mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-10-19 02:43:18 +00:00
78d92aafd7
Strips EXIF information from uploaded avatars (excluding the orientation tag), affecting both user & repo avatars. Adds a new subcommand `forgejo admin avatar-strip-exif` to perform a retroactive update of avatar files. Fixes #9608. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [x] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Features - [PR](https://codeberg.org/forgejo/forgejo/pulls/9638): <!--number 9638 --><!--line 0 --><!--description VXBsb2FkZWQgYXZhdGFyIGltYWdlcyBjYW4gc29tZXRpbWVzIGNvbnRhaW4gdW5leHBlY3RlZCBtZXRhZGF0YSBzdWNoIGFzIHRoZSBsb2NhdGlvbiB3aGVyZSB0aGUgaW1hZ2Ugd2FzIGNyZWF0ZWQsIG9yIHRoZSBkZXZpY2UgdGhlIGltYWdlIHdhcyBjcmVhdGVkIHdpdGgsIHN0b3JlZCBpbiBhIGZvcm1hdCBjYWxsZWQgRVhJRi4gRm9yZ2VqbyBub3cgcmVtb3ZlcyBFWElGIGRhdGEgd2hlbiBjdXN0b20gdXNlciBhbmQgcmVwb3NpdG9yeSBpbWFnZXMgYXJlIHVwbG9hZGVkIGluIG9yZGVyIHRvIHJlZHVjZSB0aGUgcmlzayBvZiBwZXJzb25hbGx5IGlkZW50aWZpYWJsZSBpbmZvcm1hdGlvbiBiZWluZyBsZWFrZWQgdW5leHBlY3RlZGx5LiBBIG5ldyBDTEkgc3ViY29tbWFuZCBgZm9yZ2VqbyBkb2N0b3IgYXZhdGFyLXN0cmlwLWV4aWZgIGNhbiBiZSB1c2VkIHRvIHN0cmlwIEVYSUYgaW5mb3JtYXRpb24gZnJvbSBhbGwgZXhpc3RpbmcgYXZhdGFyczsgd2UgcmVjb21tZW5kIHRoYXQgYWRtaW5pc3RyYXRvcnMgcnVuIHRoaXMgY29tbWFuZCBvbmNlIGFmdGVyIHVwZ3JhZGUgaW4gb3JkZXIgdG8gbWluaW1pemUgdGhpcyByaXNrIGZvciBleGlzdGluZyBzdG9yZWQgZmlsZXMu-->Uploaded avatar images can sometimes contain unexpected metadata such as the location where the image was created, or the device the image was created with, stored in a format called EXIF. Forgejo now removes EXIF data when custom user and repository images are uploaded in order to reduce the risk of personally identifiable information being leaked unexpectedly. A new CLI subcommand `forgejo doctor avatar-strip-exif` can be used to strip EXIF information from all existing avatars; we recommend that administrators run this command once after upgrade in order to minimize this risk for existing stored files.<!--description--> <!--end release-notes-assistant--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9638 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
324 lines
9 KiB
Go
324 lines
9 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"image"
|
|
"io"
|
|
golog "log"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"text/tabwriter"
|
|
|
|
"forgejo.org/models/db"
|
|
"forgejo.org/models/migrations"
|
|
migrate_base "forgejo.org/models/migrations/base"
|
|
repo_model "forgejo.org/models/repo"
|
|
user_model "forgejo.org/models/user"
|
|
"forgejo.org/modules/container"
|
|
"forgejo.org/modules/log"
|
|
"forgejo.org/modules/setting"
|
|
"forgejo.org/modules/storage"
|
|
"forgejo.org/services/doctor"
|
|
|
|
exif_terminator "code.superseriousbusiness.org/exif-terminator"
|
|
"github.com/urfave/cli/v3"
|
|
)
|
|
|
|
// CmdDoctor represents the available doctor sub-command.
