2020-06-11 00:54:34 +02:00
|
|
|
from io import StringIO
|
|
|
|
|
2020-08-07 01:09:47 +02:00
|
|
|
import orjson
|
2021-11-02 15:42:58 +01:00
|
|
|
from django.test import override_settings
|
2018-03-08 09:37:09 +01:00
|
|
|
|
2021-11-02 15:42:58 +01:00
|
|
|
from zerver.lib.rate_limiter import add_ratelimit_rule, remove_ratelimit_rule
|
2019-02-02 23:53:44 +01:00
|
|
|
from zerver.lib.test_classes import ZulipTestCase
|
2018-03-08 09:37:09 +01:00
|
|
|
|
|
|
|
|
|
|
|
class ThumbnailTest(ZulipTestCase):
|
2021-05-07 00:38:24 +02:00
|
|
|
def test_thumbnail_redirect(self) -> None:
|
2021-02-12 08:20:45 +01:00
|
|
|
self.login("hamlet")
|
2018-03-08 09:37:09 +01:00
|
|
|
fp = StringIO("zulip!")
|
|
|
|
fp.name = "zulip.jpeg"
|
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
result = self.client_post("/json/user_uploads", {"file": fp})
|
2018-03-08 09:37:09 +01:00
|
|
|
self.assert_json_success(result)
|
2020-08-07 01:09:47 +02:00
|
|
|
json = orjson.loads(result.content)
|
2018-03-08 09:37:09 +01:00
|
|
|
self.assertIn("uri", json)
|
|
|
|
uri = json["uri"]
|
2021-02-12 08:20:45 +01:00
|
|
|
base = "/user_uploads/"
|
2021-02-12 08:19:30 +01:00
|
|
|
self.assertEqual(base, uri[: len(base)])
|
2018-03-08 09:37:09 +01:00
|
|
|
|
2020-09-13 00:11:30 +02:00
|
|
|
result = self.client_get("/thumbnail", {"url": uri[1:], "size": "full"})
|
2018-03-08 09:37:09 +01:00
|
|
|
self.assertEqual(result.status_code, 302, result)
|
2021-05-07 00:38:24 +02:00
|
|
|
self.assertEqual(uri, result.url)
|
2018-03-08 09:37:09 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
self.login("iago")
|
2020-09-13 00:11:30 +02:00
|
|
|
result = self.client_get("/thumbnail", {"url": uri[1:], "size": "full"})
|
2018-03-08 09:37:09 +01:00
|
|
|
self.assertEqual(result.status_code, 403, result)
|
|
|
|
self.assert_in_response("You are not authorized to view this file.", result)
|
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
uri = "https://www.google.com/images/srpr/logo4w.png"
|
2021-05-07 00:38:24 +02:00
|
|
|
result = self.client_get("/thumbnail", {"url": uri, "size": "full"})
|
2018-03-08 09:37:09 +01:00
|
|
|
self.assertEqual(result.status_code, 302, result)
|
2021-02-12 08:20:45 +01:00
|
|
|
base = "https://external-content.zulipcdn.net/external_content/56c362a24201593891955ff526b3b412c0f9fcd2/68747470733a2f2f7777772e676f6f676c652e636f6d2f696d616765732f737270722f6c6f676f34772e706e67"
|
2019-12-12 01:28:29 +01:00
|
|
|
self.assertEqual(base, result.url)
|
2018-03-08 09:37:09 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
uri = "http://www.google.com/images/srpr/logo4w.png"
|
2021-05-07 00:38:24 +02:00
|
|
|
result = self.client_get("/thumbnail", {"url": uri, "size": "full"})
|
2018-03-08 09:37:09 +01:00
|
|
|
self.assertEqual(result.status_code, 302, result)
|
2021-02-12 08:20:45 +01:00
|
|
|
base = "https://external-content.zulipcdn.net/external_content/7b6552b60c635e41e8f6daeb36d88afc4eabde79/687474703a2f2f7777772e676f6f676c652e636f6d2f696d616765732f737270722f6c6f676f34772e706e67"
|
2018-03-08 09:37:09 +01:00
|
|
|
self.assertEqual(base, result.url)
|
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
uri = "//www.google.com/images/srpr/logo4w.png"
|
2021-05-07 00:38:24 +02:00
|
|
|
result = self.client_get("/thumbnail", {"url": uri, "size": "full"})
|
2019-12-12 01:28:29 +01:00
|
|
|
self.assertEqual(result.status_code, 302, result)
|
2021-02-12 08:20:45 +01:00
|
|
|
base = "https://external-content.zulipcdn.net/external_content/676530cf4b101d56f56cc4a37c6ef4d4fd9b0c03/2f2f7777772e676f6f676c652e636f6d2f696d616765732f737270722f6c6f676f34772e706e67"
|
2019-12-12 01:28:29 +01:00
|
|
|
self.assertEqual(base, result.url)
|
2021-11-02 15:42:58 +01:00
|
|
|
|
|
|
|
@override_settings(RATE_LIMITING=True)
|
|
|
|
def test_thumbnail_redirect_for_spectator(self) -> None:
|
|
|
|
self.login("hamlet")
|
|
|
|
fp = StringIO("zulip!")
