From f2907454960e9f05f5b3c3f3cb2864e71932cff2 Mon Sep 17 00:00:00 2001 From: Claudio Costa Date: Mon, 5 Aug 2024 12:33:09 +0200 Subject: [PATCH] Fully deprecate /api/v4/image endpoint when image proxy is disabled (#27595) Co-authored-by: Mattermost Build --- server/channels/api4/image.go | 17 ++++++++++++----- server/channels/api4/image_test.go | 4 ++-- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/server/channels/api4/image.go b/server/channels/api4/image.go index b64d7ca5e1..42a29575e6 100644 --- a/server/channels/api4/image.go +++ b/server/channels/api4/image.go @@ -37,10 +37,17 @@ func getImage(c *Context, w http.ResponseWriter, r *http.Request) { parsedURL.Host = siteURL.Host } - // in case image proxy is enabled and we are fetching a remote image (NOT static or served by plugins), pass request to proxy - if *c.App.Config().ImageProxySettings.Enable && parsedURL.Host != siteURL.Host { - c.App.ImageProxy().GetImage(w, r, parsedURL.String()) - } else { - http.Redirect(w, r, parsedURL.String(), http.StatusFound) + if *c.App.Config().ImageProxySettings.Enable { + // in case image proxy is enabled and we are fetching a remote image (NOT static or served by plugins), pass request to proxy + if parsedURL.Host != siteURL.Host { + c.App.ImageProxy().GetImage(w, r, parsedURL.String()) + } else { + // Otherwise we redirect. + http.Redirect(w, r, parsedURL.String(), http.StatusFound) + } + return } + + // When proxy disabled this endpoint should fail as we don't support redirecting to external images any longer (MM-54477). + c.Err = model.NewAppError("getImage", "api.image.get.app_error", nil, "", http.StatusBadRequest) } diff --git a/server/channels/api4/image_test.go b/server/channels/api4/image_test.go index c63603d47c..66883fb4fb 100644 --- a/server/channels/api4/image_test.go +++ b/server/channels/api4/image_test.go @@ -37,10 +37,10 @@ func TestGetImage(t *testing.T) { require.NoError(t, err) r.Header.Set(model.HeaderAuth, th.Client.AuthType+" "+th.Client.AuthToken) + // External images should not be allowed through this endpoint when proxy is disabled. resp, err := th.Client.HTTPClient.Do(r) require.NoError(t, err) - assert.Equal(t, http.StatusFound, resp.StatusCode) - assert.Equal(t, imageURL, resp.Header.Get("Location")) + assert.Equal(t, http.StatusBadRequest, resp.StatusCode) }) t.Run("atmos/camo", func(t *testing.T) {