Active Storage representations: respond with 404 given invalid variation key

activestorage/app/controllers/active_storage/representations/base_controller.rb

@@ -0,0 +1,12 @@
+class ActiveStorage::Representations::BaseController < ActiveStorage::BaseController #:nodoc:
+  include ActiveStorage::SetBlob
+
+  before_action :set_representation
+
+  private
+    def set_representation
+      @representation = @blob.representation(params[:variation_key]).processed
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      head :not_found
+    end
+end

activestorage/app/controllers/active_storage/representations/proxy_controller.rb

@@ -1,17 +1,10 @@
 # frozen_string_literal: true
 
 # Proxy files through application. This avoids having a redirect and makes files easier to cache.
-class ActiveStorage::Representations::ProxyController < ActiveStorage::BaseController
-  include ActiveStorage::SetBlob
-
+class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
   def show
     http_cache_forever public: true do
-      send_blob_stream representation.image
+      send_blob_stream @representation.image
     end
   end
-
-  private
-    def representation
-      @representation ||= @blob.representation(params[:variation_key]).processed
-    end
 end

activestorage/app/controllers/active_storage/representations/redirect_controller.rb

@@ -4,11 +4,9 @@
 # Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
 # security-through-obscurity factor of the signed blob and variation reference, you'll need to implement your own
 # authenticated redirection controller.
-class ActiveStorage::Representations::RedirectController < ActiveStorage::BaseController
-  include ActiveStorage::SetBlob
-
+class ActiveStorage::Representations::RedirectController < ActiveStorage::Representations::BaseController
   def show
     expires_in ActiveStorage.service_urls_expire_in
-    redirect_to @blob.representation(params[:variation_key]).processed.url(disposition: params[:disposition])
+    redirect_to @representation.url(disposition: params[:disposition])
   end
 end

activestorage/test/controllers/representations/proxy_controller_test.rb

@@ -30,6 +30,15 @@ class ActiveStorage::Representations::ProxyControllerWithVariantsTest < ActionDi
 
     assert_response :not_found
   end
+
+  test "showing variant with invalid variation key" do
+    get rails_blob_representation_proxy_url(
+      filename: @blob.filename,
+      signed_blob_id: @blob.signed_id,
+      variation_key: "invalid")
+
+    assert_response :not_found
+  end
 end
 
 class ActiveStorage::Representations::ProxyControllerWithPreviewsTest < ActionDispatch::IntegrationTest
@@ -61,4 +70,13 @@ class ActiveStorage::Representations::ProxyControllerWithPreviewsTest < ActionDi
 
     assert_response :not_found
   end
+
+  test "showing preview with invalid variation key" do
+    get rails_blob_representation_proxy_url(
+      filename: @blob.filename,
+      signed_blob_id: @blob.signed_id,
+      variation_key: "invalid")
+
+    assert_response :not_found
+  end
 end

activestorage/test/controllers/representations/redirect_controller_test.rb

@@ -31,6 +31,15 @@ class ActiveStorage::Representations::RedirectControllerWithVariantsTest < Actio
 
     assert_response :not_found
   end
+
+  test "showing variant with invalid variation key" do
+    get rails_blob_representation_url(
+      filename: @blob.filename,
+      signed_blob_id: @blob.signed_id,
+      variation_key: "invalid")
+
+    assert_response :not_found
+  end
 end
 
 class ActiveStorage::Representations::RedirectControllerWithPreviewsTest < ActionDispatch::IntegrationTest
@@ -62,4 +71,13 @@ class ActiveStorage::Representations::RedirectControllerWithPreviewsTest < Actio
 
     assert_response :not_found
   end
+
+  test "showing preview with invalid variation key" do
+    get rails_blob_representation_url(
+      filename: @blob.filename,
+      signed_blob_id: @blob.signed_id,
+      variation_key: "invalid")
+
+    assert_response :not_found
+  end
 end