Fix ArgumentError: Unsafe redirect

2019-01-19 15:50:56 +09:00 · 2019-01-19 15:50:56 +09:00 · ee65ca46e5
parent 9608b180bf
commit ee65ca46e5
4 changed files with 57 additions and 2 deletions
--- a/activestorage/app/controllers/active_storage/blobs_controller.rb
+++ b/activestorage/app/controllers/active_storage/blobs_controller.rb
@ -9,6 +9,6 @@ class ActiveStorage::BlobsController < ActiveStorage::BaseController

  def show
    expires_in ActiveStorage.service_urls_expire_in
-    redirect_to @blob.service_url(disposition: params[:disposition])
+    redirect_to @blob.service_url(disposition: params[:disposition]), allow_other_host: true
  end
 end
--- a/activestorage/app/controllers/active_storage/representations_controller.rb
+++ b/activestorage/app/controllers/active_storage/representations_controller.rb
@ -9,6 +9,6 @@ class ActiveStorage::RepresentationsController < ActiveStorage::BaseController

  def show
    expires_in ActiveStorage.service_urls_expire_in
-    redirect_to @blob.representation(params[:variation_key]).processed.service_url(disposition: params[:disposition])
+    redirect_to @blob.representation(params[:variation_key]).processed.service_url(disposition: params[:disposition]), allow_other_host: true
  end
 end
--- a/activestorage/test/controllers/blobs_controller_test.rb
+++ b/activestorage/test/controllers/blobs_controller_test.rb
@ -20,3 +20,28 @@ class ActiveStorage::BlobsControllerTest < ActionDispatch::IntegrationTest
    assert_equal "max-age=300, private", @response.headers["Cache-Control"]
  end
 end
+
+if SERVICE_CONFIGURATIONS[:s3] && SERVICE_CONFIGURATIONS[:s3][:access_key_id].present?
+  class ActiveStorage::S3BlobsControllerTest < ActionDispatch::IntegrationTest
+    setup do
+      @old_service = ActiveStorage::Blob.service
+      ActiveStorage::Blob.service = ActiveStorage::Service.configure(:s3, SERVICE_CONFIGURATIONS)
+    end
+
+    teardown do
+      ActiveStorage::Blob.service = @old_service
+    end
+
+    test "allow redirection to the different host" do
+      blob = create_file_blob filename: "racecar.jpg"
+
+      assert_nothing_raised { get rails_blob_url(blob) }
+      assert_response :redirect
+      assert_no_match @request.host, @response.headers["Location"]
+    ensure
+      blob.purge
+    end
+  end
+else
+  puts "Skipping S3 redirection tests because no S3 configuration was supplied"
+end
--- a/activestorage/test/controllers/representations_controller_test.rb
+++ b/activestorage/test/controllers/representations_controller_test.rb
@ -59,3 +59,33 @@ class ActiveStorage::RepresentationsControllerWithPreviewsTest < ActionDispatch:
    assert_response :not_found
  end
 end
+
+if SERVICE_CONFIGURATIONS[:s3] && SERVICE_CONFIGURATIONS[:s3][:access_key_id].present?
+  class ActiveStorage::S3RepresentationsControllerWithVariantsTest < ActionDispatch::IntegrationTest
+    setup do
+      @old_service = ActiveStorage::Blob.service
+      ActiveStorage::Blob.service = ActiveStorage::Service.configure(:s3, SERVICE_CONFIGURATIONS)
+    end
+
+    teardown do
+      ActiveStorage::Blob.service = @old_service
+    end
+
+    test "allow redirection to the different host" do
+      blob = create_file_blob filename: "racecar.jpg"
+
+      assert_nothing_raised do
+        get rails_blob_representation_url(
+          filename: blob.filename,
+          signed_blob_id: blob.signed_id,
+          variation_key: ActiveStorage::Variation.encode(resize: "100x100"))
+      end
+      assert_response :redirect
+      assert_no_match @request.host, @response.headers["Location"]
+    ensure
+      blob.purge
+    end
+  end
+else
+  puts "Skipping S3 redirection tests because no S3 configuration was supplied"
+end