Merge branch 'fix/sanitize-report-content' into 'develop'

Sanitize HTML in ReportView Closes #990 See merge request pleroma/pleroma!1293
2019-06-16 18:05:00 +00:00 · 2019-06-16 18:05:00 +00:00 · c34327b22e
parent efa445a75b bf6aa6f1a8
commit c34327b22e
2 changed files with 107 additions and 1 deletions
--- a/lib/pleroma/web/admin_api/views/report_view.ex
+++ b/lib/pleroma/web/admin_api/views/report_view.ex
@ -5,6 +5,7 @@
 defmodule Pleroma.Web.AdminAPI.ReportView do
  use Pleroma.Web, :view
  alias Pleroma.Activity
+  alias Pleroma.HTML
  alias Pleroma.User
  alias Pleroma.Web.CommonAPI.Utils
  alias Pleroma.Web.MastodonAPI.AccountView
@ -23,6 +24,13 @@ def render("show.json", %{report: report}) do
    [account_ap_id | status_ap_ids] = report.data["object"]
    account = User.get_cached_by_ap_id(account_ap_id)

+    content =
+      unless is_nil(report.data["content"]) do
+        HTML.filter_tags(report.data["content"])
+      else
+        nil
+      end
+
    statuses =
      Enum.map(status_ap_ids, fn ap_id ->
        Activity.get_by_ap_id_with_object(ap_id)
@ -32,7 +40,7 @@ def render("show.json", %{report: report}) do
      id: report.id,
      account: AccountView.render("account.json", %{user: account}),
      actor: AccountView.render("account.json", %{user: user}),
-      content: report.data["content"],
+      content: content,
      created_at: created_at,
      statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}),
      state: report.data["state"]
--- a/test/web/admin_api/views/report_view_test.exs
+++ b/test/web/admin_api/views/report_view_test.exs
@ -0,0 +1,98 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.AdminAPI.ReportViewTest do
+  use Pleroma.DataCase
+  import Pleroma.Factory
+  alias Pleroma.Web.AdminAPI.ReportView
+  alias Pleroma.Web.CommonAPI
+  alias Pleroma.Web.MastodonAPI.AccountView
+  alias Pleroma.Web.MastodonAPI.StatusView
+
+  test "renders a report" do
+    user = insert(:user)
+    other_user = insert(:user)
+
+    {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id})
+
+    expected = %{
+      content: nil,
+      actor: AccountView.render("account.json", %{user: user}),
+      account: AccountView.render("account.json", %{user: other_user}),
+      statuses: [],
+      state: "open",
+      id: activity.id
+    }
+
+    result =
+      ReportView.render("show.json", %{report: activity})
+      |> Map.delete(:created_at)
+
+    assert result == expected
+  end
+
+  test "includes reported statuses" do
+    user = insert(:user)
+    other_user = insert(:user)
+    {:ok, activity} = CommonAPI.post(other_user, %{"status" => "toot"})
+
+    {:ok, report_activity} =
+      CommonAPI.report(user, %{"account_id" => other_user.id, "status_ids" => [activity.id]})
+
+    expected = %{
+      content: nil,
+      actor: AccountView.render("account.json", %{user: user}),
+      account: AccountView.render("account.json", %{user: other_user}),
+      statuses: [StatusView.render("status.json", %{activity: activity})],
+      state: "open",
+      id: report_activity.id
+    }
+
+    result =
+      ReportView.render("show.json", %{report: report_activity})
+      |> Map.delete(:created_at)
+
+    assert result == expected
+  end
+
+  test "renders report's state" do
+    user = insert(:user)
+    other_user = insert(:user)
+
+    {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id})
+    {:ok, activity} = CommonAPI.update_report_state(activity.id, "closed")
+    assert %{state: "closed"} = ReportView.render("show.json", %{report: activity})
+  end
+
+  test "renders report description" do
+    user = insert(:user)
+    other_user = insert(:user)
+
+    {:ok, activity} =
+      CommonAPI.report(user, %{
+        "account_id" => other_user.id,
+        "comment" => "posts are too good for this instance"
+      })
+
+    assert %{content: "posts are too good for this instance"} =
+             ReportView.render("show.json", %{report: activity})
+  end
+
+  test "sanitizes report description" do
+    user = insert(:user)
+    other_user = insert(:user)
+
+    {:ok, activity} =
+      CommonAPI.report(user, %{
+        "account_id" => other_user.id,
+        "comment" => ""
+      })
+
+    data = Map.put(activity.data, "content", "<script> alert('hecked :D:D:D:D:D:D:D') </script>")
+    activity = Map.put(activity, :data, data)
+
+    refute "<script> alert('hecked :D:D:D:D:D:D:D') </script>" ==
+             ReportView.render("show.json", %{report: activity})[:content]
+  end
+end