 +01:00
FloatingGhost 98cb255d12 Support elixir1.15
OTP builds to 1.15

Changelog entry

Ensure policies are fully loaded

Fix :warn

use main branch for linkify

Fix warn in tests

Migrations for phoenix 1.17

Revert "Migrations for phoenix 1.17"

This reverts commit 6a3b2f15b7.

Oban upgrade

Add default empty whitelist

mix format

limit test to amd64

OTP 26 tests for 1.15

use OTP_VERSION tag

baka

just 1.15

Massive deps update

Update locale, deps

Mix format

shell????

multiline???

?

max cases 1

use assert_recieve

don't put_env in async tests

don't async conn/fs tests

mix format

FIx some uploader issues

Fix tests
2023-08-03 17:44:09 +01:00
FloatingGhost 8c208f751d Fix filtering out incorrect addresses 2023-05-23 13:46:25 +01:00
FloatingGhost 037f881187 Fix create processing in direct message disabled 2023-05-23 13:16:20 +01:00
FloatingGhost d310f99d6a Add MRFs for direct message manipulation 2023-05-22 23:53:44 +01:00
FloatingGhost 9db4c2429f Remove FollowBotPolicy 2022-12-09 19:59:27 +00:00
FloatingGhost 6f83ae27aa extend reject MRF to check if originating instance is blocked 2022-12-09 19:57:29 +00:00
ilja 1f863f0a36 Fix MRF policies to also work with Update
Objects who got updated would just pass through several of the MRF policies, undoing moderation in some situations.
In the relevant cases we now check not only for Create activities, but also Update activities.

I checked which ones checked explicitly on type Create using `grep '"type" => "Create"' lib/pleroma/web/activity_pub/mrf/*`.

The following from that list have not been changed:
* lib/pleroma/web/activity_pub/mrf/follow_bot_policy.ex
    * Not relevant for moderation
* lib/pleroma/web/activity_pub/mrf/keyword_policy.ex
    * Already had a test for Update
* lib/pleroma/web/activity_pub/mrf/object_age_policy.ex
    * In practice only relevant when fetching old objects (e.g. through Like or Announce). These are always wrapped in a Create.
* lib/pleroma/web/activity_pub/mrf/reject_non_public.ex
    * We don't allow changing scope with Update, so not relevant here
2022-12-08 23:22:05 +01:00
ilja ce517ff4e5 Fix tagpolicy to also work with Update
Objects who got updated would just pass the TagPolicy, undoing the moderation that was set in place for the Actor.
Now we check not only for Create activities, but also Update activities.
2022-12-08 21:53:42 +01:00
FloatingGhost 5bb95256ee weirdly no, images should not have classes 2022-11-26 21:15:10 +00:00
FloatingGhost c379618b34 Add tests, changelog entry 2022-11-26 20:52:49 +00:00
FloatingGhost 7bbaa8f8e0 automatically trim loading *. prefixes on domain blocks 2022-11-07 22:33:18 +00:00
floatingghost 31ad09010e Fix regex usage in MRF (#254)
fixes #235
fixes #228

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/254
2022-11-06 23:50:32 +00:00
floatingghost 2641dcdd15 Post editing (#202)
Rebased from #103

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/202
2022-09-06 19:24:02 +00:00
FloatingGhost 85137f591f Add ability to obfuscate domains in MRF transparency 2022-08-27 11:57:57 +01:00
floatingghost 1419eee5df Quote posting (#113)
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/113
2022-07-25 16:30:06 +00:00
FloatingGhost 0f132b802d purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
Hélène 8f140deb8f StealEmojiPolicy: fix String rejected_shortcodes
* rejected_shortcodes is defined as a list of strings in the
  configuration description. As such, database-based configuration was
  led to handle those settings as strings, and not as the actually
  expected type, Regex.
* This caused each message passing through this MRF, if a rejected
  shortcode was set and the emoji did not exist already on the instance,
  to fail federating, as an exception was raised, swiftly caught and
  mostly silenced.
* This commit fixes the issue by introducing new behavior: strings are
  now handled as perfect matches for an emoji shortcode (meaning that if
  the emoji-to-be-pulled's shortcode is in the blacklist, it will be
  rejected), while still supporting Regex types as before.
2022-06-29 20:47:45 +01:00
Ilja 661d0ba481 Also use actor_type to determine if an account is a bot in antiFollowbotPolicy 2022-06-29 20:47:44 +01:00
FloatingGhost af1bd3af59 mix format 2022-06-14 17:43:45 +01:00
FloatingGhost 6e1d9c63da allow %{source} dict in no_empty 2022-06-14 17:41:25 +01:00
Lain Soykaf 2dea4a8c04 StealEmojiPolicyTest: Make mocks explicit. 2021-11-14 11:44:24 +01:00
Haelwenn (lanodan) Monnier c64eae40a2
ObjectAgePolicy: Fix pattern matching on published 2021-08-10 07:41:06 +02:00
Ilja 4ba0beb60c
Make mrfSimple work with tuples
* Changed SimplePolicy
* I also grepped in test/ for ':mrf_simple' to see what other things could be affected
2021-08-06 07:58:58 +02:00
Alex Gleason f2134e605b
Merge remote-tracking branch 'pleroma/develop' into cycles-base-url 2021-05-31 16:49:46 -05:00
Alex Gleason 51a9f97e87
Deprecate Pleroma.Web.base_url/0
Use Pleroma.Web.Endpoint.url/0 directly instead. Reduces compiler cycles.
2021-05-31 16:48:03 -05:00
Alex Gleason 926a233cc4
Merge remote-tracking branch 'upstream/develop' into simplepolicy-announce-leak 2021-04-30 14:21:17 -05:00
Alex Gleason c16c7fdb87
SimplePolicy: filter string Objects 2021-04-30 14:20:54 -05:00
Alex Gleason 3d742c3c1a
SimplePolicy: filter nested objects 2021-04-30 14:20:37 -05:00
Mark Felder 16a7ffb1ea Fix function calls due to module name change 2021-03-30 11:10:44 -05:00
Mark Felder bfcdcd4f69 Temp file leaked, oops 2021-03-30 11:10:44 -05:00
Mark Felder 03f38ac4eb Prefer FollowBot naming convention vs Followbot 2021-03-30 11:10:44 -05:00
Mark Felder fef4f3772c More tests to validate Followbot is behaving 2021-03-30 11:10:44 -05:00
Mark Felder f73d166785 Only need to validate a follow request is generated for now 2021-03-30 11:10:44 -05:00
Haelwenn (lanodan) Monnier 3bc7d12271
Remove sensitive-property setting #nsfw, create HashtagPolicy 2021-02-27 21:26:17 +01:00
Mark Felder 55a13fc360 MRF NoEmptyPolicy: Deny posts from local users if there is no content or only mentions.
Helps prevent accidental button mashes from submitting incomplete posts
2021-02-08 15:32:47 -06:00
Mark Felder e854c35e65 Convert tests to all use clear_config instead of Pleroma.Config.put 2021-01-26 11:58:43 -06:00
Haelwenn (lanodan) Monnier c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00