|
|
func cmdDoctor() *cli.Command {
|
|
return &cli.Command{
|
|
Name: "doctor",
|
|
Usage: "Diagnose and optionally fix problems, convert or re-create database tables",
|
|
Description: "A command to diagnose problems with the current Forgejo instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
|
|
|
|
Commands: []*cli.Command{
|
|
cmdDoctorCheck(),
|
|
cmdRecreateTable(),
|
|
cmdDoctorConvert(),
|
|
cmdAvatarStripExif(),
|
|
},
|
|
}
|
|
}
|
|
|
|
func cmdDoctorCheck() *cli.Command {
|
|
return &cli.Command{
|
|
Name: "check",
|
|
Usage: "Diagnose and optionally fix problems",
|
|
Description: "A command to diagnose problems with the current Forgejo instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
|
|
Before: noDanglingArgs,
|
|
Action: runDoctorCheck,
|
|
Flags: []cli.Flag{
|
|
&cli.BoolFlag{
|
|
Name: "list",
|
|
Usage: "List the available checks",
|
|
},
|
|
&cli.BoolFlag{
|
|
Name: "default",
|
|
Usage: "Run the default checks (if neither --run or --all is set, this is the default behaviour)",
|
|
},
|
|
&cli.StringSliceFlag{
|
|
Name: "run",
|
|
Usage: "Run the provided checks - (if --default is set, the default checks will also run)",
|
|
},
|
|
&cli.BoolFlag{
|
|
Name: "all",
|
|
Usage: "Run all the available checks",
|
|
},
|
|
&cli.BoolFlag{
|
|
Name: "fix",
|
|
Usage: "Automatically fix what we can",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "log-file",
|
|
Usage: `Name of the log file (no verbose log output by default). Set to "-" to output to stdout`,
|
|
},
|
|
&cli.BoolFlag{
|
|
Name: "color",
|
|
Aliases: []string{"H"},
|
|
Usage: "Use color for outputted information",
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func cmdRecreateTable() *cli.Command {
|
|
return &cli.Command{
|
|
Name: "recreate-table",
|
|
Usage: "Recreate tables from XORM definitions and copy the data.",
|
|
ArgsUsage: "[TABLE]... : (TABLEs to recreate - leave blank for all)",
|
|
Flags: []cli.Flag{
|
|
&cli.BoolFlag{
|
|
Name: "debug",
|
|
Usage: "Print SQL commands sent",
|
|
},
|
|
},
|
|
Description: `The database definitions Forgejo uses change across versions, sometimes changing default values and leaving old unused columns.
|
|
|
|
This command will cause Xorm to recreate tables, copying over the data and deleting the old table.
|
|
|
|
You should back-up your database before doing this and ensure that your database is up-to-date first.`,
|
|
Action: runRecreateTable,
|
|
}
|
|
}
|
|
|
|
func cmdAvatarStripExif() *cli.Command {
|
|
return &cli.Command{
|
|
Name: "avatar-strip-exif",
|
|
Usage: "Strip EXIF metadata from all images in the avatar storage",
|
|
Before: noDanglingArgs,
|
|
Action: runAvatarStripExif,
|
|
}
|
|
}
|
|
|
|
func runRecreateTable(stdCtx context.Context, ctx *cli.Command) error {
|
|
stdCtx, cancel := installSignals(stdCtx)
|
|
defer cancel()
|
|
|
|
// Redirect the default golog to here
|
|
golog.SetFlags(0)
|
|
golog.SetPrefix("")
|
|
golog.SetOutput(log.LoggerToWriter(log.GetLogger(log.DEFAULT).Info))
|
|
|
|
debug := ctx.Bool("debug")
|
|
setting.MustInstalled()
|
|
setting.LoadDBSetting()
|
|
|
|
if debug {
|
|
setting.InitSQLLoggersForCli(log.DEBUG)
|
|
} else {
|
|
setting.InitSQLLoggersForCli(log.INFO)
|
|
}
|
|
|
|
setting.Database.LogSQL = debug
|
|
if err := db.InitEngine(stdCtx); err != nil {
|
|
fmt.Println(err)
|
|
fmt.Println("Check if you are using the right config file. You can use a --config directive to specify one.")
|
|
return nil
|
|
}
|
|
|
|
args := ctx.Args()
|
|
names := make([]string, 0, ctx.NArg())
|
|
for i := range ctx.NArg() {
|
|
names = append(names, args.Get(i))
|
|
}
|
|
|
|
beans, err := db.NamesToBean(names...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
recreateTables := migrate_base.RecreateTables(beans...)
|
|
|
|
return db.InitEngineWithMigration(stdCtx, func(x db.Engine) error {
|
|
engine, err := db.GetMasterEngine(x)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := migrations.EnsureUpToDate(engine); err != nil {
|
|
return err
|
|
}
|
|
|
|
return recreateTables(engine)
|
|
})
|
|
}
|
|
|
|
func setupDoctorDefaultLogger(ctx *cli.Command, colorize bool) {
|
|
// Silence the default loggers
|
|
setupConsoleLogger(log.FATAL, log.CanColorStderr, os.Stderr)
|
|
|
|
logFile := ctx.String("log-file")
|
|
switch logFile {
|
|
case "":
|
|
return // if no doctor log-file is set, do not show any log from default logger
|
|
case "-":
|
|
setupConsoleLogger(log.TRACE, colorize, os.Stdout)
|
|
default:
|
|
logFile, _ = filepath.Abs(logFile)
|
|
writeMode := log.WriterMode{Level: log.TRACE, WriterOption: log.WriterFileOption{FileName: logFile}}
|
|
writer, err := log.NewEventWriter("console-to-file", "file", writeMode)
|
|
if err != nil {
|
|
log.FallbackErrorf("unable to create file log writer: %v", err)
|
|
return
|
|
}
|
|
log.GetManager().GetLogger(log.DEFAULT).ReplaceAllWriters(writer)
|
|
}
|
|
}
|
|
|
|
func runDoctorCheck(stdCtx context.Context, ctx *cli.Command) error {
|
|
stdCtx, cancel := installSignals(stdCtx)
|
|
defer cancel()
|
|
|
|
colorize := log.CanColorStdout
|
|
if ctx.IsSet("color") {
|
|
colorize = ctx.Bool("color")
|
|
}
|
|
|
|
setupDoctorDefaultLogger(ctx, colorize)
|
|
|
|
// Finally redirect the default golang's log to here
|
|
golog.SetFlags(0)
|
|
golog.SetPrefix("")
|
|
golog.SetOutput(log.LoggerToWriter(log.GetLogger(log.DEFAULT).Info))
|
|
|
|
if ctx.IsSet("list") {
|
|
w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
|
|
_, _ = w.Write([]byte("Default\tName\tTitle\n"))
|
|
doctor.SortChecks(doctor.Checks)
|
|
for _, check := range doctor.Checks {
|
|
if check.IsDefault {
|
|
_, _ = w.Write([]byte{'*'})
|
|
}
|
|
_, _ = w.Write([]byte{'\t'})
|
|
_, _ = w.Write([]byte(check.Name))
|
|
_, _ = w.Write([]byte{'\t'})
|
|
_, _ = w.Write([]byte(check.Title))
|
|
_, _ = w.Write([]byte{'\n'})
|
|
}
|
|
return w.Flush()
|
|
}
|
|
|
|
var checks []*doctor.Check
|
|
if ctx.Bool("all") {
|
|
checks = make([]*doctor.Check, len(doctor.Checks))
|
|
copy(checks, doctor.Checks)
|
|
} else if ctx.IsSet("run") {
|
|
addDefault := ctx.Bool("default")
|
|
runNamesSet := container.SetOf(ctx.StringSlice("run")...)
