Fix dangerous use of uri open, remove unused obsolete file encryptor module [SCI-11259] (#8030)

2024-12-26 09:42:46 +08:00 · 2024-11-11 15:39:36 +01:00 · 2024-11-11 15:39:36 +01:00 · f2c9a7c0a5
commit f2c9a7c0a5
parent 575920f83d
5 changed files with 3 additions and 26 deletions
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 # frozen_string_literal: true

-source 'http://rubygems.org'
+source 'https://rubygems.org'

 ruby '~> 3.2.2'

--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@ -114,10 +114,7 @@ module Users
          email: auth_hash['info']['email'],
          password: generate_user_password
        )
-        if auth_hash['info']['picture_url']
-          avatar = URI.open(auth_hash['info']['picture_url'])
-          @user.avatar.attach(io: avatar, filename: 'linkedin_avatar.jpg')
-        end
+        @user.avatar.attach(io: URI(auth_hash['info']['picture_url']).open, filename: 'linkedin_avatar.jpg') if auth_hash['info']['picture_url']
        user_identity = UserIdentity.new(user: @user,
                                         provider: auth_hash['provider'],
                                         uid: auth_hash['uid'])
--- a/app/models/asset.rb
+++ b/app/models/asset.rb
@ -3,7 +3,6 @@
 class Asset < ApplicationRecord
  include SearchableModel
  include DatabaseHelper
-  include Encryptor
  include WopiUtil
  include ActiveStorageFileUtil
  include ActiveStorageConcerns
--- a/app/utilities/encryptor.rb
+++ b/app/utilities/encryptor.rb
@ -1,19 +0,0 @@
-module Encryptor
-  def decrypt(data)
-    return '' unless data.present?
-    cipher = build_cipher(:decrypt, 'f5awRubeTUd2E*8duxum')
-    cipher.update(Base64.urlsafe_decode64(data).unpack('m')[0]) + cipher.final
-  end
-
-  def encrypt(data)
-    return '' unless data.present?
-    cipher = build_cipher(:encrypt, 'f5awRubeTUd2E*8duxum')
-    Base64.urlsafe_encode64([cipher.update(data) + cipher.final].pack('m'))
-  end
-
-  def build_cipher(type, password)
-    cipher = OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC').send(type)
-    cipher.pkcs5_keyivgen(password)
-    cipher
-  end
-end
--- a/app/utilities/protocol_importers/attachments_builder.rb
+++ b/app/utilities/protocol_importers/attachments_builder.rb
@ -7,7 +7,7 @@ module ProtocolImporters

      step_json[:attachments].map do |f|
        asset = Asset.new(created_by: user, last_modified_by: user, team: team)
-        asset.attach_file_version(io: URI.open(f[:url]), filename: f[:name])
+        asset.attach_file_version(io: URI(f[:url]).open, filename: f[:name])
        asset
      end
    end