Merge pull request #321 from okriuchykhin/ok_SCI_736

Improve regexp for image whitelisting [SCI-736]
okriuchykhin 2016-11-28 15:46:54 +01:00 committed by GitHub
commit f9c8223fe5
3 changed files with 9 additions and 16 deletions


@ -114,8 +114,9 @@ class AssetsController < ApplicationController
fields: s3_post.fields
})
if (asset.file_content_type =~
%r{/^image\/#{Constants::WHITELISTED_IMAGE_TYPES.join("|")}/}) == 0
condition = %r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}}
if condition === asset.file_content_type
asset.file.options[:styles].each do |style, option|
s3_post = S3_BUCKET.presigned_post(
key: asset.file.path(style)[1..-1],
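Review bot: The new `condition` regex has no terminating anchor and uses `^` rather than `\A`, so a content type like `image/pngx`, or a multi-line value whose second line begins with `image/png`, still satisfies `condition === asset.file_content_type` and gets presigned style uploads; the `allow_styles_on_images` callback this commit removes from Asset matched `^...$`. Suggest `condition = %r{\Aimage/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}\z}`. The same regex is rebuilt in `Asset#is_image?`; presumably `file_content_type` is the attribute that method reads, in which case `if asset.is_image?` here keeps a single definition of what counts as an image. The enclosing controller action starts before this hunk.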


@ -19,7 +19,7 @@ class Asset < ActiveRecord::Base
# Should be checked for any security leaks
do_not_validate_attachment_file_type :file
before_file_post_process :allow_styles_on_images
before_file_post_process :is_image?
# Asset validation
# This could cause some problems if you create empty asset and want to
@ -138,8 +138,8 @@ class Asset < ActiveRecord::Base
end
def is_image?
!(file.content_type =~
%r{/^image\/#{Constants::WHITELISTED_IMAGE_TYPES.join("|")}/}).nil?
%r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}} ===
file.content_type
end
def text?
@ -298,16 +298,6 @@ class Asset < ActiveRecord::Base
cache
end
protected
# Checks if attachments is an image (in post processing imagemagick will
# generate styles)
def allow_styles_on_images
if !(file.content_type =~ %r{^(image|(x-)?application)/(x-png|pjpeg|jpeg|jpg|png|gif)$})
return false
end
end
private
def filter_paperclip_errors
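Review bot: `is_image?` in the second hunk now gates ImageMagick style generation on its own (it replaces `allow_styles_on_images` in the `before_file_post_process` list), but it dropped the end anchor the removed callback had, and Ruby's `^` is a line anchor, so `image/bmp.exe` or a multi-line content type still counts as an image. Suggest `%r{\Aimage/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}\z} === file.content_type`. With `do_not_validate_attachment_file_type :file` left in place (flagged by the existing comment "Should be checked for any security leaks"), this predicate is the only visible check deciding whether an upload reaches ImageMagick, so the exact match is worth having. A one-line comment such as `# Only whitelisted image/* types get ImageMagick styles; halts post-processing otherwise` would make the callback's role clear.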


@ -201,7 +201,9 @@ class Constants
'text/plain'
].freeze
WHITELISTED_IMAGE_TYPES = ['gif', 'jpeg', 'png', 'svg+xml', 'bmp'].freeze
WHITELISTED_IMAGE_TYPES = [
'gif', 'jpeg', 'pjpeg', 'png', 'x-png', 'svg+xml', 'bmp'
].freeze
# Very basic regex to check for validity of emails
BASIC_EMAIL_REGEX = URI::MailTo::EMAIL_REGEXP
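Review bot: `svg+xml` stays in WHITELISTED_IMAGE_TYPES, and this commit makes that list the sole input to the regex that lets an upload through to ImageMagick style generation; SVG is an XML document that ImageMagick rasterizes via external delegates and that browsers will run script from when served inline, so it warrants a different policy than the raster types. Consider keeping a separate list for types that trigger styles, e.g. `STYLED_IMAGE_TYPES = %w[gif jpeg pjpeg png x-png bmp].freeze`, or confirming the ImageMagick policy and the Content-Disposition used on delivery, which this page does not show. The added `pjpeg` and `x-png` are legacy browser-reported aliases; a comment would help the next reader: `# 'pjpeg' and 'x-png' are non-standard aliases some browsers send for jpeg/png`.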