replace the upload type whitelist with a sanitizer

2017-05-18 12:13:13 +02:00 · 2017-05-18 12:13:13 +02:00 · 13e489b4ca
parent 8e5b0c79ae
commit 13e489b4ca
4 changed files with 12 additions and 19 deletions
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@ -5,9 +5,8 @@ class UploadsController < ApplicationController
  skip_before_filter :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]

  def create
-    type = params.require(:type)
-
-    raise Discourse::InvalidAccess.new unless Upload::UPLOAD_TYPES.include?(type)
+    # 50 characters ought to be enough for the upload type
+    type = params.require(:type).parameterize("_")[0..50]

    if type == "avatar" && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
      return render json: failed_json, status: 422
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@ -21,9 +21,6 @@ class Upload < ActiveRecord::Base

  validates_with ::Validators::UploadValidator

-  CROPPED_TYPES ||= %w{avatar card_background custom_emoji profile_background}.each(&:freeze)
-  UPLOAD_TYPES  ||= CROPPED_TYPES + %w{composer category_logo category_background wizard_logo_url wizard_logo_small_url wizard_favicon_url wizard_apple_touch_icon_url}.each(&:freeze)
-
  def thumbnail(width = self.width, height = self.height)
    optimized_images.find_by(width: width, height: height)
  end
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@ -5,10 +5,12 @@ class UploadCreator

  TYPES_CONVERTED_TO_JPEG ||= %i{bmp png}

+  TYPES_TO_CROP ||= %w{avatar card_background custom_emoji profile_background}.each(&:freeze)
+
  WHITELISTED_SVG_ELEMENTS ||= %w{
    circle clippath defs ellipse g line linearGradient path polygon polyline
    radialGradient rect stop svg text textpath tref tspan use
-  }
+  }.each(&:freeze)

  # Available options
  #  - type (string)
@ -177,7 +179,7 @@ class UploadCreator
  end

  def should_crop?
-    Upload::CROPPED_TYPES.include?(@opts[:type])
+    TYPES_TO_CROP.include?(@opts[:type])
  end

  def crop!
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@ -33,18 +33,13 @@ describe UploadsController do
        })
      end

-      it 'fails if type is invalid' do
-        xhr :post, :create, file: logo, type: "invalid type cause has space"
-        expect(response.status).to eq 403
+      it 'expects a type' do
+        expect { xhr :post, :create, file: logo }.to raise_error(ActionController::ParameterMissing)
+      end

-        xhr :post, :create, file: logo, type: "\\invalid"
-        expect(response.status).to eq 403
-
-        xhr :post, :create, file: logo, type: "invalid."
-        expect(response.status).to eq 403
-
-        xhr :post, :create, file: logo, type: "toolong"*100
-        expect(response.status).to eq 403
+      it 'parameterize the type' do
+        subject.expects(:create_upload).with(logo, nil, "super_long_type_with_charssuper_long_type_with_char")
+        xhr :post, :create, file: logo, type: "super \# long \//\\ type with \\. $%^&*( chars" * 5
      end

      it 'is successful with an image' do