FIX: Don't blow up when trying to parse invalid or non-ASCII URLs (#9838)

* FIX: Don't blow up when trying to parseinvalid or non-ASCII URLs Follow-up to 72f139191e
2020-05-20 12:46:27 +03:00 · 2020-05-20 12:46:27 +03:00 · 02f44def56
parent fb15da43da
commit 02f44def56
2 changed files with 15 additions and 1 deletions
--- a/lib/file_store/s3_store.rb
+++ b/lib/file_store/s3_store.rb
@ -79,7 +79,12 @@ module FileStore
    def has_been_uploaded?(url)
      return false if url.blank?

-      parsed_url = URI.parse(url)
+      begin
+        parsed_url = URI.parse(URI.encode(url))
+      rescue URI::InvalidURIError
+        return false
+      end
+
      base_hostname = URI.parse(absolute_base_url).hostname
      if url[base_hostname]
        # if the hostnames match it means the upload is in the same
--- a/spec/components/file_store/s3_store_spec.rb
+++ b/spec/components/file_store/s3_store_spec.rb
@ -304,6 +304,15 @@ describe FileStore::S3Store do

  describe ".has_been_uploaded?" do

+    it "doesn't crash for invalid URLs" do
+      expect(store.has_been_uploaded?("https://site.discourse.com/#bad#6")).to eq(false)
+    end
+
+    it "doesn't crash if URL contains non-ascii characters" do
+      expect(store.has_been_uploaded?("//s3-upload-bucket.s3.dualstack.us-east-1.amazonaws.com/漢1337.png")).to eq(true)
+      expect(store.has_been_uploaded?("//s3-upload-bucket.s3.amazonaws.com/漢1337.png")).to eq(false)
+    end
+
    it "identifies S3 uploads" do
      expect(store.has_been_uploaded?("//s3-upload-bucket.s3.dualstack.us-east-1.amazonaws.com/1337.png")).to eq(true)
    end