indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Merge branch 'main' of gitlab.com:bashrc2/epicyon

merge-requests/30/head
Bob Mottram 2022-03-23 22:38:32 +00:00
parent 158b91e985 95eed2183a
commit f1983ebc4e
5 changed files with 78 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
daemon.py
View File

@ -6657,14 +6657,16 @@ class PubServer(BaseHTTPRequestHandler):
# this account is a bot # this account is a bot
if fields.get('isBot'): if fields.get('isBot'):
if fields['isBot'] == 'on': if fields['isBot'] == 'on' and \
actor_json.get('type'):
if actor_json['type'] != 'Service': if actor_json['type'] != 'Service':
actor_json['type'] = 'Service' actor_json['type'] = 'Service'
actor_changed = True actor_changed = True
else: else:
# this account is a group # this account is a group
if fields.get('isGroup'): if fields.get('isGroup'):
if fields['isGroup'] == 'on': if fields['isGroup'] == 'on' and \
actor_json.get('type'):
if actor_json['type'] != 'Group': if actor_json['type'] != 'Group':
# only allow admin to create groups # only allow admin to create groups
if path.startswith('/users/' + if path.startswith('/users/' +
@ -6673,9 +6675,10 @@ class PubServer(BaseHTTPRequestHandler):
actor_changed = True actor_changed = True
else: else:
# this account is a person (default) # this account is a person (default)
if actor_json['type'] != 'Person': if actor_json.get('type'):
actor_json['type'] = 'Person' if actor_json['type'] != 'Person':
actor_changed = True actor_json['type'] = 'Person'
actor_changed = True
# grayscale theme # grayscale theme
if path.startswith('/users/' + admin_nickname + '/') or \ if path.startswith('/users/' + admin_nickname + '/') or \
@ -7700,8 +7703,9 @@ class PubServer(BaseHTTPRequestHandler):
moved_to = actor_json['movedTo'] moved_to = actor_json['movedTo']
if '"' in moved_to: if '"' in moved_to:
moved_to = moved_to.split('"')[1] moved_to = moved_to.split('"')[1]
if actor_json['type'] == 'Group': if actor_json.get('type'):
is_group = True if actor_json['type'] == 'Group':
is_group = True
locked_account = get_locked_account(actor_json) locked_account = get_locked_account(actor_json)
donate_url = get_donation_url(actor_json) donate_url = get_donation_url(actor_json)
website_url = get_website(actor_json, self.server.translate) website_url = get_website(actor_json, self.server.translate)

2
inbox.py
View File

@ -2690,6 +2690,8 @@ def _group_handle(base_dir: str, handle: str) -> bool:
actor_json = load_json(actor_file) actor_json = load_json(actor_file)
if not actor_json: if not actor_json:
return False return False
if not actor_json.get('type'):
return False
return actor_json['type'] == 'Group' return actor_json['type'] == 'Group'

9
tests.py
View File

@ -3919,6 +3919,15 @@ def _test_danger_markup():
'<script src="https://evilsite/payload.js" /></p>' '<script src="https://evilsite/payload.js" /></p>'
assert dangerous_markup(content, allow_local_network_access) assert dangerous_markup(content, allow_local_network_access)
content = '<p>This is a valid-looking message. But it contains ' + \
'spyware. <amp-analytics type="gtag" ' + \
'data-credentials="include"></amp-analytics></p>'
assert dangerous_markup(content, allow_local_network_access)
content = '<p>This is a valid-looking message. But it contains ' + \
'<a href="something.googleapis.com/anotherthing">spyware.</a></p>'
assert dangerous_markup(content, allow_local_network_access)
content = '<p>This message embeds an evil frame.' + \ content = '<p>This message embeds an evil frame.' + \
'<iframe src="somesite"></iframe></p>' '<iframe src="somesite"></iframe></p>'
assert dangerous_markup(content, allow_local_network_access) assert dangerous_markup(content, allow_local_network_access)

