Stowage/forgejo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-10-19 02:43:18 +00:00
Code Issues Projects Releases Packages Wiki Activity
forgejo/modules/avatar/avatar_test.go
Mathieu Fenniak 78d92aafd7 feat: strip EXIF information from uploaded avatars (#9638) 
Strips EXIF information from uploaded avatars (excluding the orientation tag), affecting both user & repo avatars.  Adds a new subcommand `forgejo admin avatar-strip-exif` to perform a retroactive update of avatar files.

Fixes #9608.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [x] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9638): <!--number 9638 --><!--line 0 --><!--description VXBsb2FkZWQgYXZhdGFyIGltYWdlcyBjYW4gc29tZXRpbWVzIGNvbnRhaW4gdW5leHBlY3RlZCBtZXRhZGF0YSBzdWNoIGFzIHRoZSBsb2NhdGlvbiB3aGVyZSB0aGUgaW1hZ2Ugd2FzIGNyZWF0ZWQsIG9yIHRoZSBkZXZpY2UgdGhlIGltYWdlIHdhcyBjcmVhdGVkIHdpdGgsIHN0b3JlZCBpbiBhIGZvcm1hdCBjYWxsZWQgRVhJRi4gRm9yZ2VqbyBub3cgcmVtb3ZlcyBFWElGIGRhdGEgd2hlbiBjdXN0b20gdXNlciBhbmQgcmVwb3NpdG9yeSBpbWFnZXMgYXJlIHVwbG9hZGVkIGluIG9yZGVyIHRvIHJlZHVjZSB0aGUgcmlzayBvZiBwZXJzb25hbGx5IGlkZW50aWZpYWJsZSBpbmZvcm1hdGlvbiBiZWluZyBsZWFrZWQgdW5leHBlY3RlZGx5LiBBIG5ldyBDTEkgc3ViY29tbWFuZCBgZm9yZ2VqbyBkb2N0b3IgYXZhdGFyLXN0cmlwLWV4aWZgIGNhbiBiZSB1c2VkIHRvIHN0cmlwIEVYSUYgaW5mb3JtYXRpb24gZnJvbSBhbGwgZXhpc3RpbmcgYXZhdGFyczsgd2UgcmVjb21tZW5kIHRoYXQgYWRtaW5pc3RyYXRvcnMgcnVuIHRoaXMgY29tbWFuZCBvbmNlIGFmdGVyIHVwZ3JhZGUgaW4gb3JkZXIgdG8gbWluaW1pemUgdGhpcyByaXNrIGZvciBleGlzdGluZyBzdG9yZWQgZmlsZXMu-->Uploaded avatar images can sometimes contain unexpected metadata such as the location where the image was created, or the device the image was created with, stored in a format called EXIF. Forgejo now removes EXIF data when custom user and repository images are uploaded in order to reduce the risk of personally identifiable information being leaked unexpectedly. A new CLI subcommand `forgejo doctor avatar-strip-exif` can be used to strip EXIF information from all existing avatars; we recommend that administrators run this command once after upgrade in order to minimize this risk for existing stored files.<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9638
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2025-10-13 23:16:17 +02:00

