Pass virtualUser avatars through the content proxy (camoproxy)
Pass virtualUser avatars through the content proxy (camoproxy). Because someone can pass anything to virtualUser.avatarUrl, we should proxy the avatar images to avoid people scraping the IPs of anyone seeing the image (context: https://gitlab.com/gitlab-org/gitter/webapp/-/issues/2037).
Fix https://gitlab.com/gitlab-org/gitter/webapp/-/issues/2628
Testing strategy
- Add to your config/config.user-overrides.json (secret values are in the Gitter secrets repo, https://gitlab.com/gl-gitter/secrets/blob/master/webapp/prod):

```json
"camo": {
  "camoUrl": "https://user-content.gitter-static.net",
  "camoSecret": "<see Gitter secrets repo, https://gitlab.com/gl-gitter/secrets/blob/master/webapp/prod>"
}
```
- Restart the webapp
- If not already in your Mongo database, create the bridge OAuth client and access token that are allowed to bridge and use virtualUser:

```
$ mongo gitter
> db.oauthclients.insert({
    clientKey: 'bot-bridge',
    clientSecret: Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15),
    name: 'Bridge OAuth app for bot services to bridge in messages',
    tag: 'bot-bridge'
  })
// You probably need to change the `gitter-badger` username to something that exists on your local instance. Can be any user
> db.oauthaccesstokens.insert({
    token: Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15),
    clientId: db.oauthclients.findOne({ clientKey: 'bot-bridge' })._id,
    userId: db.users.findOne({ username: 'gitter-badger' })._id
  })
> db.oauthaccesstokens.find({ clientId: db.oauthclients.findOne({ clientKey: 'bot-bridge' })._id })
```
- Send a message from a virtualUser with an avatarUrl: POST http://localhost:5000/api/v1/rooms/:roomId/chatMessages with

```json
{
  "virtualUser": {
    "type": "matrix",
    "externalId": "madlittlemods:matrix.org",
    "displayName": "madlittlemods (Eric Eastwood)",
    "avatarUrl": "https://matrix-client.matrix.org/_matrix/media/r0/thumbnail/matrix.org/bDayqThxTIcGNcskzIADknRv?width=30&height=30&method=crop"
  },
  "text": "asdf"
}
```
- Once https://gitlab.com/gitlab-org/gitter/webapp/-/merge_requests/2042 is merged, you can just go to your local riot instance and send a message back in one of the bridged rooms.
- Notice the avatar image is being requested from https://user-content.gitter-static.net