From cea31df6a6e0e38ec6a260de0b6ae00d4d40c538 Mon Sep 17 00:00:00 2001
From: Mark Felder <feld@feld.me>
Date: Wed, 24 Feb 2021 15:23:45 -0600
Subject: [PATCH] Attempt to filter out API calls from FrontendStatic plug

---
 lib/pleroma/web.ex                       | 14 +++++++++++++-
 lib/pleroma/web/plugs/frontend_static.ex | 11 ++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/web.ex b/lib/pleroma/web.ex
index c3aa39492..fe2652ac9 100644
--- a/lib/pleroma/web.ex
+++ b/lib/pleroma/web.ex
@@ -63,7 +63,8 @@ defp skip_plug(conn, plug_modules) do
 
       # Executed just before actual controller action, invokes before-action hooks (callbacks)
       defp action(conn, params) do
-        with %{halted: false} = conn <- maybe_drop_authentication_if_oauth_check_ignored(conn),
+        with %{halted: false} = conn <-
+               maybe_drop_authentication_if_oauth_check_ignored(conn),
              %{halted: false} = conn <- maybe_perform_public_or_authenticated_check(conn),
              %{halted: false} = conn <- maybe_perform_authenticated_check(conn),
              %{halted: false} = conn <- maybe_halt_on_missing_oauth_scopes_check(conn) do
@@ -232,4 +233,15 @@ defmacro __using__(which) when is_atom(which) do
   def base_url do
     Pleroma.Web.Endpoint.url()
   end
+
+  def get_api_routes do
+    Pleroma.Web.Router.__routes__()
+    |> Stream.reject(fn r -> r.plug == Pleroma.Web.Fallback.RedirectController end)
+    |> Enum.map(fn r ->
+      r.path
+      |> String.split("/", trim: true)
+      |> List.first()
+    end)
+    |> Enum.uniq()
+  end
 end
diff --git a/lib/pleroma/web/plugs/frontend_static.ex b/lib/pleroma/web/plugs/frontend_static.ex
index eecf16264..03fd51043 100644
--- a/lib/pleroma/web/plugs/frontend_static.ex
+++ b/lib/pleroma/web/plugs/frontend_static.ex
@@ -10,6 +10,8 @@ defmodule Pleroma.Web.Plugs.FrontendStatic do
   """
   @behaviour Plug
 
+  @api_routes Pleroma.Web.get_api_routes()
+
   def file_path(path, frontend_type \\ :primary) do
     if configuration = Pleroma.Config.get([:frontends, frontend_type]) do
       instance_static_path = Pleroma.Config.get([:instance, :static_dir], "instance/static")
@@ -34,7 +36,8 @@ def init(opts) do
   end
 
   def call(conn, opts) do
-    with false <- invalid_path?(conn.path_info),
+    with false <- api_route?(conn.path_info),
+         false <- invalid_path?(conn.path_info),
          frontend_type <- Map.get(opts, :frontend_type, :primary),
          path when not is_nil(path) <- file_path("", frontend_type) do
       call_static(conn, opts, path)
@@ -52,6 +55,12 @@ defp invalid_path?([h | _], _match) when h in [".", "..", ""], do: true
   defp invalid_path?([h | t], match), do: String.contains?(h, match) or invalid_path?(t)
   defp invalid_path?([], _match), do: false
 
+  defp api_route?(list) when is_list(list) and length(list) > 0 do
+    List.first(list) in @api_routes
+  end
+
+  defp api_route?(_), do: false
+
   defp call_static(conn, opts, from) do
     opts = Map.put(opts, :from, from)
     Plug.Static.call(conn, opts)