From e8d0d6ba9eeedf3d895ceb5e679866d4889cbf36 Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Mon, 11 Dec 2017 17:23:29 +0100
Subject: Use app host instead of asset host when rendering image blob or diff
---
 app/helpers/blob_helper.rb | 14 +++++++++-----
 app/helpers/diff_helper.rb | 16 ++++++++++++----
 app/views/projects/blob/viewers/_image.html.haml | 3 ++-
 app/views/projects/diffs/_replaced_image_diff.html.haml | 16 ++++++++--------
 app/views/projects/diffs/_single_image_diff.html.haml | 6 +++---
 changelogs/unreleased/dm-image-blob-diff-full-url.yml | 5 +++++
 6 files changed, 39 insertions(+), 21 deletions(-)
 create mode 100644 changelogs/unreleased/dm-image-blob-diff-full-url.yml
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 18075ee8be7..556ed233ccf 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -118,20 +118,24 @@ module BlobHelper
 icon("#{file_type_icon_class('file', mode, name)} fw")
 end
- def blob_raw_path
+ def blob_raw_url(only_path: false)
 if @build && @entry
- raw_project_job_artifacts_path(@project, @build, path: @entry.path)
+ raw_project_job_artifacts_url(@project, @build, path: @entry.path, only_path: only_path)
 elsif @snippet
 if @snippet.project_id
- raw_project_snippet_path(@project, @snippet)
+ raw_project_snippet_url(@project, @snippet, only_path: only_path)
 else
- raw_snippet_path(@snippet)
+ raw_snippet_url(@snippet, only_path: only_path)
 end
 elsif @blob
- project_raw_path(@project, @id)
+ project_raw_url(@project, @id, only_path: only_path)
 end
 end
+ def blob_raw_path
+ blob_raw_url(only_path: true)
+ end
+
 # SVGs can contain malicious JavaScript; only include whitelisted
 # elements and attributes. Note that this whitelist is by no means complete
 # and may omit some elements.
diff --git a/app/helpers/diff_helper.rb b/app/helpers/diff_helper.rb
index e82136f0177..1ce487e6592 100644
--- a/app/helpers/diff_helper.rb
+++ b/app/helpers/diff_helper.rb
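Review bot: `blob_raw_url` in this hunk carries no comment explaining why it now returns an absolute URL, so the only rationale lives in the `_image.html.haml` view and a future caller could hand the `only_path: true` form to `image_tag` and reintroduce the asset-host prefix; add `# Absolute URL to the raw blob (only_path: true gives a host-relative path); image_tag needs the full URL so it is not rewritten to the asset host.` above the def. The method still falls through to nil when none of `@build`/`@entry`, `@snippet` or `@blob` is set, which the commit leaves as is and which then reaches `image_tag` unchecked; a `# Returns nil when no blob source is loaded` note, or an explicit final `else` branch, would make that contract visible. The `_url` helpers take their host from the routing defaults or, failing that, from the request, so confirm the application pins the host; otherwise the absolute URL written into the page reflects whatever Host header arrived. The enclosing `BlobHelper` module continues outside the hunk.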
@@ -104,15 +104,23 @@ module DiffHelper
 ].join(' ').html_safe
 end
- def diff_file_blob_raw_path(diff_file)
- project_raw_path(@project, tree_join(diff_file.content_sha, diff_file.file_path))
+ def diff_file_blob_raw_url(diff_file, only_path: false)
+ project_raw_url(@project, tree_join(diff_file.content_sha, diff_file.file_path), only_path: only_path)
 end
- def diff_file_old_blob_raw_path(diff_file)
+ def diff_file_old_blob_raw_url(diff_file, only_path: false)
 sha = diff_file.old_content_sha
 return unless sha
- project_raw_path(@project, tree_join(diff_file.old_content_sha, diff_file.old_path))
+ project_raw_url(@project, tree_join(diff_file.old_content_sha, diff_file.old_path), only_path: only_path)
+ end
+
+ def diff_file_blob_raw_path(diff_file)
+ diff_file_blob_raw_url(diff_file, only_path: true)
+ end
+
+ def diff_file_old_blob_raw_path(diff_file)
+ diff_file_old_blob_raw_url(diff_file, only_path: true)
 end
 def diff_file_html_data(project, diff_file_path, diff_commit_id)
diff --git a/app/views/projects/blob/viewers/_image.html.haml b/app/views/projects/blob/viewers/_image.html.haml
index 26ea028c5d7..2a8cefac005 100644
--- a/app/views/projects/blob/viewers/_image.html.haml
+++ b/app/views/projects/blob/viewers/_image.html.haml
@@ -1,2 +1,3 @@
 .file-content.image_file
- = image_tag(blob_raw_path, alt: viewer.blob.name)
+ -# Uses the full URL rather than the path, to prevent it from getting prefixed with the asset host.
+ = image_tag(blob_raw_url, alt: viewer.blob.name)
diff --git a/app/views/projects/diffs/_replaced_image_diff.html.haml b/app/views/projects/diffs/_replaced_image_diff.html.haml
index 8fc232b464e..6dffc7c4390 100644
--- a/app/views/projects/diffs/_replaced_image_diff.html.haml
+++ b/app/views/projects/diffs/_replaced_image_diff.html.haml
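Review bot: In `diff_file_old_blob_raw_url` the rewritten call still re-reads `diff_file.old_content_sha` right after the `sha` local was assigned and nil-checked, so the guard and the value actually used can diverge if that accessor is anything but a plain reader; use the local: `project_raw_url(@project, tree_join(sha, diff_file.old_path), only_path: only_path)`. Neither new `_url` method says why an absolute form exists, and the `_path` wrappers read as the primary API even though the views now call the `_url` variants; a one-line `# Absolute URL (host-relative path with only_path: true) to the raw blob at this diff's content SHA; image tags need the full URL so the asset host is not prefixed.` on each would carry that intent into the helper. `diff_file_html_data` starts on the hunk's last line and continues outside it.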
@@ -1,7 +1,7 @@
 - blob = diff_file.blob
 - old_blob = diff_file.old_blob
-- blob_raw_path = diff_file_blob_raw_path(diff_file)
-- old_blob_raw_path = diff_file_old_blob_raw_path(diff_file)
+- blob_raw_url = diff_file_blob_raw_url(diff_file)
+- old_blob_raw_url = diff_file_old_blob_raw_url(diff_file)
 - click_to_comment = local_assigns.fetch(:click_to_comment, true)
 - diff_view_data = local_assigns.fetch(:diff_view_data, '')
 - class_name = ''
@@ -13,7 +13,7 @@
 .two-up.view
 .wrap
 .frame.deleted
- = image_tag(old_blob_raw_path, alt: diff_file.old_path, lazy: false)
+ = image_tag(old_blob_raw_url, alt: diff_file.old_path, lazy: false)
 %p.image-info.hide
 %span.meta-filesize= number_to_human_size(old_blob.size)
 |
@@ -23,7 +23,7 @@
 %strong H:
 %span.meta-height
 .wrap
- = render partial: "projects/diffs/image_diff_frame", locals: { class_name: "added js-image-frame #{class_name}", position: position, note_type: DiffNote.name, image_path: blob_raw_path, alt: diff_file.new_path }
+ = render partial: "projects/diffs/image_diff_frame", locals: { class_name: "added js-image-frame #{class_name}", position: position, note_type: DiffNote.name, image_path: blob_raw_url, alt: diff_file.new_path }
 %p.image-info.hide
 %span.meta-filesize= number_to_human_size(blob.size)
 |
@@ -36,9 +36,9 @@
 .swipe.view.hide
 .swipe-frame
 .frame.deleted
- = image_tag(old_blob_raw_path, alt: diff_file.old_path, lazy: false)
+ = image_tag(old_blob_raw_url, alt: diff_file.old_path, lazy: false)
 .swipe-wrap
- = render partial: "projects/diffs/image_diff_frame", locals: { class_name: "added js-image-frame #{class_name}", position: position, note_type: DiffNote.name, image_path: blob_raw_path, alt: diff_file.new_path }
+ = render partial: "projects/diffs/image_diff_frame", locals: { class_name: "added js-image-frame #{class_name}", position: position, note_type: DiffNote.name, image_path: blob_raw_url, alt: diff_file.new_path }
 %span.swipe-bar
 %span.top-handle
 %span.bottom-handle
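Review bot: The new view local `blob_raw_url` in the first hunk has the same name as the `blob_raw_url` helper this commit adds to `BlobHelper`, so within this template a bare `blob_raw_url` now resolves to the local rather than the helper, and the two return URLs for different blobs; the previous `blob_raw_path` local had the same collision, but the rename is the moment to break it. Renaming the locals to `- image_url = diff_file_blob_raw_url(diff_file)` and `- old_image_url = diff_file_old_blob_raw_url(diff_file)` and updating the `image_tag` and `image_path:` uses in the later hunks of this file removes the ambiguity. The same shadowing is introduced in both hunks of `_single_image_diff.html.haml`. The `image_path:` local handed to `image_diff_frame` now carries an absolute URL, so a reader of that partial (outside this diff) would presumably benefit from a note there that a full URL is expected — worth confirming in the partial.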
@@ -46,8 +46,8 @@
 .onion-skin.view.hide
 .onion-skin-frame
 .frame.deleted
- = image_tag(old_blob_raw_path, alt: diff_file.old_path, lazy: false)
- = render partial: "projects/diffs/image_diff_frame", locals: { class_name: "added js-image-frame #{class_name}", position: position, note_type: DiffNote.name, image_path: blob_raw_path, alt: diff_file.new_path }
+ = image_tag(old_blob_raw_url, alt: diff_file.old_path, lazy: false)
+ = render partial: "projects/diffs/image_diff_frame", locals: { class_name: "added js-image-frame #{class_name}", position: position, note_type: DiffNote.name, image_path: blob_raw_url, alt: diff_file.new_path }
 .controls
 .transparent
 .drag-track
diff --git a/app/views/projects/diffs/_single_image_diff.html.haml b/app/views/projects/diffs/_single_image_diff.html.haml
index 6b0c6bbe48f..12be8beab39 100644
--- a/app/views/projects/diffs/_single_image_diff.html.haml
+++ b/app/views/projects/diffs/_single_image_diff.html.haml
@@ -1,7 +1,7 @@
 - blob = diff_file.blob
 - old_blob = diff_file.old_blob
-- blob_raw_path = diff_file_blob_raw_path(diff_file)
-- old_blob_raw_path = diff_file_old_blob_raw_path(diff_file)
+- blob_raw_url = diff_file_blob_raw_url(diff_file)
+- old_blob_raw_url = diff_file_old_blob_raw_url(diff_file)
 - click_to_comment = local_assigns.fetch(:click_to_comment, true)
 - diff_view_data = local_assigns.fetch(:diff_view_data, '')
 - class_name = ''
@@ -12,5 +12,5 @@
 .image.js-single-image{ data: diff_view_data }
 .wrap
 - single_class_name = diff_file.deleted_file? ? 'deleted' : 'added'
- = render partial: "projects/diffs/image_diff_frame", locals: { class_name: "#{single_class_name} #{class_name} js-image-frame", position: position, note_type: DiffNote.name, image_path: blob_raw_path, alt: diff_file.file_path }
+ = render partial: "projects/diffs/image_diff_frame", locals: { class_name: "#{single_class_name} #{class_name} js-image-frame", position: position, note_type: DiffNote.name, image_path: blob_raw_url, alt: diff_file.file_path }
 %p.image-info= number_to_human_size(blob.size)
diff --git a/changelogs/unreleased/dm-image-blob-diff-full-url.yml b/changelogs/unreleased/dm-image-blob-diff-full-url.yml
new file mode 100644
index 00000000000..db44a5a16b5
--- /dev/null
+++ b/changelogs/unreleased/dm-image-blob-diff-full-url.yml
@@ -0,0 +1,5 @@
+---
+title: Use app host instead of asset host when rendering image blob or diff
+merge_request:
+author:
+type: fixed
-- cgit v1.2.1