authorLibravatar tobi <31960611+tsmethurst@users.noreply.github.com>2023-08-11 14:40:11 +0200
committerLibravatar GitHub <noreply@github.com>2023-08-11 14:40:11 +0200
commitdc96562b4084e058846aea9102ef0257461717d6 (patch)
treea0b4bdbaa266386c7fdbbc02ca3e62bae559bf17 /internal/ap
parent[feature] Set Content-Security-Policy header (#2095) (diff)
[bugfix] Use custom bluemonday policy to disallow inline img tags (#2100)
Diffstat (limited to 'internal/ap')
-rw-r--r--internal/ap/normalize.go30
-rw-r--r--internal/ap/normalize_test.go16
2 files changed, 35 insertions, 11 deletions
diff --git a/internal/ap/normalize.go b/internal/ap/normalize.go
index 38861a1b9..8bc2a70e8 100644
--- a/internal/ap/normalize.go
+++ b/internal/ap/normalize.go
@@ -20,6 +20,7 @@ package ap
import (
"github.com/superseriousbusiness/activity/pub"
"github.com/superseriousbusiness/activity/streams"
+ "github.com/superseriousbusiness/gotosocial/internal/text"
)
/*
@@ -126,7 +127,8 @@ func NormalizeIncomingActivityObject(activity pub.Activity, rawJSON map[string]i
}
// NormalizeIncomingContent replaces the Content of the given item
-// with the raw 'content' value from the raw json object map.
+// with the sanitized version of the raw 'content' value from the
+// raw json object map.
//
// noop if there was no content in the json object map or the
// content was not a plain string.
@@ -145,6 +147,14 @@ func NormalizeIncomingContent(item WithSetContent, rawJSON map[string]interface{
return
}
+ // Content should be HTML encoded by default:
+ // https://www.w3.org/TR/activitystreams-vocabulary/#dfn-content
+ //
+ // TODO: sanitize differently based on mediaType.
+ // https://www.w3.org/TR/activitystreams-vocabulary/#dfn-mediatype
+ content = text.SanitizeToHTML(content)
+ content = text.MinifyHTML(content)
+
// Set normalized content property from the raw string;
// this replaces any existing content property on the item.
contentProp := streams.NewActivityStreamsContentProperty()
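Review bot: The minifier runs last on the new lines `content = text.SanitizeToHTML(content)` / `content = text.MinifyHTML(content)`, so whatever MinifyHTML emits is never re-checked by the allowlist policy; if the minifier rewrites markup (drops attribute quotes, decodes entities — the expected output in normalize_test.go shows `&#39;` becoming `'`, though which step does that is not visible here), the sanitizer is no longer the final word on the value that gets stored. Swapping the two calls, or running SanitizeToHTML once more after minification, keeps the policy output as the persisted value. The same ordering appears in NormalizeIncomingSummary (`summary = text.SanitizeToHTML(summary)` / `summary = text.MinifyHTML(summary)`). The `TODO: sanitize differently based on mediaType` also means a non-HTML mediaType is currently treated as HTML; worth stating that limitation in the function's doc comment until it is addressed. NormalizeIncomingContent's body starts and ends outside the hunk.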
@@ -154,7 +164,8 @@ func NormalizeIncomingContent(item WithSetContent, rawJSON map[string]interface{
// NormalizeIncomingAttachments normalizes all attachments (if any) of the given
// item, replacing the 'name' (aka content warning) field of each attachment
-// with the raw 'name' value from the raw json object map.
+// with the raw 'name' value from the raw json object map, and doing sanitization
+// on the result.
//
// noop if there are no attachments; noop if attachment is not a format
// we can understand.
@@ -212,7 +223,8 @@ func NormalizeIncomingAttachments(item WithAttachment, rawJSON map[string]interf
}
// NormalizeIncomingSummary replaces the Summary of the given item
-// with the raw 'summary' value from the raw json object map.
+// with the sanitized version of the raw 'summary' value from the
+// raw json object map.
//
// noop if there was no summary in the json object map or the
// summary was not a plain string.
@@ -229,6 +241,11 @@ func NormalizeIncomingSummary(item WithSetSummary, rawJSON map[string]interface{
return
}
+ // Summary should be HTML encoded:
+ // https://www.w3.org/TR/activitystreams-vocabulary/#dfn-summary
+ summary = text.SanitizeToHTML(summary)
+ summary = text.MinifyHTML(summary)
+
// Set normalized summary property from the raw string; this
// will replace any existing summary property on the item.
summaryProp := streams.NewActivityStreamsSummaryProperty()
@@ -254,6 +271,13 @@ func NormalizeIncomingName(item WithSetName, rawJSON map[string]interface{}) {
return
}
+ // Name *must not* include any HTML markup:
+ // https://www.w3.org/TR/activitystreams-vocabulary/#dfn-name
+ //
+ // todo: We probably want to update this to allow
+ // *escaped* HTML markup, but for now just nuke it.
+ name = text.SanitizeToPlaintext(name)
+
// Set normalized name property from the raw string; this
// will replace any existing name property on the item.
nameProp := streams.NewActivityStreamsNameProperty()
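Review bot: NormalizeIncomingName's doc comment does not appear to be updated to say the name is now reduced to plaintext, while the commit does update the comments of NormalizeIncomingContent, NormalizeIncomingSummary and NormalizeIncomingAttachments; the comment sits above this hunk and is not shown. Suggest `// with the raw 'name' value from the raw json object map, sanitized to plaintext (any HTML markup is stripped rather than escaped).` The stripping is lossy for names containing escaped angle brackets: the attachment "name" fixture in normalize_test.go (`&lt;danger: ... &gt;` becoming `image of a cat & there's a note saying:`) shows the whole bracketed clause disappearing, presumably via this same plaintext sanitizer, which the `todo` on the new lines acknowledges; calling that out in the doc comment would keep callers from assuming the value is merely escaped. NormalizeIncomingName's body starts before the hunk.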
diff --git a/internal/ap/normalize_test.go b/internal/ap/normalize_test.go
index cde807f21..cefaf4d38 100644
--- a/internal/ap/normalize_test.go
+++ b/internal/ap/normalize_test.go
@@ -146,7 +146,7 @@ func (suite *NormalizeTestSuite) getStatusableWithMultipleAttachments() (vocab.A
"type": "Document",
"mediaType": "image/jpeg",
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg",
- "name": "danger: #cute but will claw you :("
+ "name": "image of a cat &amp; there's a note saying: &lt;danger: #cute but will claw you :(&gt;"
}
]
}`)
@@ -192,7 +192,7 @@ func (suite *NormalizeTestSuite) TestNormalizeActivityObject() {
)
ap.NormalizeIncomingActivityObject(create, map[string]interface{}{"object": rawNote})
- suite.Equal(`UPDATE: As of this morning there are now more than 7 million Mastodon users, most from the <a class="hashtag" data-tag="twittermigration" href="https://example.org/tag/twittermigration" rel="tag ugc">#TwitterMigration</a>.<br><br>In fact, 100,000 new accounts have been created since last night.<br><br>Since last night&#39;s spike 8,000-12,000 new accounts are being created every hour.<br><br>Yesterday, I estimated that Mastodon would have 8 million users by the end of the week. That might happen a lot sooner if this trend continues.`, ap.ExtractContent(note))
+ suite.Equal(`UPDATE: As of this morning there are now more than 7 million Mastodon users, most from the <a class="hashtag" href="https://example.org/tag/twittermigration" rel="tag ugc nofollow noreferrer noopener" target="_blank">#TwitterMigration</a>.<br><br>In fact, 100,000 new accounts have been created since last night.<br><br>Since last night's spike 8,000-12,000 new accounts are being created every hour.<br><br>Yesterday, I estimated that Mastodon would have 8 million users by the end of the week. That might happen a lot sooner if this trend continues.`, ap.ExtractContent(note))
}
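Review bot: None of the test changes exercise the case named in the commit title — a note whose content contains an inline `<img>` tag — so the new expected strings only pin the hashtag-link rewriting (`data-tag` dropped, `rel` and `target="_blank"` added) and entity decoding. A fixture with an inline `<img src="...">` in `content`, asserting the tag is absent from `ap.ExtractContent(note)`, would guard the regression directly, unless that is already covered in internal/text (not visible here). The enclosing test function TestNormalizeActivityObject starts outside the hunk.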
func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsOneAttachment() {
@@ -224,7 +224,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsOneAttachment
"@context": "https://www.w3.org/ns/activitystreams",
"attachment": {
"mediaType": "image/jpeg",
- "name": "DESCRIPTION: here's \u003c\u003ca\u003e\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
+ "name": "DESCRIPTION: here's \u003c\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
"type": "Document",
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
},
@@ -265,7 +265,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsOneAttachment
"@context": "https://www.w3.org/ns/activitystreams",
"attachment": {
"mediaType": "image/jpeg",
- "name": "DESCRIPTION: here's \u003c\u003ca\u003e\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
+ "name": "DESCRIPTION: here's \u003c\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
"type": "Document",
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
},
@@ -304,7 +304,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsMultipleAttac
},
{
"mediaType": "image/jpeg",
- "name": "danger: #cute%20but%20will%20claw%20you%20:(",
+ "name": "image of a cat \u0026amp; there's a note saying: \u0026lt;danger: #cute but will claw you :(\u0026gt;",
"type": "Document",
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
}
@@ -326,7 +326,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsMultipleAttac
"attachment": [
{
"mediaType": "image/jpeg",
- "name": "DESCRIPTION: here's \u003c\u003ca\u003e\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
+ "name": "DESCRIPTION: here's \u003c\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
"type": "Document",
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
},
@@ -343,7 +343,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsMultipleAttac
},
{
"mediaType": "image/jpeg",
- "name": "danger: #cute but will claw you :(",
+ "name": "image of a cat \u0026 there's a note saying:",
"type": "Document",
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
}
@@ -380,7 +380,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableSummary() {
suite.Equal(`warning: #WEIRD%20%23SUMMARY%20;;;;a;;a;asv%20%20%20%20khop8273987(*%5E&%5E)`, ap.ExtractSummary(statusable))
ap.NormalizeIncomingSummary(statusable, rawAccount)
- suite.Equal(`warning: #WEIRD #SUMMARY ;;;;a;;a;asv khop8273987(*^&^)`, ap.ExtractSummary(statusable))
+ suite.Equal(`warning: #WEIRD #SUMMARY ;;;;a;;a;asv khop8273987(*^&^)`, ap.ExtractSummary(statusable))
}
func (suite *NormalizeTestSuite) TestNormalizeStatusableName() {