2021-01-26 09:05:01 +00:00
|
|
|
# Pleroma: A lightweight social networking server
|
|
|
|
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
|
|
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
|
|
|
defmodule Mobilizon.Web.MediaProxy do
|
|
|
|
@moduledoc """
|
|
|
|
Module to proxify remote media
|
|
|
|
"""
|
|
|
|
alias Mobilizon.Config
|
|
|
|
alias Mobilizon.Web
|
|
|
|
|
|
|
|
@base64_opts [padding: false]
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec url(String.t() | nil) :: String.t() | nil
|
2021-01-26 09:05:01 +00:00
|
|
|
def url(url) when is_nil(url) or url == "", do: nil
|
|
|
|
def url("/" <> _ = url), do: url
|
|
|
|
|
|
|
|
def url(url) do
|
|
|
|
if enabled?() and url_proxiable?(url) do
|
|
|
|
encode_url(url)
|
|
|
|
else
|
|
|
|
url
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
@spec url_proxiable?(String.t()) :: boolean()
|
|
|
|
def url_proxiable?(url) do
|
|
|
|
not local?(url)
|
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec enabled? :: boolean()
|
2021-01-26 09:05:01 +00:00
|
|
|
def enabled?, do: Config.get([:media_proxy, :enabled], false)
|
|
|
|
|
|
|
|
def local?(url), do: String.starts_with?(url, Web.Endpoint.url())
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec base64_sig64(String.t()) :: {String.t(), String.t()}
|
2021-01-26 09:05:01 +00:00
|
|
|
defp base64_sig64(url) do
|
|
|
|
base64 = Base.url_encode64(url, @base64_opts)
|
|
|
|
|
|
|
|
sig64 =
|
|
|
|
base64
|
|
|
|
|> signed_url()
|
|
|
|
|> Base.url_encode64(@base64_opts)
|
|
|
|
|
|
|
|
{base64, sig64}
|
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec encode_url(String.t()) :: String.t()
|
2021-01-26 09:05:01 +00:00
|
|
|
def encode_url(url) do
|
|
|
|
{base64, sig64} = base64_sig64(url)
|
|
|
|
|
|
|
|
build_url(sig64, base64, filename(url))
|
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec decode_url(String.t(), String.t()) :: {:ok, String.t()} | {:error, :invalid_signature}
|
2021-01-26 09:05:01 +00:00
|
|
|
def decode_url(sig, url) do
|
|
|
|
with {:ok, sig} <- Base.url_decode64(sig, @base64_opts),
|
|
|
|
signature when signature == sig <- signed_url(url) do
|
|
|
|
{:ok, Base.url_decode64!(url, @base64_opts)}
|
|
|
|
else
|
|
|
|
_ -> {:error, :invalid_signature}
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec signed_url(String.t()) :: String.t()
|
2021-01-26 09:05:01 +00:00
|
|
|
defp signed_url(url) do
|
2021-06-07 14:39:14 +00:00
|
|
|
sha_hmac(Config.get([Web.Endpoint, :secret_key_base]), url)
|
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec sha_hmac(String.t(), String.t()) :: String.t()
|
2021-06-07 14:39:14 +00:00
|
|
|
@compile {:no_warn_undefined, {:crypto, :mac, 4}}
|
|
|
|
@compile {:no_warn_undefined, {:crypto, :hmac, 3}}
|
|
|
|
defp sha_hmac(key, url) do
|
|
|
|
# :crypto.hmac was removed in OTP24, but :crypto.mac was added in OTP 22.1
|
|
|
|
# TODO: Remove me when we don't support OTP 21/22 anymore
|
|
|
|
if function_exported?(:crypto, :mac, 4) do
|
|
|
|
:crypto.mac(:hmac, :sha, key, url)
|
|
|
|
else
|
|
|
|
:crypto.hmac(:sha, key, url)
|
|
|
|
end
|
2021-01-26 09:05:01 +00:00
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec filename(String.t()) :: String.t() | nil
|
2021-01-26 09:05:01 +00:00
|
|
|
def filename(url_or_path) do
|
|
|
|
if path = URI.parse(url_or_path).path, do: Path.basename(path)
|
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec base_url :: String.t()
|
2021-01-26 09:05:01 +00:00
|
|
|
def base_url do
|
|
|
|
Web.Endpoint.url()
|
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec proxy_url(String.t(), String.t(), String.t(), String.t() | nil) :: String.t()
|
2021-01-26 09:05:01 +00:00
|
|
|
defp proxy_url(path, sig_base64, url_base64, filename) do
|
|
|
|
[
|
|
|
|
base_url(),
|
|
|
|
path,
|
|
|
|
sig_base64,
|
|
|
|
url_base64,
|
|
|
|
filename
|
|
|
|
]
|
|
|
|
|> Enum.filter(& &1)
|
|
|
|
|> Path.join()
|
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec build_url(String.t(), String.t(), String.t() | nil) :: String.t()
|
2021-01-26 09:05:01 +00:00
|
|
|
def build_url(sig_base64, url_base64, filename \\ nil) do
|
|
|
|
proxy_url("proxy", sig_base64, url_base64, filename)
|
|
|
|
end
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec verify_request_path_and_url(Plug.Conn.t() | String.t(), String.t()) ::
|
|
|
|
:ok | {:wrong_filename, String.t()}
|
2021-01-26 09:05:01 +00:00
|
|
|
def verify_request_path_and_url(
|
|
|
|
%Plug.Conn{params: %{"filename" => _}, request_path: request_path},
|
|
|
|
url
|
|
|
|
) do
|
|
|
|
verify_request_path_and_url(request_path, url)
|
|
|
|
end
|
|
|
|
|
|
|
|
def verify_request_path_and_url(request_path, url) when is_binary(request_path) do
|
|
|
|
filename = filename(url)
|
|
|
|
|
|
|
|
if filename && not basename_matches?(request_path, filename) do
|
|
|
|
{:wrong_filename, filename}
|
|
|
|
else
|
|
|
|
:ok
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def verify_request_path_and_url(_, _), do: :ok
|
|
|
|
|
2021-09-28 17:40:37 +00:00
|
|
|
@spec basename_matches?(String.t(), String.t()) :: boolean()
|
2021-01-26 09:05:01 +00:00
|
|
|
defp basename_matches?(path, filename) do
|
|
|
|
basename = Path.basename(path)
|
|
|
|
basename == filename or URI.decode(basename) == filename or URI.encode(basename) == filename
|
|
|
|
end
|
|
|
|
end
|