|
|
|
|
fp.name = "zulip.jpeg"
|
|
|
|
|
|
|
|
result = self.client_post("/json/user_uploads", {"file": fp})
|
|
|
|
self.assert_json_success(result)
|
|
|
|
json = orjson.loads(result.content)
|
|
|
|
uri = json["uri"]
|
|
|
|
|
|
|
|
add_ratelimit_rule(86400, 1000, domain="spectator_attachment_access_by_file")
|
2022-04-28 05:15:11 +02:00
|
|
|
# Deny file access for non-web-public stream
|
2021-11-02 15:42:58 +01:00
|
|
|
self.subscribe(self.example_user("hamlet"), "Denmark")
|
|
|
|
host = self.example_user("hamlet").realm.host
|
|
|
|
body = f"First message ...[zulip.txt](http://{host}" + uri + ")"
|
|
|
|
self.send_stream_message(self.example_user("hamlet"), "Denmark", body, "test")
|
|
|
|
|
|
|
|
self.logout()
|
|
|
|
response = self.client_get("/thumbnail", {"url": uri[1:], "size": "full"})
|
|
|
|
self.assertEqual(response.status_code, 403)
|
|
|
|
|
2022-04-28 05:05:04 +02:00
|
|
|
# Allow file access for web-public stream
|
2021-11-02 15:42:58 +01:00
|
|
|
self.login("hamlet")
|
|
|
|
self.make_stream("web-public-stream", is_web_public=True)
|
|
|
|
self.subscribe(self.example_user("hamlet"), "web-public-stream")
|
|
|
|
body = f"First message ...[zulip.txt](http://{host}" + uri + ")"
|
|
|
|
self.send_stream_message(self.example_user("hamlet"), "web-public-stream", body, "test")
|
|
|
|
|
|
|
|
self.logout()
|
|
|
|
response = self.client_get("/thumbnail", {"url": uri[1:], "size": "full"})
|
|
|
|
self.assertEqual(response.status_code, 302)
|
|
|
|
remove_ratelimit_rule(86400, 1000, domain="spectator_attachment_access_by_file")
|
|
|
|
|
|
|
|
# Deny file access since rate limited
|
|
|
|
add_ratelimit_rule(86400, 0, domain="spectator_attachment_access_by_file")
|
|
|
|
response = self.client_get("/thumbnail", {"url": uri[1:], "size": "full"})
|
|
|
|
self.assertEqual(response.status_code, 403)
|
|
|
|
remove_ratelimit_rule(86400, 0, domain="spectator_attachment_access_by_file")
|
|
|
|
|
|
|
|
# Deny random file access
|
|
|
|
response = self.client_get(
|
|
|
|
"/thumbnail",
|
|
|
|
{
|
|
|
|
"url": "user_uploads/2/71/QYB7LA-ULMYEad-QfLMxmI2e/zulip-non-existent.txt",
|
|
|
|
"size": "full",
|
|
|
|
},
|
|
|
|
)
|
|
|
|
self.assertEqual(response.status_code, 403)
|