mirror of
https://akkoma.dev/AkkomaGang/akkoma.git
synced 2024-12-03 02:05:24 +00:00
0ec62acb9d
This actually was already intended before to eradict all future path-traversal-style exploits and to fix issues with some characters like akkoma#610 in0b2ec0ccee
. However, Dedupe and AnonymizeFilename got mixed up. The latter only anonymises the name in Content-Disposition headers GET parameters (with link_name), _not_ the upload path. Even without Dedupe, the upload path is prefixed by an UUID, so it _should_ already be hard to guess for attackers. But now we actually can be sure no path shenanigangs occur, uploads reliably work and save some disk space. While this makes the final path predictable, this prediction is not exploitable. Insertion of a back-reference to the upload itself requires pulling off a successfull preimage attack against SHA-256, which is deemed infeasible for the foreseeable futures. Dedupe was already included in the default list in config.exs since28cfb2c37a
, but this will get overridde by whatever the config generated by the "pleroma.instance gen" task chose. Upload+delete tests running in parallel using Dedupe might be flaky, but this was already true before and needs its own commit to fix eventually.
104 lines
3.2 KiB
Elixir
104 lines
3.2 KiB
Elixir
# Pleroma: A lightweight social networking server
|
|
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
defmodule Mix.Tasks.Pleroma.InstanceTest do
|
|
# Modifies the Application Environment, has to stay synchronous.
|
|
use Pleroma.DataCase
|
|
|
|
setup do
|
|
File.mkdir_p!(tmp_path())
|
|
|
|
on_exit(fn ->
|
|
File.rm_rf(tmp_path())
|
|
static_dir = Pleroma.Config.get([:instance, :static_dir], "test/instance_static/")
|
|
|
|
if File.exists?(static_dir) do
|
|
File.rm_rf(Path.join(static_dir, "robots.txt"))
|
|
end
|
|
end)
|
|
|
|
# Is being modified by the mix task.
|
|
clear_config([:instance, :static_dir])
|
|
|
|
:ok
|
|
end
|
|
|
|
@uuid Ecto.UUID.generate()
|
|
defp tmp_path do
|
|
"/tmp/generated_files/#{@uuid}/"
|
|
end
|
|
|
|
test "running gen" do
|
|
mix_task = fn ->
|
|
Mix.Tasks.Pleroma.Instance.run([
|
|
"gen",
|
|
"--output",
|
|
tmp_path() <> "generated_config.exs",
|
|
"--output-psql",
|
|
tmp_path() <> "setup.psql",
|
|
"--domain",
|
|
"test.pleroma.social",
|
|
"--media-url",
|
|
"https://media.pleroma.social/media",
|
|
"--instance-name",
|
|
"Pleroma",
|
|
"--admin-email",
|
|
"admin@example.com",
|
|
"--notify-email",
|
|
"notify@example.com",
|
|
"--dbhost",
|
|
"dbhost",
|
|
"--dbname",
|
|
"dbname",
|
|
"--dbuser",
|
|
"dbuser",
|
|
"--dbpass",
|
|
"dbpass",
|
|
"--indexable",
|
|
"y",
|
|
"--db-configurable",
|
|
"y",
|
|
"--rum",
|
|
"y",
|
|
"--listen-port",
|
|
"4000",
|
|
"--listen-ip",
|
|
"127.0.0.1",
|
|
"--uploads-dir",
|
|
"test/uploads",
|
|
"--static-dir",
|
|
"./test/../test/instance/static/",
|
|
"--strip-uploads",
|
|
"y",
|
|
"--anonymize-uploads",
|
|
"n"
|
|
])
|
|
end
|
|
|
|
ExUnit.CaptureIO.capture_io(fn ->
|
|
mix_task.()
|
|
end)
|
|
|
|
generated_config = File.read!(tmp_path() <> "generated_config.exs")
|
|
assert generated_config =~ "host: \"test.pleroma.social\""
|
|
assert generated_config =~ "name: \"Pleroma\""
|
|
assert generated_config =~ "email: \"admin@example.com\""
|
|
assert generated_config =~ "notify_email: \"notify@example.com\""
|
|
assert generated_config =~ "hostname: \"dbhost\""
|
|
assert generated_config =~ "database: \"dbname\""
|
|
assert generated_config =~ "username: \"dbuser\""
|
|
assert generated_config =~ "password: \"dbpass\""
|
|
assert generated_config =~ "configurable_from_database: true"
|
|
assert generated_config =~ "http: [ip: {127, 0, 0, 1}, port: 4000]"
|
|
assert generated_config =~ "filters: [Pleroma.Upload.Filter.Exiftool]"
|
|
assert generated_config =~ "base_url: \"https://media.pleroma.social/media\""
|
|
assert File.read!(tmp_path() <> "setup.psql") == generated_setup_psql()
|
|
assert File.exists?(Path.expand("./test/instance/static/robots.txt"))
|
|
end
|
|
|
|
defp generated_setup_psql do
|
|
~s(CREATE USER dbuser WITH ENCRYPTED PASSWORD 'dbpass';\nCREATE DATABASE dbname OWNER dbuser;\n\\c dbname;\n--Extensions made by ecto.migrate that need superuser access\nCREATE EXTENSION IF NOT EXISTS citext;\nCREATE EXTENSION IF NOT EXISTS pg_trgm;\nCREATE EXTENSION IF NOT EXISTS \"uuid-ossp\";\nCREATE EXTENSION IF NOT EXISTS rum;\n)
|
|
end
|
|
end
|