ignored permissions

This commit is contained in:
Kagami Sascha Rosylight 2023-03-11 22:35:44 +01:00
parent 87241994fd
commit f9bb67638e
4 changed files with 34 additions and 6 deletions


@ -84,15 +84,24 @@ async function getOEmbedPlayer($: cheerio.CheerioAPI, pageUrl: string): Promise<
// TODO: This implementation only allows basic syntax of `allow`. // TODO: This implementation only allows basic syntax of `allow`.
// Might need to implement better later. // Might need to implement better later.
const allowedFeatures = (iframe.attr('allow') ?? '').split(/\s*;\s*/g).filter(s => s);
const safeList = [ const safeList = [
'autoplay', 'autoplay',
'clipboard-write', 'clipboard-write',
'fullscreen', 'fullscreen',
'encrypted-media', 'encrypted-media',
'picture-in-picture' 'picture-in-picture',
'web-share',
]; ];
if (allowedFeatures.some(allow => !safeList.includes(allow))) { // YouTube has these but they are almost never used.
const ignoredList = [
'gyroscope',
'accelerometer',
];
const allowedPermissions =
(iframe.attr('allow') ?? '').split(/\s*;\s*/g)
.filter(s => s)
.filter(s => !ignoredList.includes(s));
if (allowedPermissions.some(allow => !safeList.includes(allow))) {
// This iframe is probably too powerful to be embedded // This iframe is probably too powerful to be embedded
return null; return null;
} }
@ -101,7 +110,7 @@ async function getOEmbedPlayer($: cheerio.CheerioAPI, pageUrl: string): Promise<
url, url,
width, width,
height, height,
allow: allowedFeatures allow: allowedPermissions
} }
} }
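Review bot: The new `allowedPermissions` pipeline still does not trim the ends of the attribute value, because the split regex only consumes whitespace around `;`, so an attribute such as `allow=" autoplay"` yields `" autoplay"`, which misses `safeList` and rejects the embed; that fails closed, which is the safe direction, but a `.map(s => s.trim())` inserted before `.filter(s => s)` would avoid rejecting otherwise acceptable players. Because `ignoredList` entries are removed before the check and the same array is returned as `allow`, the emitted iframe silently drops `gyroscope` and `accelerometer` rather than merely tolerating them; that seems intended but deserves a line next to the "YouTube has these" comment, e.g. `// Dropped from the emitted allow list as well, not just tolerated during the check.` Likewise the existing TODO could state the consequence of the basic-syntax limitation: `// Any token with origin syntax (e.g. "fullscreen 'self'") is not in safeList, so the embed is rejected (fails closed).` Both lists are rebuilt on every call; they could be module-level `readonly` constants. getOEmbedPlayer begins before this hunk and its remaining body is outside it.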


@ -294,12 +294,24 @@ describe("oEmbed", () => {
await setUpFastify('oembed-allow-fullscreen.json'); await setUpFastify('oembed-allow-fullscreen.json');
const summary = await summaly(host); const summary = await summaly(host);
expect(summary.player.url).toBe('https://example.com/'); expect(summary.player.url).toBe('https://example.com/');
expect(summary.player.allow).toStrictEqual(['fullscreen'])
}); });
test('allows safelisted features', async () => { test('allows safelisted permissions', async () => {
await setUpFastify('oembed-allow-safelisted-features.json'); await setUpFastify('oembed-allow-safelisted-features.json');
const summary = await summaly(host); const summary = await summaly(host);
expect(summary.player.url).toBe('https://example.com/'); expect(summary.player.url).toBe('https://example.com/');
expect(summary.player.allow).toStrictEqual([
'autoplay', 'clipboard-write', 'fullscreen',
'encrypted-media', 'picture-in-picture', 'web-share',
]);
});
test('ignores rare permissions', async () => {
await setUpFastify('oembed-ignore-rare-features.json');
const summary = await summaly(host);
expect(summary.player.url).toBe('https://example.com/');
expect(summary.player.allow).toStrictEqual(['autoplay']);
}); });
test('oEmbed with relative path', async () => { test('oEmbed with relative path', async () => {
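Review bot: The new 'ignores rare permissions' test only covers the case where the remaining permissions are all safelisted, so nothing here checks that filtering `ignoredList` cannot mask a rejection when a non-safelisted token is mixed with `gyroscope`/`accelerometer`; if such a negative case is not already covered outside this hunk, a fixture with e.g. `allow='gyroscope;camera'` asserting that no player is returned would pin the fail-closed path. Separately, the added `expect(summary.player.allow).toStrictEqual(['fullscreen'])` line is missing its trailing semicolon, unlike the surrounding statements. The enclosing describe block starts and ends outside this hunk.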


@ -1,7 +1,7 @@
{ {
"version": "1.0", "version": "1.0",
"type": "rich", "type": "rich",
"html": "<iframe src='https://example.com/' allow='autoplay;clipboard-write;fullscreen;encrypted-media;picture-in-picture'></iframe>", "html": "<iframe src='https://example.com/' allow='autoplay;clipboard-write;fullscreen;encrypted-media;picture-in-picture;web-share'></iframe>",
"width": 500, "width": 500,
"height": 300 "height": 300
} }


@ -0,0 +1,7 @@
{
"version": "1.0",
"type": "rich",
"html": "<iframe src='https://example.com/' allow='autoplay;gyroscope;accelerometer'></iframe>",
"width": 500,
"height": 300
}