scinote-eln/scinote-web
1
1
Fork 0
mirror of https://github.com/scinote-eln/scinote-web.git synced 2025-11-12 01:11:24 +08:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #321 from okriuchykhin/ok_SCI_736

Browse source 
Improve regexp for image whitelisting [SCI-736]
This commit is contained in:
okriuchykhin 2016-11-28 15:46:54 +01:00 committed by GitHub
commit f9c8223fe5
3 changed files with 9 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
app/controllers/assets_controller.rb
View file

@ -114,8 +114,9 @@ class AssetsController < ApplicationController
fields: s3_post.fields fields: s3_post.fields
}) })
if (asset.file_content_type =~ condition = %r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}}
%r{/^image\/#{Constants::WHITELISTED_IMAGE_TYPES.join("|")}/}) == 0
if condition === asset.file_content_type
asset.file.options[:styles].each do |style, option| asset.file.options[:styles].each do |style, option|
s3_post = S3_BUCKET.presigned_post( s3_post = S3_BUCKET.presigned_post(
key: asset.file.path(style)[1..-1], key: asset.file.path(style)[1..-1],

16
app/models/asset.rb
View file

@ -19,7 +19,7 @@ class Asset < ActiveRecord::Base
# Should be checked for any security leaks # Should be checked for any security leaks
do_not_validate_attachment_file_type :file do_not_validate_attachment_file_type :file
before_file_post_process :allow_styles_on_images before_file_post_process :is_image?
# Asset validation # Asset validation
# This could cause some problems if you create empty asset and want to # This could cause some problems if you create empty asset and want to
@ -138,8 +138,8 @@ class Asset < ActiveRecord::Base
end end
def is_image? def is_image?
!(file.content_type =~ %r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}} ===
%r{/^image\/#{Constants::WHITELISTED_IMAGE_TYPES.join("|")}/}).nil? file.content_type
end end
def text? def text?
@ -298,16 +298,6 @@ class Asset < ActiveRecord::Base
cache cache
end end
protected
# Checks if attachments is an image (in post processing imagemagick will
# generate styles)
def allow_styles_on_images
if !(file.content_type =~ %r{^(image|(x-)?application)/(x-png|pjpeg|jpeg|jpg|png|gif)$})
return false
end
end
private private
def filter_paperclip_errors def filter_paperclip_errors

4
config/initializers/constants.rb
View file

@ -201,7 +201,9 @@ class Constants
'text/plain' 'text/plain'
].freeze ].freeze
WHITELISTED_IMAGE_TYPES = ['gif', 'jpeg', 'png', 'svg+xml', 'bmp'].freeze WHITELISTED_IMAGE_TYPES = [
'gif', 'jpeg', 'pjpeg', 'png', 'x-png', 'svg+xml', 'bmp'
].freeze
# Very basic regex to check for validity of emails # Very basic regex to check for validity of emails
BASIC_EMAIL_REGEX = URI::MailTo::EMAIL_REGEXP BASIC_EMAIL_REGEX = URI::MailTo::EMAIL_REGEXP