From de195f883ef2f79b08d9ece222f91cce8ed30726 Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Mon, 8 Mar 2021 23:20:15 -0800
Subject: [PATCH] Gek/disable remote images (#800)
* Disable images from anywhere but our emojis. Closes #756
* Add tests around images in chat messages
* Update sanitizer + test
---
core/chat/messageRendering_test.go | 27 ++++++++++++++++++++++++---
models/chatMessage.go | 18 ++++++------------
2 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/core/chat/messageRendering_test.go b/core/chat/messageRendering_test.go
index df33c2a3c..b0d320244 100644
--- a/core/chat/messageRendering_test.go
+++ b/core/chat/messageRendering_test.go
@@ -15,7 +15,7 @@ func TestRenderAndSanitize(t *testing.T) {
## blah blah blah
[test link](http://owncast.online)
-
+
`
@@ -23,11 +23,32 @@ func TestRenderAndSanitize(t *testing.T) {
Here is an iframe
blah blah blah
test link
-
`
+
`
result := models.RenderAndSanitize(messageContent)
if result != expected {
t.Errorf("message rendering/sanitation does not match expected. Got\n%s, \n\n want:\n%s", result, expected)
}
-
+}
+
+// Test to make sure we block remote images in chat messages.
+func TestBlockRemoteImages(t *testing.T) {
+ messageContent := `
test `
+ expected := ` test
`
+ result := models.RenderAndSanitize(messageContent)
+
+ if result != expected {
+ t.Errorf("message rendering/sanitation does not match expected. Got\n%s, \n\n want:\n%s", result, expected)
+ }
+}
+
+// Test to make sure emoji images are allowed in chat messages.
+func TestAllowEmojiImages(t *testing.T) {
+ messageContent := `
test `
+ expected := `
test 
`
+ result := models.RenderAndSanitize(messageContent)
+
+ if result != expected {
+ t.Errorf("message rendering/sanitation does not match expected. Got\n%s, \n\n want:\n%s", result, expected)
+ }
}
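Review bot: The new tests pin only the two obvious cases, a fully remote image and a local emoji, and the image markup inside the raw-string literals is not visible in this view, so I cannot check the exact expectations; what is missing is a case for an image URL whose path merely contains `/img/emoji` somewhere after a remote host, which the unanchored `(?i)/img/emoji` pattern in models/chatMessage.go appears to accept today, and a case asserting that `alt` and `title` survive on a legitimate emoji image. The three tests also repeat the same `t.Errorf("message rendering/sanitation does not match expected. ...")` block verbatim; a table-driven test with one loop would keep the assertion in one place as cases are added. TestRenderAndSanitize starts before this hunk.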
diff --git a/models/chatMessage.go b/models/chatMessage.go
index 4102fd775..2b17cd20e 100644
--- a/models/chatMessage.go
+++ b/models/chatMessage.go
@@ -2,6 +2,7 @@ package models
import (
"bytes"
+ "regexp"
"strings"
"time"
@@ -96,6 +97,7 @@ func sanitize(raw string) string {
// Require URLs to be parseable by net/url.Parse
p.AllowStandardURLs()
+ p.RequireParseableURLs(true)
// Allow links
p.AllowAttrs("href").OnElements("a")
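Review bot: `p.RequireParseableURLs(true)` looks redundant with `p.AllowStandardURLs()` on the line above, whose bluemonday documentation says it already turns on the parseable-URL requirement along with relative URLs and the mailto/http/https schemes; if that reading is right, the added line changes nothing. Either drop it, or keep it as an explicit statement of intent and say so in the comment, e.g. `// Explicitly require parseable URLs (already implied by AllowStandardURLs)`. sanitize's body continues outside the hunk on both sides.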
@@ -106,19 +108,11 @@ func sanitize(raw string) string {
// Links will get target="_blank" added to them.
p.AddTargetBlankToFullyQualifiedLinks(true)
- // Allow paragraphs
- p.AllowElements("br")
- p.AllowElements("p")
+ // Allow breaks
+ p.AllowElements("br", "p")
- // Allow img tags
- p.AllowElements("img")
- p.AllowAttrs("src").OnElements("img")
- p.AllowAttrs("alt").OnElements("img")
- p.AllowAttrs("title").OnElements("img")
-
- // Custom emoji have a class already specified.
- // We should only allow classes on emoji, not *all* imgs.
- // But TODO.
+ // Allow img tags from the the local emoji directory only
+ p.AllowAttrs("src", "alt", "class", "title").Matching(regexp.MustCompile(`(?i)/img/emoji`)).OnElements("img")
p.AllowAttrs("class").OnElements("img")
// Allow bold
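Review bot: The pattern on the `p.AllowAttrs("src", "alt", "class", "title").Matching(...)` line is unanchored, so Go's regexp treats `(?i)/img/emoji` as a substring match and any URL whose path contains that fragment passes, which is weaker than the "local emoji directory only" the comment promises; anchoring it to the start of the value, `^/img/emoji/`, is what actually restricts it to the local path. A second problem, as far as I can tell from bluemonday's semantics, is that `Matching` is applied to the value of every attribute in the list, so `alt` and `title` on a real emoji would be stripped because their values do not contain `/img/emoji`, while `class` is re-allowed unconditionally by the unchanged `p.AllowAttrs("class").OnElements("img")` immediately below, making its presence in the list redundant. I would split it into `p.AllowAttrs("src").Matching(emojiSrcRe).OnElements("img")` and `p.AllowAttrs("alt", "title", "class").OnElements("img")`, with `var emojiSrcRe = regexp.MustCompile("^/img/emoji/")` compiled once at package scope rather than on every sanitize call, and fix the duplicated "the the" in the new comment. sanitize's body continues outside the hunk on both sides.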