 f7603e7356
			
		
	
	
			**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9638 Strips EXIF information from uploaded avatars (excluding the orientation tag), affecting both user & repo avatars. Adds a new subcommand `forgejo doctor avatar-strip-exif` to perform a retroactive update of avatar files. Fixes #9608. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [x] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. 
<!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Features - [PR](https://codeberg.org/forgejo/forgejo/pulls/9689): <!--number 9689 --><!--line 0 --><!--description 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-->Uploaded avatar images can sometimes contain unexpected metadata such as the location where the image was created, or the device the image was created with, stored in a format called EXIF. Forgejo now removes EXIF data when custom user and repository images are uploaded in order to reduce the risk of personally identifiable information being leaked unexpectedly. A new CLI subcommand `forgejo doctor avatar-strip-exif` can be used to strip EXIF information from all existing avatars; we recommend that administrators run this command once after upgrade in order to minimize this risk for existing stored files.<!--description--> <!--end release-notes-assistant--> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9689 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
		
			
				
	
	
		
| // Copyright 2016 The Gogs Authors. All rights reserved.
 | |
| // SPDX-License-Identifier: MIT
 | |
| 
 | |
| package avatar
 | |
| 
 | |
| import (
 | |
| 	"bytes"
 | |
| 	"image"
 | |
| 	"image/png"
 | |
| 	"os"
 | |
| 	"testing"
 | |
| 
 | |
| 	"forgejo.org/modules/setting"
 | |
| 	"forgejo.org/modules/test"
 | |
| 
 | |
| 	jpegstructure "code.superseriousbusiness.org/go-jpeg-image-structure/v2"
 | |
| 	"github.com/dsoprea/go-exif/v3"
 | |
| 	"github.com/stretchr/testify/assert"
 | |
| 	"github.com/stretchr/testify/require"
 | |
| )
 | |
| 
 | |
// Test_RandomImageSize checks that RandomImageSize returns an error for a
// size of 0 and no error for a size of 64, given the same input bytes.
func Test_RandomImageSize(t *testing.T) {
	const seed = "gitea@local"

	// A zero size is expected to be rejected.
	_, zeroErr := RandomImageSize(0, []byte(seed))
	require.Error(t, zeroErr)

	// A positive size is expected to succeed.
	_, sizedErr := RandomImageSize(64, []byte(seed))
	require.NoError(t, sizedErr)
}
 | |
| 
 | |
// Test_RandomImage checks that RandomImage succeeds for a fixed input.
func Test_RandomImage(t *testing.T) {
	const seed = "gitea@local"

	_, genErr := RandomImage([]byte(seed))
	require.NoError(t, genErr)
}
 | |
| 
 | |
// Test_ProcessAvatarPNG runs testdata/avatar.png through processAvatarImage
// with both avatar dimension limits mocked to 4096 and expects no error.
// The processed bytes themselves are not inspected here.
func Test_ProcessAvatarPNG(t *testing.T) {
	restoreWidth := test.MockVariableValue(&setting.Avatar.MaxWidth, 4096)
	defer restoreWidth()
	restoreHeight := test.MockVariableValue(&setting.Avatar.MaxHeight, 4096)
	defer restoreHeight()

	raw, readErr := os.ReadFile("testdata/avatar.png")
	require.NoError(t, readErr)

	// 262144 = 256 * 1024, passed as the second (max origin size) argument.
	_, procErr := processAvatarImage(raw, 262144)
	require.NoError(t, procErr)
}
 | |
| 
 | |
// Test_ProcessAvatarJPEG runs testdata/avatar.jpeg through processAvatarImage
// with both avatar dimension limits mocked to 4096 and expects no error.
// The processed bytes themselves are not inspected here.
func Test_ProcessAvatarJPEG(t *testing.T) {
	restoreWidth := test.MockVariableValue(&setting.Avatar.MaxWidth, 4096)
	defer restoreWidth()
	restoreHeight := test.MockVariableValue(&setting.Avatar.MaxHeight, 4096)
	defer restoreHeight()

	raw, readErr := os.ReadFile("testdata/avatar.jpeg")
	require.NoError(t, readErr)

	// 262144 = 256 * 1024, passed as the second (max origin size) argument.
	_, procErr := processAvatarImage(raw, 262144)
	require.NoError(t, procErr)
}
 | |
| 
 | |
// Test_ProcessAvatarGIF runs testdata/avatar.gif through processAvatarImage
// with both avatar dimension limits mocked to 4096 and expects no error.
// The processed bytes themselves are not inspected here.
func Test_ProcessAvatarGIF(t *testing.T) {
	restoreWidth := test.MockVariableValue(&setting.Avatar.MaxWidth, 4096)
	defer restoreWidth()
	restoreHeight := test.MockVariableValue(&setting.Avatar.MaxHeight, 4096)
	defer restoreHeight()

	raw, readErr := os.ReadFile("testdata/avatar.gif")
	require.NoError(t, readErr)

	// 262144 = 256 * 1024, passed as the second (max origin size) argument.
	_, procErr := processAvatarImage(raw, 262144)
	require.NoError(t, procErr)
}
 | |
| 
 | |
// Test_ProcessAvatarInvalidData checks that an empty byte slice is rejected
// by processAvatarImage with the exact "unknown format" decode error, i.e.
// input that is not a recognised image never makes it through as an avatar.
func Test_ProcessAvatarInvalidData(t *testing.T) {
	restoreWidth := test.MockVariableValue(&setting.Avatar.MaxWidth, 5)
	defer restoreWidth()
	restoreHeight := test.MockVariableValue(&setting.Avatar.MaxHeight, 5)
	defer restoreHeight()

	empty := []byte{}
	_, procErr := processAvatarImage(empty, 12800)
	assert.EqualError(t, procErr, "image.DecodeConfig: image: unknown format")
}
 | |
| 
 | |
// Test_ProcessAvatarInvalidImageSize checks that processAvatarImage enforces
// the configured canvas limit: with MaxWidth and MaxHeight mocked to 5,
// testdata/avatar.png must be refused with a "width is too large" error
// (the expected message reports a width of 10 for the fixture).
func Test_ProcessAvatarInvalidImageSize(t *testing.T) {
	restoreWidth := test.MockVariableValue(&setting.Avatar.MaxWidth, 5)
	defer restoreWidth()
	restoreHeight := test.MockVariableValue(&setting.Avatar.MaxHeight, 5)
	defer restoreHeight()

	raw, readErr := os.ReadFile("testdata/avatar.png")
	require.NoError(t, readErr)

	_, procErr := processAvatarImage(raw, 12800)
	assert.EqualError(t, procErr, "image width is too large: 10 > 5")
}
 | |
| 
 | |
// Test_ProcessAvatarImage walks processAvatarImage through a series of inputs
// and pins, for each one, whether the original bytes are returned unchanged,
// a different (re-encoded) image is returned, or the upload is rejected.
// The cases run in order because the last one lowers the canvas limits.
func Test_ProcessAvatarImage(t *testing.T) {
	restoreWidth := test.MockVariableValue(&setting.Avatar.MaxWidth, 4096)
	defer restoreWidth()
	restoreHeight := test.MockVariableValue(&setting.Avatar.MaxHeight, 4096)
	defer restoreHeight()
	scaledSize := DefaultAvatarSize * setting.Avatar.RenderedSizeFactor

	// makePNG encodes a blank RGBA canvas as PNG. With one argument the
	// canvas is square; an optional second argument sets the height.
	makePNG := func(size int, optHeight ...int) []byte {
		w, h := size, size
		if len(optHeight) == 1 {
			h = optHeight[0]
		}
		canvas := image.NewRGBA(image.Rect(0, 0, w, h))
		var buf bytes.Buffer
		encErr := png.Encode(&buf, canvas)
		require.NoError(t, encErr)
		return buf.Bytes()
	}

	// A non-square canvas larger than the target comes back as a different
	// PNG whose bounds are scaledSize x scaledSize.
	src := makePNG(500, 600)
	out, err := processAvatarImage(src, 0)
	require.NoError(t, err)
	assert.NotEqual(t, src, out)
	img, err := png.Decode(bytes.NewReader(out))
	require.NoError(t, err)
	assert.Equal(t, scaledSize, img.Bounds().Max.X)
	assert.Equal(t, scaledSize, img.Bounds().Max.Y)

	// A 1x1 image is returned byte-for-byte even with a max origin size of 0.
	src = makePNG(1)
	out, err = processAvatarImage(src, 0)
	require.NoError(t, err)
	assert.Equal(t, src, out)

	// A square image slightly above the target size, with a max origin size
	// of 0, comes back shorter than the input.
	src = makePNG(scaledSize + 100)
	out, err = processAvatarImage(src, 0)
	require.NoError(t, err)
	assert.Less(t, len(out), len(src))

	// The same image is returned unchanged once the max origin size
	// (262144) is large enough to admit it.
	src = makePNG(scaledSize + 100)
	out, err = processAvatarImage(src, 262144)
	require.NoError(t, err)
	assert.Equal(t, src, out)

	// A known image format (here: an animated WebP fixture) is passed
	// through unchanged when it fits under the max origin size.
	src, err = os.ReadFile("testdata/animated.webp")
	require.NoError(t, err)
	out, err = processAvatarImage(src, 262144)
	require.NoError(t, err)
	assert.Equal(t, src, out)

	// Unknown formats are refused; SVG in particular may carry embedded
	// JavaScript, so it must not be accepted as an avatar.
	src = []byte("<svg></svg>")
	_, err = processAvatarImage(src, 262144)
	require.ErrorContains(t, err, "image: unknown format")

	// The canvas size limit still applies when the file is small. The
	// limits are assigned directly here; the deferred restore functions
	// above are expected to put the previous values back — confirm against
	// test.MockVariableValue.
	setting.Avatar.MaxWidth = 5
	setting.Avatar.MaxHeight = 5
	src = makePNG(10)
	_, err = processAvatarImage(src, 262144)
	require.ErrorContains(t, err, "image width is too large: 10 > 5")
}
 | |
| 
 | |
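// safeExifJpeg is a test helper that parses jpeg, reads its EXIF data and
// asserts that every tag found while walking the IFDs recursively is named
// "Orientation".
//
// The helper fails the test if the bytes cannot be parsed as a JPEG or if
// Exif() returns an error, so it is only suitable for images that are
// expected to still carry an EXIF block after processing.
//
// Scope note: only the EXIF data returned by SegmentList.Exif() is examined.
// Other places a JPEG can carry metadata are not looked at by this helper.
func safeExifJpeg(t *testing.T, jpeg []byte) {
	t.Helper()

	parser := jpegstructure.NewJpegMediaParser()
	mediaContext, err := parser.ParseBytes(jpeg)
	require.NoError(t, err)

	// Use the checked form of the type assertion so that an unexpected
	// parser result fails this test with a message instead of panicking.
	sl, ok := mediaContext.(*jpegstructure.SegmentList)
	require.True(t, ok, "parsed JPEG is not a *jpegstructure.SegmentList: %T", mediaContext)

	rootIfd, _, err := sl.Exif()
	require.NoError(t, err)

	// Every enumerated tag is asserted individually; returning nil keeps the
	// walk going so all unexpected tags are reported, not just the first.
	err = rootIfd.EnumerateTagsRecursively(func(_ *exif.Ifd, ite *exif.IfdTagEntry) error {
		assert.Equal(t, "Orientation", ite.TagName(), "only Orientation EXIF tag expected")
		return nil
	})
	require.NoError(t, err)
}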
 | |
| 
 | |
// Test_ProcessAvatarExif processes testdata/exif.jpg with two different max
// origin sizes and checks, via safeExifJpeg, that the output carries no EXIF
// tag other than Orientation in either case.
//
// Judging by the subtest names, the fixture is larger than 12800 and smaller
// than 128000, so the two subtests are presumably meant to cover both the
// path that would return the upload as-is and the path that does not; EXIF
// must be stripped on both — confirm against processAvatarImage.
func Test_ProcessAvatarExif(t *testing.T) {
	// loadFixture reads the EXIF-bearing JPEG fresh for each subtest.
	loadFixture := func(t *testing.T) []byte {
		t.Helper()
		raw, readErr := os.ReadFile("testdata/exif.jpg")
		require.NoError(t, readErr)
		return raw
	}

	t.Run("greater than max origin size", func(t *testing.T) {
		raw := loadFixture(t)

		stripped, procErr := processAvatarImage(raw, 12800)
		require.NoError(t, procErr)
		safeExifJpeg(t, stripped)
	})

	t.Run("smaller than max origin size", func(t *testing.T) {
		raw := loadFixture(t)

		stripped, procErr := processAvatarImage(raw, 128000)
		require.NoError(t, procErr)
		safeExifJpeg(t, stripped)
	})
}
 |