188 lines
5.5 KiB
Go
Raw Blame History

// Copyright 2016 The Gogs Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package avatar
import (
"bytes"
"image"
"image/png"
"os"
"testing"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
jpegstructure "code.superseriousbusiness.org/go-jpeg-image-structure/v2"
"github.com/dsoprea/go-exif/v3"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func Test_RandomImageSize(t *testing.T) {
_, err := RandomImageSize(0, []byte("gitea@local"))
require.Error(t, err)
_, err = RandomImageSize(64, []byte("gitea@local"))
require.NoError(t, err)
}
func Test_RandomImage(t *testing.T) {
_, err := RandomImage([]byte("gitea@local"))
require.NoError(t, err)
}
func Test_ProcessAvatarPNG(t *testing.T) {
defer test.MockVariableValue(&setting.Avatar.MaxWidth, 4096)()
defer test.MockVariableValue(&setting.Avatar.MaxHeight, 4096)()
data, err := os.ReadFile("testdata/avatar.png")
require.NoError(t, err)
_, err = processAvatarImage(data, 262144)
require.NoError(t, err)
}
func Test_ProcessAvatarJPEG(t *testing.T) {
defer test.MockVariableValue(&setting.Avatar.MaxWidth, 4096)()
defer test.MockVariableValue(&setting.Avatar.MaxHeight, 4096)()
data, err := os.ReadFile("testdata/avatar.jpeg")
require.NoError(t, err)
_, err = processAvatarImage(data, 262144)
require.NoError(t, err)
}
func Test_ProcessAvatarGIF(t *testing.T) {
defer test.MockVariableValue(&setting.Avatar.MaxWidth, 4096)()
defer test.MockVariableValue(&setting.Avatar.MaxHeight, 4096)()
data, err := os.ReadFile("testdata/avatar.gif")
require.NoError(t, err)
_, err = processAvatarImage(data, 262144)
require.NoError(t, err)
}
func Test_ProcessAvatarInvalidData(t *testing.T) {
defer test.MockVariableValue(&setting.Avatar.MaxWidth, 5)()
defer test.MockVariableValue(&setting.Avatar.MaxHeight, 5)()
_, err := processAvatarImage([]byte{}, 12800)
assert.EqualError(t, err, "image.DecodeConfig: image: unknown format")
}
func Test_ProcessAvatarInvalidImageSize(t *testing.T) {
defer test.MockVariableValue(&setting.Avatar.MaxWidth, 5)()
defer test.MockVariableValue(&setting.Avatar.MaxHeight, 5)()
data, err := os.ReadFile("testdata/avatar.png")
require.NoError(t, err)
_, err = processAvatarImage(data, 12800)
assert.EqualError(t, err, "image width is too large: 10 > 5")
}
func Test_ProcessAvatarImage(t *testing.T) {
defer test.MockVariableValue(&setting.Avatar.MaxWidth, 4096)()
defer test.MockVariableValue(&setting.Avatar.MaxHeight, 4096)()
scaledSize := DefaultAvatarSize * setting.Avatar.RenderedSizeFactor
newImgData := func(size int, optHeight ...int) []byte {
width := size
height := size
if len(optHeight) == 1 {
height = optHeight[0]
}
img := image.NewRGBA(image.Rect(0, 0, width, height))
bs := bytes.Buffer{}
err := png.Encode(&bs, img)
require.NoError(t, err)
return bs.Bytes()
}
// if origin image canvas is too large, crop and resize it
origin := newImgData(500, 600)
result, err := processAvatarImage(origin, 0)
require.NoError(t, err)
assert.NotEqual(t, origin, result)
decoded, err := png.Decode(bytes.NewReader(result))
require.NoError(t, err)
assert.Equal(t, scaledSize, decoded.Bounds().Max.X)
assert.Equal(t, scaledSize, decoded.Bounds().Max.Y)
// if origin image is smaller than the default size, use the origin image
origin = newImgData(1)
result, err = processAvatarImage(origin, 0)
require.NoError(t, err)
assert.Equal(t, origin, result)
// use the origin image if the origin is smaller
origin = newImgData(scaledSize + 100)
result, err = processAvatarImage(origin, 0)
require.NoError(t, err)
assert.Less(t, len(result), len(origin))
// still use the origin image if the origin doesn't exceed the max-origin-size
origin = newImgData(scaledSize + 100)
result, err = processAvatarImage(origin, 262144)
require.NoError(t, err)
assert.Equal(t, origin, result)
// allow to use known image format (eg: webp) if it is small enough
origin, err = os.ReadFile("testdata/animated.webp")
require.NoError(t, err)
result, err = processAvatarImage(origin, 262144)
require.NoError(t, err)
assert.Equal(t, origin, result)
// do not support unknown image formats, eg: SVG may contain embedded JS
origin = []byte("<svg></svg>")
_, err = processAvatarImage(origin, 262144)
require.ErrorContains(t, err, "image: unknown format")
// make sure the canvas size limit works
setting.Avatar.MaxWidth = 5
setting.Avatar.MaxHeight = 5
origin = newImgData(10)
_, err = processAvatarImage(origin, 262144)
require.ErrorContains(t, err, "image width is too large: 10 > 5")
}
func safeExifJpeg(t *testing.T, jpeg []byte) {
t.Helper()
parser := jpegstructure.NewJpegMediaParser()
mediaContext, err := parser.ParseBytes(jpeg)
require.NoError(t, err)
sl := mediaContext.(*jpegstructure.SegmentList)
rootIfd, _, err := sl.Exif()
require.NoError(t, err)
err = rootIfd.EnumerateTagsRecursively(func(ifd *exif.Ifd, ite *exif.IfdTagEntry) error {
assert.Equal(t, "Orientation", ite.TagName(), "only Orientation EXIF tag expected")
return nil
})
require.NoError(t, err)
}
func Test_ProcessAvatarExif(t *testing.T) {
t.Run("greater than max origin size", func(t *testing.T) {
data, err := os.ReadFile("testdata/exif.jpg")
require.NoError(t, err)
processedData, err := processAvatarImage(data, 12800)
require.NoError(t, err)
safeExifJpeg(t, processedData)
})
t.Run("smaller than max origin size", func(t *testing.T) {
data, err := os.ReadFile("testdata/exif.jpg")
require.NoError(t, err)
processedData, err := processAvatarImage(data, 128000)
require.NoError(t, err)
safeExifJpeg(t, processedData)
})
}
Reference in a new issue View git blame Copy permalink