gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2015-03-03 05:11:50 +0300
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2015-03-03 05:11:50 +0300
commit16e899ca8b44a87883464ada507f521d02548fe2 (patch)
treed7b4dde6abfe0c5d204dcab24cf32bc0f77dc68d /app/controllers/uploads_controller.rb
parentcc877c53abbb1a8799b35dddac35b963dd5ecfdd (diff)
Add brakeman rake task and improve code security
Diffstat (limited to 'app/controllers/uploads_controller.rb')
-rw-r--r--app/controllers/uploads_controller.rb41
1 files changed, 36 insertions, 5 deletions
diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index b096c3913e1..810ac9f34bd 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -3,22 +3,53 @@ class UploadsController < ApplicationController
before_filter :authorize_access
def show
- model = params[:model].camelize.constantize.find(params[:id])
- uploader = model.send(params[:mounted_as])
+ unless upload_model && upload_mount
+ return not_found!
+ end
- return not_found! if model.respond_to?(:project) && !can?(current_user, :read_project, model.project)
+ model = upload_model.find(params[:id])
+ uploader = model.send(upload_mount)
- return redirect_to uploader.url unless uploader.file_storage?
+ if model.respond_to?(:project) && !can?(current_user, :read_project, model.project)
+ return not_found!
+ end
- return not_found! unless uploader.file.exists?
+ unless uploader.file_storage?
+ return redirect_to uploader.url
+ end
+
+ unless uploader.file.exists?
+ return not_found!
+ end
disposition = uploader.image? ? 'inline' : 'attachment'
send_file uploader.file.path, disposition: disposition
end
+ private
+
def authorize_access
unless params[:mounted_as] == 'avatar'
authenticate_user! && reject_blocked!
end
end
+
+ def upload_model
+ upload_models = {
+ user: User,
+ project: Project,
+ note: Note,
+ group: Group
+ }
+
+ upload_models[params[:model].to_sym]
+ end
+
+ def upload_mount
+ upload_mounts = %w(avatar attachment file)
+
+ if upload_mounts.include?(params[:mounted_as])
+ params[:mounted_as]
+ end
+ end
end
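Review bot: In `upload_model`, `params[:model].to_sym` turns a request parameter into a symbol before the allow-list lookup, so a request without `model` raises NoMethodError (unless the route already guarantees it), and on Ruby versions that do not garbage-collect symbols every distinct value stays allocated. Keying the hash by string avoids both: `upload_models = { 'user' => User, 'project' => Project, 'note' => Note, 'group' => Group }` and then `upload_models[params[:model]]`. Separately, `upload_mount` is one list shared by all four models, so `model.send(upload_mount)` can still be asked for a mount the selected model may not define; a per-model list of mounts would make the allow-list exact. Because `authorize_access` skips authentication whenever `mounted_as` is `avatar` and the `:read_project` check in `show` only runs when the model responds to `project`, it is worth confirming and documenting in a comment which models are meant to be readable anonymously through that path.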