|
|
for _, check := range doctor.Checks {
|
|
if (addDefault && check.IsDefault) || runNamesSet.Contains(check.Name) {
|
|
checks = append(checks, check)
|
|
runNamesSet.Remove(check.Name)
|
|
}
|
|
}
|
|
if len(runNamesSet) > 0 {
|
|
return fmt.Errorf("unknown checks: %q", strings.Join(runNamesSet.Values(), ","))
|
|
}
|
|
} else {
|
|
for _, check := range doctor.Checks {
|
|
if check.IsDefault {
|
|
checks = append(checks, check)
|
|
}
|
|
}
|
|
}
|
|
return doctor.RunChecks(stdCtx, colorize, ctx.Bool("fix"), checks)
|
|
}
|
|
|
|
func runAvatarStripExif(ctx context.Context, c *cli.Command) error {
|
|
ctx, cancel := installSignals(ctx)
|
|
defer cancel()
|
|
|
|
if err := initDB(ctx); err != nil {
|
|
return err
|
|
}
|
|
if err := storage.Init(); err != nil {
|
|
return err
|
|
}
|
|
|
|
type HasCustomAvatarRelativePath interface {
|
|
CustomAvatarRelativePath() string
|
|
}
|
|
|
|
doExifStrip := func(obj HasCustomAvatarRelativePath, name string, target_storage storage.ObjectStorage) error {
|
|
if obj.CustomAvatarRelativePath() == "" {
|
|
return nil
|
|
}
|
|
|
|
log.Info("Stripping avatar for %s...", name)
|
|
|
|
avatarFile, err := target_storage.Open(obj.CustomAvatarRelativePath())
|
|
if err != nil {
|
|
return fmt.Errorf("storage.Avatars.Open: %w", err)
|
|
}
|
|
_, imgType, err := image.DecodeConfig(avatarFile)
|
|
if err != nil {
|
|
return fmt.Errorf("image.DecodeConfig: %w", err)
|
|
}
|
|
|
|
// reset io.Reader for exif termination scan
|
|
_, err = avatarFile.Seek(0, io.SeekStart)
|
|
if err != nil {
|
|
return fmt.Errorf("avatarFile.Seek: %w", err)
|
|
}
|
|
|
|
cleanedData, err := exif_terminator.Terminate(avatarFile, imgType)
|
|
if err != nil && strings.Contains(err.Error(), "cannot be processed") {
|
|
// expected error for an image type that isn't supported by exif_terminator
|
|
log.Info("... image type %s is not supported by exif_terminator, skipping.", imgType)
|
|
return nil
|
|
} else if err != nil {
|
|
return fmt.Errorf("error cleaning exif data: %w", err)
|
|
}
|
|
|
|
if err := storage.SaveFrom(target_storage, obj.CustomAvatarRelativePath(), func(w io.Writer) error {
|
|
_, err := io.Copy(w, cleanedData)
|
|
return err
|
|
}); err != nil {
|
|
return fmt.Errorf("Failed to create dir %s: %w", obj.CustomAvatarRelativePath(), err)
|
|
}
|
|
|
|
log.Info("... completed %s.", name)
|
|
|
|
return nil
|
|
}
|
|
|
|
err := db.Iterate(ctx, nil, func(ctx context.Context, user *user_model.User) error {
|
|
return doExifStrip(user, fmt.Sprintf("user %s", user.Name), storage.Avatars)
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = db.Iterate(ctx, nil, func(ctx context.Context, repo *repo_model.Repository) error {
|
|
return doExifStrip(repo, fmt.Sprintf("repo %s", repo.Name), storage.RepoAvatars)
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|