65
utils.py
View File

@ -884,8 +884,8 @@ def is_local_network_address(ip_address: str) -> bool:
return False return False
def _is_dangerous_string(content: str, allow_local_network_access: bool, def _is_dangerous_string_tag(content: str, allow_local_network_access: bool,
separators: [], invalid_strings: []) -> bool: separators: [], invalid_strings: []) -> bool:
"""Returns true if the given string is dangerous """Returns true if the given string is dangerous
""" """
for separator_style in separators: for separator_style in separators:
@ -908,12 +908,48 @@ def _is_dangerous_string(content: str, allow_local_network_access: bool,
return True return True
if ' ' not in markup: if ' ' not in markup:
for bad_str in invalid_strings: for bad_str in invalid_strings:
if bad_str in markup: if not bad_str.endswith('-'):
return True if bad_str in markup:
return True
else:
if markup.startswith(bad_str):
return True
else: else:
for bad_str in invalid_strings: for bad_str in invalid_strings:
if bad_str + ' ' in markup: if not bad_str.endswith('-'):
return True if bad_str + ' ' in markup:
return True
else:
if markup.startswith(bad_str):
return True
return False
def _is_dangerous_string_simple(content: str, allow_local_network_access: bool,
separators: [], invalid_strings: []) -> bool:
"""Returns true if the given string is dangerous
"""
for separator_style in separators:
start_char = separator_style[0]
end_char = separator_style[1]
if start_char not in content:
continue
if end_char not in content:
continue
content_sections = content.split(start_char)
invalid_partials = ()
if not allow_local_network_access:
invalid_partials = get_local_network_addresses()
for markup in content_sections:
if end_char not in markup:
continue
markup = markup.split(end_char)[0].strip()
for partial_match in invalid_partials:
if partial_match in markup:
return True
for bad_str in invalid_strings:
if bad_str in markup:
return True
return False return False
@ -921,14 +957,21 @@ def dangerous_markup(content: str, allow_local_network_access: bool) -> bool:
"""Returns true if the given content contains dangerous html markup """Returns true if the given content contains dangerous html markup
""" """
separators = [['<', '>'], ['&lt;', '&gt;']] separators = [['<', '>'], ['&lt;', '&gt;']]
invalid_strings = [
'analytics', 'ampproject', 'googleapis'
]
if _is_dangerous_string_simple(content, allow_local_network_access,
separators, invalid_strings):
return True
invalid_strings = [ invalid_strings = [
'script', 'noscript', 'code', 'pre', 'script', 'noscript', 'code', 'pre',
'canvas', 'style', 'abbr', 'canvas', 'style', 'abbr',
'frame', 'iframe', 'html', 'body', 'frame', 'iframe', 'html', 'body',
'hr', 'allow-popups', 'allow-scripts' 'hr', 'allow-popups', 'allow-scripts',
'amp-'
] ]
return _is_dangerous_string(content, allow_local_network_access, return _is_dangerous_string_tag(content, allow_local_network_access,
separators, invalid_strings) separators, invalid_strings)
def dangerous_svg(content: str, allow_local_network_access: bool) -> bool: def dangerous_svg(content: str, allow_local_network_access: bool) -> bool:
@ -938,8 +981,8 @@ def dangerous_svg(content: str, allow_local_network_access: bool) -> bool:
invalid_strings = [ invalid_strings = [
'script' 'script'
] ]
return _is_dangerous_string(content, allow_local_network_access, return _is_dangerous_string_tag(content, allow_local_network_access,
separators, invalid_strings) separators, invalid_strings)
def get_display_name(base_dir: str, actor: str, person_cache: {}) -> str: def get_display_name(base_dir: str, actor: str, person_cache: {}) -> str:

2
webapp_media.py
View File

@ -153,7 +153,9 @@ def _add_embedded_video_from_sites(translate: {}, content: str,
peertube_sites = ( peertube_sites = (
'share.tube', 'share.tube',
'visionon.tv', 'visionon.tv',
'anarchy.tube',
'peertube.fr', 'peertube.fr',
'video.nerdcave.site',
'kolektiva.media', 'kolektiva.media',
'peertube.social', 'peertube.social',
'videos.lescommuns.org' 'videos.lescommuns.org'