philomena/lib/philomena_web/plugs/scraper_plug.ex

defmodule PhilomenaWeb.ScraperPlug do
  @filename_regex ~r/filename="([^"]+)"/

  def init(opts) do
    opts
  end

  def call(conn, opts) do
    params_name = Keyword.get(opts, :params_name, "image")
    params_key = Keyword.get(opts, :params_key, "image")

    case conn.params do
      %{^params_name => %{^params_key => %Plug.Upload{}}} ->
        conn

      %{"scraper_cache" => url} when not is_nil(url) and url != "" ->
        url
        |> Philomena.Http.get()
        |> maybe_fixup_params(url, opts, conn)

      _ ->
        conn
    end
  end

  # Writing the tempfile doesn't allow traversal
  # sobelow_skip ["Traversal.FileModule"]
  defp maybe_fixup_params(
         {:ok, %Tesla.Env{body: body, status: 200, headers: headers}},
         url,
         opts,
         conn
       ) do
    params_name = Keyword.get(opts, :params_name, "image")
    params_key = Keyword.get(opts, :params_key, "image")
    name = extract_filename(url, headers)
    file = Plug.Upload.random_file!(UUID.uuid1())

    File.write!(file, body)

    fake_upload = %Plug.Upload{
      path: file,
      content_type: "application/octet-stream",
      filename: name
    }

    updated_form = Map.put(conn.params[params_name], params_key, fake_upload)

    updated_params = Map.put(conn.params, params_name, updated_form)

    %Plug.Conn{conn | params: updated_params}
  end

  defp maybe_fixup_params(_response, _url, _opts, conn), do: conn

  defp extract_filename(url, resp_headers) do
    {_, header} =
      Enum.find(resp_headers, {nil, "filename=\"#{Path.basename(url)}\""}, fn {key, value} ->
        key == "content-disposition" and Regex.match?(@filename_regex, value)
      end)

    [name] = Regex.run(@filename_regex, header, capture: :all_but_first)

    String.slice(name, 0, 127)
  end
end
finish scraper 2019-11-29 00:19:47 +01:00			`defmodule PhilomenaWeb.ScraperPlug do`
propagate filename through scraper (fixes derpibooru/philomena#226) 2020-12-06 18:40:38 +01:00			`@filename_regex ~r/filename="([^"]+)"/`

Fix all but one dialyzer warning 2020-08-08 02:23:36 +02:00			`def init(opts) do`
			`opts`
			`end`
finish scraper 2019-11-29 00:19:47 +01:00
			`def call(conn, opts) do`
various scraper fixes 2019-12-19 00:51:02 +01:00			`params_name = Keyword.get(opts, :params_name, "image")`
			`params_key = Keyword.get(opts, :params_key, "image")`

finish scraper 2019-11-29 00:19:47 +01:00			`case conn.params do`
various scraper fixes 2019-12-19 00:51:02 +01:00			`%{^params_name => %{^params_key => %Plug.Upload{}}} ->`
			`conn`

pass on empty scraper url (fixes philomena-dev/philomena#81) 2020-12-08 21:12:31 +01:00			`%{"scraper_cache" => url} when not is_nil(url) and url != "" ->`
Fix all but one dialyzer warning 2020-08-08 02:23:36 +02:00			`url`
require http clients to handle errors 2020-09-10 05:12:54 +02:00			`\|> Philomena.Http.get()`
propagate filename through scraper (fixes derpibooru/philomena#226) 2020-12-06 18:40:38 +01:00			`\|> maybe_fixup_params(url, opts, conn)`
finish scraper 2019-11-29 00:19:47 +01:00
			`_ ->`
			`conn`
			`end`
			`end`

add and configure sobelow 2021-04-01 18:49:41 +02:00			`# Writing the tempfile doesn't allow traversal`
			`# sobelow_skip ["Traversal.FileModule"]`
propagate filename through scraper (fixes derpibooru/philomena#226) 2020-12-06 18:40:38 +01:00			`defp maybe_fixup_params(`
			`{:ok, %Tesla.Env{body: body, status: 200, headers: headers}},`
			`url,`
			`opts,`
			`conn`
			`) do`
finish scraper 2019-11-29 00:19:47 +01:00			`params_name = Keyword.get(opts, :params_name, "image")`
			`params_key = Keyword.get(opts, :params_key, "image")`
propagate filename through scraper (fixes derpibooru/philomena#226) 2020-12-06 18:40:38 +01:00			`name = extract_filename(url, headers)`
Spawn for upload persistence 2022-07-18 16:13:24 +02:00			`file = Plug.Upload.random_file!(UUID.uuid1())`
finish scraper 2019-11-29 00:19:47 +01:00
			`File.write!(file, body)`

run formatter 2020-01-11 05:20:19 +01:00			`fake_upload = %Plug.Upload{`
			`path: file,`
			`content_type: "application/octet-stream",`
propagate filename through scraper (fixes derpibooru/philomena#226) 2020-12-06 18:40:38 +01:00			`filename: name`
run formatter 2020-01-11 05:20:19 +01:00			`}`
finish scraper 2019-11-29 00:19:47 +01:00
run formatter 2020-01-11 05:20:19 +01:00			`updated_form = Map.put(conn.params[params_name], params_key, fake_upload)`
finish scraper 2019-11-29 00:19:47 +01:00
run formatter 2020-01-11 05:20:19 +01:00			`updated_params = Map.put(conn.params, params_name, updated_form)`
finish scraper 2019-11-29 00:19:47 +01:00
Fix all but one dialyzer warning 2020-08-08 02:23:36 +02:00			`%Plug.Conn{conn \| params: updated_params}`
finish scraper 2019-11-29 00:19:47 +01:00			`end`
run formatter 2020-01-11 05:20:19 +01:00
propagate filename through scraper (fixes derpibooru/philomena#226) 2020-12-06 18:40:38 +01:00			`defp maybe_fixup_params(_response, _url, _opts, conn), do: conn`

			`defp extract_filename(url, resp_headers) do`
			`{_, header} =`
			`Enum.find(resp_headers, {nil, "filename=\"#{Path.basename(url)}\""}, fn {key, value} ->`
			`key == "content-disposition" and Regex.match?(@filename_regex, value)`
			`end)`

			`[name] = Regex.run(@filename_regex, header, capture: :all_but_first)`

			`String.slice(name, 0, 127)`
			`end`
various scraper fixes 2019-12-19 00:51:02 +01:00			`end`