From 973fc775c0719b7b7e0869684bd9c72d1a36d0a4 Mon Sep 17 00:00:00 2001
From: Oleksii Kriuchykhin
Date: Tue, 30 Jul 2019 13:31:22 +0200
Subject: [PATCH] Enforce file size limits for direct uploads on S3 [SCI-3681]

---
 app/controllers/users/registrations_controller.rb | 2 +-
 .../active_storage/service/custom_s3_service.rb   | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users/registrations_controller.rb b/app/controllers/users/registrations_controller.rb
index d36d90945..3f8f2b86e 100644
--- a/app/controllers/users/registrations_controller.rb
+++ b/app/controllers/users/registrations_controller.rb
@@ -31,7 +31,7 @@ class Users::RegistrationsController < Devise::RegistrationsController
       end
     elsif params.include? :change_avatar
       params.delete(:change_avatar)
-      if !params.include?(:avatar)
+      if !params.include?(:avatar) || (params[:avatar].length > Constants::AVATAR_MAX_SIZE_MB.megabytes * 2)
         resource.errors.add(:avatar, :blank)
         false
       else
diff --git a/app/services/active_storage/service/custom_s3_service.rb b/app/services/active_storage/service/custom_s3_service.rb
index 7847284b7..08a75645d 100644
--- a/app/services/active_storage/service/custom_s3_service.rb
+++ b/app/services/active_storage/service/custom_s3_service.rb
@@ -113,6 +113,8 @@ module ActiveStorage
     end
 
     def url_for_direct_upload(key, expires_in:, content_type:, content_length:, checksum:)
+      raise ActiveStorage::IntegrityError if content_length > Rails.configuration.x.file_max_size_mb.megabytes
+
       instrument :url, key: key do |payload|
         generated_url = object_for(key).presigned_url :put, expires_in: expires_in.to_i,
                                                       content_type: content_type, content_length: content_length, content_md5: checksum
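Review bot: The new size condition shares the `:blank` error with the missing-avatar case, so a user who uploads a file that is too large is told the avatar is blank; the two conditions deserve separate errors. The check also calls `.length` directly on `params[:avatar]`, which reads as a base64-encoded string (hence the `* 2` headroom over the decoded limit) — if the parameter ever arrives in another shape the comparison raises instead of failing validation, so please confirm what the client posts and consider coercing before measuring. The enclosing method starts and ends outside the hunk.
```ruby
      if !params.include?(:avatar)
        resource.errors.add(:avatar, :blank)
        false
      elsif params[:avatar].length > Constants::AVATAR_MAX_SIZE_MB.megabytes * 2
        resource.errors.add(:avatar, :invalid) # placeholder key: use the project's "too large" message
        false
      else
        # … unchanged: avatar assignment …
```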
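Review bot: `content_length` at this point is the size the client declared for the direct upload, so the new `raise` only screens honest declarations; the enforcement that actually holds is that the presigned PUT binds Content-Length once the signer change at the bottom of this file is in place, and a comment saying so would stop a later cleanup from removing one half of the mechanism. `ActiveStorage::IntegrityError` is the checksum-mismatch error, and unless the direct-uploads controller rescues it the oversize case most likely surfaces as a 500 rather than a 4xx; a dedicated error class, or a rescue to `head :unprocessable_entity` at the call site, would make the rejection explicit. A `nil` `content_length` also raises `NoMethodError` on the comparison instead of being rejected — `raise ActiveStorage::IntegrityError if content_length.nil? || content_length > Rails.configuration.x.file_max_size_mb.megabytes` covers both. The method's `instrument` block continues past the hunk.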
@@ -169,4 +171,16 @@ module ActiveStorage
       end
     end
   end
+
+  module S3SignerModifier
+    def build_signer(cfg)
+      signer = super(cfg)
+      signer.unsigned_headers.delete('content-length')
+      signer
+    end
+  end
+
+  Aws::S3::Presigner.class_eval do
+    prepend S3SignerModifier
+  end
 end
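Review bot: `S3SignerModifier#build_signer` overrides what is, as far as I can tell, a private implementation method of `Aws::S3::Presigner`, and a gem upgrade that renames or restructures it would silently leave `content-length` unsigned again — at which point the limit raised in `url_for_direct_upload` no longer binds on the S3 side and nothing in this file would notice. Say why the patch exists and guard it: `# The SDK presigner leaves content-length unsigned; sign it so S3 rejects a PUT whose size differs from the presigned content_length` above the module, and `raise NotImplementedError, 'Aws::S3::Presigner#build_signer not found' unless Aws::S3::Presigner.private_method_defined?(:build_signer) || Aws::S3::Presigner.method_defined?(:build_signer)` before the prepend. The comment should also note that this changes every presigned URL the process builds through `Aws::S3::Presigner`, not only direct uploads. Style-wise, `Aws::S3::Presigner.prepend(S3SignerModifier)` replaces the `class_eval` block and the explicit argument to `super` can be dropped.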