[Embed][StoreRemoteMedia] Re-add {white,black}list check config

2021-08-18 14:15:30 +01:00 · 2021-08-18 14:15:30 +01:00 · 177801c81b
parent de444a2a5a
commit 177801c81b
2 changed files with 101 additions and 29 deletions
--- a/plugins/Embed/Embed.php
+++ b/plugins/Embed/Embed.php
@ -77,12 +77,15 @@ class Embed extends Plugin
     *  Settings which can be set in social.local.yaml
     *  WARNING, these are _regexps_ (slashes added later). Always escape your dots and end ('$') your strings
     */
+    public bool $check_whitelist   = false;
+    public bool $check_blacklist   = false;
    public array $domain_whitelist = [
-        // hostname => service provider
-        '.*' => '', // Default to allowing any host
+        // hostname
+        '.*', // Default to allowing any host
    ];
-
-    public bool $store_image = true; // Whether to maintain a copy of the original media or only a thumbnail of it
+    public array $domain_blacklist = [];
+    // Whether to maintain a copy of the original media or only a thumbnail of it
+    public bool $store_image = true;
    public ?int $thumbnail_width;
    public ?int $thumbnail_height;
    public ?int $max_size;
@ -198,28 +201,6 @@ class Embed extends Plugin
        return Event::next;
    }

-    /**
-     * @param string $url
-     *
-     * @return bool true if allowed by the lists, false otherwise
-     */
-    private function allowedLink(string $url): bool
-    {
-        return true;
-        if ($this->check_whitelist ?? false) {
-            return false;   // indicates "no check made"
-        }
-
-        $host = parse_url($url, PHP_URL_HOST);
-        foreach ($this->domain_whitelist as $regex => $provider) {
-            if (preg_match("/{$regex}/", $host)) {
-                return $provider;    // we trust this source, return provider name
-            }
-        }
-
-        return false;
-    }
-
    /**
     * This code executes when GNU social creates the page routing, and we hook
     * on this event to add our action handler for Embed.
@ -231,6 +212,7 @@ class Embed extends Plugin
     * @return bool
     *
     *
+     *
     */
    public function onAddRoute(RouteLoader $m): bool
    {
@ -301,10 +283,11 @@ class Embed extends Plugin
     * @param Link $link
     * @param Note $note
     *
-     *@throws DuplicateFoundException
+     * @throws DuplicateFoundException
     *
     * @return bool
     *
+     *
     */
    public function onNewLinkFromNote(Link $link, Note $note): bool
    {
@ -362,6 +345,39 @@ class Embed extends Plugin
        return Event::stop;
    }

+    /**
+     * @param string $url
+     *
+     * @return bool true if allowed by the lists, false otherwise
+     */
+    private function allowedLink(string $url): bool
+    {
+        $passed_whitelist = !$this->check_whitelist;
+        $passed_blacklist = !$this->check_blacklist;
+
+        if ($this->check_whitelist) {
+            $passed_whitelist = false; // don't trust be default
+            $host             = parse_url($url, PHP_URL_HOST);
+            foreach ($this->domain_whitelist as $regex => $provider) {
+                if (preg_match("/{$regex}/", $host)) {
+                    $passed_whitelist = true; // we trust this source
+                }
+            }
+        }
+
+        if ($this->check_blacklist) {
+            // assume it passed by default
+            $host = parse_url($url, PHP_URL_HOST);
+            foreach ($this->domain_blacklist as $regex => $provider) {
+                if (preg_match("/{$regex}/", $host)) {
+                    $passed_blacklist = false; // we blocked this source
+                }
+            }
+        }
+
+        return $passed_whitelist && $passed_blacklist;
+    }
+
    /**
     * Perform an oEmbed or OpenGraph lookup for the given $url.
     *
@ -481,6 +497,7 @@ class Embed extends Plugin
     * @throws ServerException
     *
     * @return bool true hook value
+     *
     */
    public function onPluginVersion(array &$versions): bool
    {
--- a/plugins/StoreRemoteMedia/StoreRemoteMedia.php
+++ b/plugins/StoreRemoteMedia/StoreRemoteMedia.php
@ -22,6 +22,8 @@ use App\Core\DB\DB;
 use App\Core\Event;
 use App\Core\GSFile;
 use App\Core\HTTPClient;
+use function App\Core\I18n\_m;
+use App\Core\Log;
 use App\Core\Modules\Plugin;
 use App\Entity\AttachmentThumbnail;
 use App\Entity\AttachmentToLink;
@ -54,7 +56,19 @@ class StoreRemoteMedia extends Plugin
        return '3.0.0';
    }

