From 569ba8bf2d164a9337783f0c5876b639290eee39 Mon Sep 17 00:00:00 2001
From: Jesse Wierzbinski <contact@cpluspatch.com>
Date: Fri, 22 Nov 2024 15:06:46 +0100
Subject: [PATCH] fix(api): :lock: Correctly put all URIs in profiles through
 proxy

---
 .../accounts/update_credentials/index.test.ts | 68 +++++++++++++++++++
 classes/database/note.ts                      | 13 +---
 utils/sanitization.ts                         | 10 +++
 3 files changed, 79 insertions(+), 12 deletions(-)
 create mode 100644 api/api/v1/accounts/update_credentials/index.test.ts

diff --git a/api/api/v1/accounts/update_credentials/index.test.ts b/api/api/v1/accounts/update_credentials/index.test.ts
new file mode 100644
index 00000000..9f9545f2
--- /dev/null
+++ b/api/api/v1/accounts/update_credentials/index.test.ts
@@ -0,0 +1,68 @@
+import { afterAll, describe, expect, test } from "bun:test";
+import type { Account as APIAccount } from "@versia/client/types";
+import { config } from "~/packages/config-manager/index.ts";
+import { fakeRequest, getTestUsers } from "~/tests/utils";
+import { meta } from "./index.ts";
+
+const { tokens, deleteUsers } = await getTestUsers(1);
+
+afterAll(async () => {
+    await deleteUsers();
+});
+
+// /api/v1/accounts/update_credentials
+describe(meta.route, () => {
+    describe("HTML injection testing", () => {
+        test("should not allow HTML injection", async () => {
+            const response = await fakeRequest(meta.route, {
+                method: "PATCH",
+                headers: {
+                    Authorization: `Bearer ${tokens[0].data.accessToken}`,
+                },
+                body: new URLSearchParams({
+                    note: "Hi! <script>alert('Hello, world!');</script>",
+                }),
+            });
+
+            expect(response.status).toBe(200);
+            expect(response.headers.get("content-type")).toContain(
+                "application/json",
+            );
+
+            const object = (await response.json()) as APIAccount;
+
+            expect(object.note).toBe(
+                "<p>Hi! &lt;script&gt;alert('Hello, world!');&lt;/script&gt;</p>\n",
+            );
+        });
+
+        test("should rewrite all image and video src to go through proxy", async () => {
+            const response = await fakeRequest(meta.route, {
+                method: "PATCH",
+                headers: {
+                    Authorization: `Bearer ${tokens[0].data.accessToken}`,
+                },
+                body: new URLSearchParams({
+                    note: "<img src='https://example.com/image.jpg'> <video src='https://example.com/video.mp4'> Test!",
+                }),
+            });
+
+            expect(response.status).toBe(200);
+            expect(response.headers.get("content-type")).toContain(
+                "application/json",
+            );
+
+            const object = (await response.json()) as APIAccount;
+            // Proxy url is base_url/media/proxy/<base64url encoded url>
+            expect(object.note).toBe(
+                `<p><img src="${config.http.base_url}/media/proxy/${Buffer.from(
+                    "https://example.com/image.jpg",
+                ).toString("base64url")}"> <video src="${
+                    config.http.base_url
+                }/media/proxy/${Buffer.from(
+                    "https://example.com/video.mp4",
+                ).toString("base64url")}"> Test!</p>\n`,
+            );
+        });
+    });
+});
diff --git a/classes/database/note.ts b/classes/database/note.ts
index b8162cf6..65580564 100644
--- a/classes/database/note.ts
+++ b/classes/database/note.ts
@@ -1,6 +1,5 @@
 import { idValidator } from "@/api";
 import { localObjectUri } from "@/constants";
-import { proxyUrl } from "@/response";
 import { sanitizedHtmlStrip } from "@/sanitization";
 import { sentry } from "@/sentry";
 import { getLogger } from "@logtape/logtape";
@@ -902,17 +901,7 @@ export class Note extends BaseInterface<typeof Notes, NoteTypeWithRelations> {
             (mention) => mention.instanceId === null,
         );
 
-        // Rewrite all src tags to go through proxy
-        let replacedContent = new HTMLRewriter()
-            .on("[src]", {
-                element(element): void {
-                    element.setAttribute(
-                        "src",
-                        proxyUrl(element.getAttribute("src") ?? "") ?? "",
-                    );
-                },
-            })
-            .transform(data.content);
+        let replacedContent = data.content;
 
         for (const mention of mentionedLocalUsers) {
             replacedContent = replacedContent.replace(
diff --git a/utils/sanitization.ts b/utils/sanitization.ts
index 70d070ae..a7c262d8 100644
--- a/utils/sanitization.ts
+++ b/utils/sanitization.ts
@@ -1,5 +1,6 @@
 import { stringifyEntitiesLight } from "stringify-entities";
 import xss, { type IFilterXSSOptions } from "xss";
+import { proxyUrl } from "./response.ts";
 
 export const sanitizedHtmlStrip = (html: string): Promise<string> => {
     return sanitizeHtml(html, {
@@ -129,6 +130,15 @@ export const sanitizeHtml = async (
                 }
             },
         })
+        // Rewrite all src tags to go through proxy
+        .on("[src]", {
+            element(element): void {
+                element.setAttribute(
+                    "src",
+                    proxyUrl(element.getAttribute("src") ?? "") ?? "",
+                );
+            },
+        })
         .transform(new Response(sanitizedHtml))
         .text();
 };