Stub invalid media with transparent pixels (#1370)

Alexander Zinchuk 2021-08-11 01:27:45 +03:00
parent 878093ca13
commit dd58fc08df
3 changed files with 15 additions and 3 deletions


@ -11,10 +11,11 @@ import {
MEDIA_CACHE_MAX_BYTES,
MEDIA_CACHE_NAME,
MEDIA_CACHE_NAME_AVATARS,
TRANSPARENT_PIXEL,
} from '../../../config';
import localDb from '../localDb';
import { getEntityTypeById } from '../gramjsBuilders';
import { blobToDataUri } from '../../../util/files';
import { blobToDataUri, dataUriToBlob } from '../../../util/files';
import * as cacheApi from '../../../util/cacheApi';
type EntityType = (
@ -233,6 +234,11 @@ async function parseMedia(
function prepareMedia(mediaData: ApiParsedMedia): ApiPreparedMedia {
if (mediaData instanceof Blob) {
// Prevent HTML-in-video attacks
if (mediaData.type.includes('text/html')) {
return URL.createObjectURL(dataUriToBlob(TRANSPARENT_PIXEL));
}
return URL.createObjectURL(mediaData);
}
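Review bot: The new guard in `prepareMedia` is a one-entry deny-list: it stubs only blobs whose type contains `text/html`, so other types a browser treats as an active document, such as `application/xhtml+xml` or `image/svg+xml`, still receive an object URL on the app's origin. Where `mediaData.type` is set is not visible in this hunk, but if it can be influenced by the sender, widen the check to at least `if (/html|xml/.test(mediaData.type)) {`. An allow-list of the media types the callers actually expect would be better still. The identical guard added to the second `prepareMedia` in the last file section has the same gap, and the two copies could share one helper so they cannot drift apart. It would also help to extend the comment to say why the stub is needed, e.g. `// An object URL is same-origin: never hand one out for a blob the browser could render as a document`. The body of `prepareMedia` continues past the end of the hunk.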


@ -32,6 +32,7 @@ export const MEDIA_CACHE_MAX_BYTES = 512 * 1024; // 512 KB
export const CUSTOM_BG_CACHE_NAME = 'tt-custom-bg';
export const LANG_CACHE_NAME = 'tt-lang-packs-v5';
export const ASSET_CACHE_NAME = 'tt-assets';
export const TRANSPARENT_PIXEL = 'data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==';
export const DOWNLOAD_WORKERS = 16;
export const UPLOAD_WORKERS = 16;


@ -7,11 +7,11 @@ import {
} from '../api/types';
import {
DEBUG, MEDIA_CACHE_DISABLED, MEDIA_CACHE_NAME, MEDIA_CACHE_NAME_AVATARS,
DEBUG, MEDIA_CACHE_DISABLED, MEDIA_CACHE_NAME, MEDIA_CACHE_NAME_AVATARS, TRANSPARENT_PIXEL,
} from '../config';
import { callApi, cancelApiProgress } from '../api/gramjs';
import * as cacheApi from './cacheApi';
import { fetchBlob } from './files';
import { dataUriToBlob, fetchBlob } from './files';
import { IS_OPUS_SUPPORTED, IS_PROGRESSIVE_SUPPORTED, isWebpSupported } from './environment';
import { oggToWav } from './oggToWav';
import { webpToPng } from './webpToPng';
@ -167,6 +167,11 @@ async function fetchFromCacheOrRemote(url: string, mediaFormat: ApiMediaFormat,
function prepareMedia(mediaData: ApiParsedMedia): ApiPreparedMedia {
if (mediaData instanceof Blob) {
// Prevent HTML-in-video attacks
if (mediaData.type.includes('text/html')) {
return URL.createObjectURL(dataUriToBlob(TRANSPARENT_PIXEL));
}
return URL.createObjectURL(mediaData);
}