-    public bool $store_original = false; // Whether to maintain a copy of the original media or only a thumbnail of it
+    /**
+     *  Settings which can be set in social.local.yaml
+     *  WARNING, these are _regexps_ (slashes added later). Always escape your dots and end ('$') your strings
+     */
+    public bool $check_whitelist   = false;
+    public bool $check_blacklist   = false;
+    public array $domain_whitelist = [
+        // hostname
+        '.*', // Default to allowing any host
+    ];
+    public array $domain_blacklist = [];
+    // Whether to maintain a copy of the original media or only a thumbnail of it
+    public bool $store_original = false;
    public ?int $thumbnail_width;
    public ?int $thumbnail_height;
    public ?int $max_size;
@ -64,6 +78,7 @@ class StoreRemoteMedia extends Plugin
    {
        return $this->store_original;
    }
+
    private function getThumbnailWidth(): int
    {
        return $this->thumbnail_width ?? Common::config('thumbnail', 'width');
@ -88,11 +103,12 @@ class StoreRemoteMedia extends Plugin
     * @param Link $link
     * @param Note $note
     *
-     * @throws DuplicateFoundException
     * @throws ServerException
     * @throws TemporaryFileException
+     * @throws DuplicateFoundException
     *
     * @return bool
+     *
     */
    public function onNewLinkFromNote(Link $link, Note $note): bool
    {
@ -101,6 +117,12 @@ class StoreRemoteMedia extends Plugin
            return Event::next;
        }

+        // Is this URL trusted?
+        if (!$this->allowedLink($link->getUrl())) {
+            Log::info("Blocked URL ({$link->getUrl()}) in StoreRemoteMedia->onNewLinkFromNote.");
+            return Event::next;
+        }
+
        // Have we handled it already?
        $attachment_to_link = DB::find('attachment_to_link',
            ['link_id' => $link->getId()]);
@ -165,6 +187,39 @@ class StoreRemoteMedia extends Plugin
        }
    }

+    /**
+     * @param string $url
+     *
+     * @return bool true if allowed by the lists, false otherwise
+     */
+    private function allowedLink(string $url): bool
+    {
+        $passed_whitelist = !$this->check_whitelist;
+        $passed_blacklist = !$this->check_blacklist;
+
+        if ($this->check_whitelist) {
+            $passed_whitelist = false; // don't trust be default
+            $host             = parse_url($url, PHP_URL_HOST);
+            foreach ($this->domain_whitelist as $regex => $provider) {
+                if (preg_match("/{$regex}/", $host)) {
+                    $passed_whitelist = true; // we trust this source
+                }
+            }
+        }
+
+        if ($this->check_blacklist) {
+            // assume it passed by default
+            $host = parse_url($url, PHP_URL_HOST);
+            foreach ($this->domain_blacklist as $regex => $provider) {
+                if (preg_match("/{$regex}/", $host)) {
+                    $passed_blacklist = false; // we blocked this source
+                }
+            }
+        }
+
+        return $passed_whitelist && $passed_blacklist;
+    }
+
    /**
     * Event raised when GNU social polls the plugin for information about it.
     * Adds this plugin's version information to $versions array