Merge remote-tracking branch 'dev/15-9-stable' into 15-9-stable

author: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2023-05-02 11:11:07 +0000
committer: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2023-05-02 11:11:07 +0000
commit: 8554eaaf8c461767bae4be077d925aec055dde4b (patch)
tree: 4d3748f99871b44b64fa4074ff9ecf1eba1ade44 /lib/banzai/filter/asset_proxy_filter.rb
parent: c6cc9bc94e23e01a01ed191aba993ccf2b443680 (diff)
parent: 44e981b3fb85a561c9d93f6d823d562b27789df4 (diff)
download: gitlab-ce-8554eaaf8c461767bae4be077d925aec055dde4b.tar.gz
1 files changed, 43 insertions, 1 deletions
diff --git a/lib/banzai/filter/asset_proxy_filter.rb b/lib/banzai/filter/asset_proxy_filter.rb
index 4c14ee7299b..6371a8f23af 100644
--- a/lib/banzai/filter/asset_proxy_filter.rb
+++ b/lib/banzai/filter/asset_proxy_filter.rb
@@ -6,11 +6,35 @@ module Banzai
     # as well as hiding the customer's IP address when requesting images.
     # Copies the original img `src` to `data-canonical-src` then replaces the
     # `src` with a new url to the proxy server.
-    class AssetProxyFilter < HTML::Pipeline::CamoFilter
+    #
+    # Based on https://github.com/gjtorikian/html-pipeline/blob/v2.14.3/lib/html/pipeline/camo_filter.rb
+    class AssetProxyFilter < HTML::Pipeline::Filter
       def initialize(text, context = nil, result = nil)
         super
       end
 
+      def call
+        return doc unless asset_proxy_enabled?
+
+        doc.search('img').each do |element|
+          original_src = element['src']
+          next unless original_src
+
+          begin
+            uri = URI.parse(original_src)
+          rescue StandardError
+            next
+          end
+
+          next if uri.host.nil? && !original_src.start_with?('///')
+          next if asset_host_allowed?(uri.host)
+
+          element['src'] = asset_proxy_url(original_src)
+          element['data-canonical-src'] = original_src
+        end
+        doc
+      end
+
       def validate
         needs(:asset_proxy, :asset_proxy_secret_key) if asset_proxy_enabled?
       end
@@ -63,6 +87,24 @@ module Banzai
           application_settings.try(:asset_proxy_whitelist).presence ||
           [Gitlab.config.gitlab.host]
       end
+
+      private
+
+      def asset_proxy_enabled?
+        !context[:disable_asset_proxy]
+      end
+
+      def asset_proxy_url(url)
+        "#{context[:asset_proxy]}/#{asset_url_hash(url)}/#{hexencode(url)}"
+      end
+
+      def asset_url_hash(url)
+        OpenSSL::HMAC.hexdigest('sha1', context[:asset_proxy_secret_key], url)
+      end
+
+      def hexencode(str)
+        str.unpack1('H*')
+      end
     end
   end
 end
author	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2023-05-02 11:11:07 +0000
committer	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2023-05-02 11:11:07 +0000
commit	8554eaaf8c461767bae4be077d925aec055dde4b (patch)
tree	4d3748f99871b44b64fa4074ff9ecf1eba1ade44 /lib/banzai/filter/asset_proxy_filter.rb
parent	c6cc9bc94e23e01a01ed191aba993ccf2b443680 (diff)
parent	44e981b3fb85a561c9d93f6d823d562b27789df4 (diff)
download	gitlab-ce-8554eaaf8c461767bae4be077d925aec055dde4b.tar.gz