author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-12 18:09:28 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-12 18:09:28 +0000 |
commit | ce8a0b90849ac5d1895e741c023432930f24d724 (patch) | |
tree | dbdc97de542cdbe18a2fc8b1a6b64ac0673ed3d3 /app/uploaders | |
parent | dc889678d1de8c09310b2f8f9742bb6c78a6f1a4 (diff) | |
download | gitlab-ce-ce8a0b90849ac5d1895e741c023432930f24d724.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/uploaders')
-rw-r--r-- | app/uploaders/avatar_uploader.rb | 7 | ||||
-rw-r--r-- | app/uploaders/content_type_whitelist.rb | 53 | ||||
-rw-r--r-- | app/uploaders/favicon_uploader.rb | 9 | ||||
-rw-r--r-- | app/uploaders/gitlab_uploader.rb | 2 |
4 files changed, 65 insertions, 6 deletions
diff --git a/app/uploaders/avatar_uploader.rb b/app/uploaders/avatar_uploader.rb
index e4046e4b7e6..73dafaefb41 100644
--- a/app/uploaders/avatar_uploader.rb
+++ b/app/uploaders/avatar_uploader.rb
@@ -5,9 +5,8 @@ class AvatarUploader < GitlabUploader
 include RecordsUploads::Concern
 include ObjectStorage::Concern
 prepend ObjectStorage::Extension::RecordsUploads
- include UploadTypeCheck::Concern
- check_upload_type extensions: AvatarUploader::SAFE_IMAGE_EXT
+ MIME_WHITELIST = %w[image/png image/jpeg image/gif image/bmp image/tiff image/vnd.microsoft.icon].freeze
 def exists?
 model.avatar.file && model.avatar.file.present?
@@ -29,6 +28,10 @@ class AvatarUploader < GitlabUploader
 super || 'avatar'
 end
+ def content_type_whitelist
+ MIME_WHITELIST
+ end
+
 private
 def dynamic_segment
diff --git a/app/uploaders/content_type_whitelist.rb b/app/uploaders/content_type_whitelist.rb
new file mode 100644
index 00000000000..b3975d7e2e0
--- /dev/null
+++ b/app/uploaders/content_type_whitelist.rb
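Review bot: Removing `check_upload_type extensions: AvatarUploader::SAFE_IMAGE_EXT` in favour of a MIME-only whitelist drops whatever cross-check UploadTypeCheck::Concern made between a file's extension and its sniffed content (its implementation is not in this diff, so this is inferred from the name); after this change a file carrying a whitelisted extension and the bytes of a different whitelisted image type passes the extension check and the content-type check independently. The favicon_uploader.rb hunk makes the same trade. If that is intended, a one-line comment above `MIME_WHITELIST`, e.g. `# Content is validated by magic bytes only (ContentTypeWhitelist::Concern); extension and content type are not cross-checked.`, would record the decision for the next reader. The AvatarUploader class body continues outside both hunks.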
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+# Currently we run CarrierWave 1.3.1 which means we can not whitelist files
+# by their content type through magic header parsing.
+#
+# This is a patch to hold us over until we get to CarrierWave 2 :) It's a mashup of
+# CarrierWave's lib/carrierwave/uploader/content_type_whitelist.rb and
+# lib/carrierwave/sanitized_file.rb
+#
+# Include this concern and add a content_type_whitelist method to get the same
+# behavior as you would with CarrierWave 2.
+#
+# This is not an exact replacement as we don't override
+# SanitizedFile#content_type but we do set the content_type attribute when we
+# check the whitelist.
+#
+# Remove this after moving to CarrierWave 2, though on practical terms it shouldn't
+# break anything if left for a while.
+module ContentTypeWhitelist
+ module Concern
+ extend ActiveSupport::Concern
+
+ private
+
+ # CarrierWave calls this method as part of it's before :cache callbacks.
+ # Here we override and extend CarrierWave's method that does not parse the
+ # magic headers.
+ def check_content_type_whitelist!(new_file)
+ new_file.content_type = mime_magic_content_type(new_file.path)
+
+ if content_type_whitelist && !whitelisted_content_type?(new_file.content_type)
+ message = I18n.translate(:"errors.messages.content_type_whitelist_error", allowed_types: Array(content_type_whitelist).join(", "))
+ raise CarrierWave::IntegrityError, message
+ end
+
+ super(new_file)
+ end
+
+ def whitelisted_content_type?(content_type)
+ Array(content_type_whitelist).any? { |item| content_type =~ /#{item}/ }
+ end
+
+ def mime_magic_content_type(path)
+ if path
+ File.open(path) do |file|
+ MimeMagic.by_magic(file).try(:type) || 'invalid/invalid'
+ end
+ end
+ rescue Errno::ENOENT
+ nil
+ end
+ end
+end
diff --git a/app/uploaders/favicon_uploader.rb b/app/uploaders/favicon_uploader.rb
index f393fdf0d84..c9be55e001c 100644
--- a/app/uploaders/favicon_uploader.rb
+++ b/app/uploaders/favicon_uploader.rb
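Review bot: `whitelisted_content_type?` matches with `content_type =~ /#{item}/`, which is neither anchored nor escaped: `image/png` also accepts a detected type that merely contains that substring, and the `.` characters in `image/vnd.microsoft.icon` match any character. Both whitelists added in this commit are plain strings, so an exact comparison is simpler and easier to audit, `Array(content_type_whitelist).any? { |item| item == content_type }`, or `/\A#{Regexp.escape(item)}\z/` if regex entries are to stay supported as in CarrierWave 2. The practical exposure is presumably small because the compared value comes from MimeMagic rather than from the client, but a whitelist check should not depend on that. The comment above `check_content_type_whitelist!` would also benefit from stating that `mime_magic_content_type` yields nil for a missing path and `'invalid/invalid'` for unrecognised bytes, and that both fail closed because neither value can match a whitelist entry — that property is what makes the check worth having and is easy to lose in a later refactor.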
@@ -1,16 +1,17 @@
 # frozen_string_literal: true
 class FaviconUploader < AttachmentUploader
- include UploadTypeCheck::Concern
-
 EXTENSION_WHITELIST = %w[png ico].freeze
-
- check_upload_type extensions: EXTENSION_WHITELIST
+ MIME_WHITELIST = %w[image/png image/vnd.microsoft.icon].freeze
 def extension_whitelist
 EXTENSION_WHITELIST
 end
+ def content_type_whitelist
+ MIME_WHITELIST
+ end
+
 private
 def filename_for_different_format(filename, format)
diff --git a/app/uploaders/gitlab_uploader.rb b/app/uploaders/gitlab_uploader.rb
index 7dc211b14e4..654bb15378c 100644
--- a/app/uploaders/gitlab_uploader.rb
+++ b/app/uploaders/gitlab_uploader.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 class GitlabUploader < CarrierWave::Uploader::Base
+ include ContentTypeWhitelist::Concern
+
 class_attribute :options
 class << self
|
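Review bot: Adding `include ContentTypeWhitelist::Concern` to the base class makes the overridden `check_content_type_whitelist!` run for every GitlabUploader subclass, and its first statement overwrites `new_file.content_type` with the sniffed type (or `'invalid/invalid'`) before `content_type_whitelist` is consulted, so uploaders that define no whitelist still get their content type replaced on every cache. Only AvatarUploader and FaviconUploader opt in to a whitelist in this commit; if the sniffing side effect is not wanted elsewhere, guard it in the concern with `return super(new_file) unless content_type_whitelist` as the first line of `check_content_type_whitelist!`. Whether anything downstream relies on the previous content_type value is not visible from this diff, so a spec exercising a non-whitelisting uploader would settle it. The GitlabUploader class body continues outside the hunk.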