mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Merge pull request #42960 from FestaLab/activestorage/unsafe-redirect
Fix open redirects in active storage
This commit is contained in:
commit
ef65eeef08
5 changed files with 96 additions and 2 deletions
|
@ -11,6 +11,6 @@ class ActiveStorage::Blobs::RedirectController < ActiveStorage::BaseController
|
||||||
|
|
||||||
def show
|
def show
|
||||||
expires_in ActiveStorage.service_urls_expire_in
|
expires_in ActiveStorage.service_urls_expire_in
|
||||||
redirect_to @blob.url(disposition: params[:disposition])
|
redirect_to @blob.url(disposition: params[:disposition]), allow_other_host: true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -9,6 +9,6 @@
|
||||||
class ActiveStorage::Representations::RedirectController < ActiveStorage::Representations::BaseController
|
class ActiveStorage::Representations::RedirectController < ActiveStorage::Representations::BaseController
|
||||||
def show
|
def show
|
||||||
expires_in ActiveStorage.service_urls_expire_in
|
expires_in ActiveStorage.service_urls_expire_in
|
||||||
redirect_to @representation.url(disposition: params[:disposition])
|
redirect_to @representation.url(disposition: params[:disposition]), allow_other_host: true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -55,3 +55,38 @@ class ActiveStorage::Blobs::ExpiringRedirectControllerTest < ActionDispatch::Int
|
||||||
assert_response :not_found
|
assert_response :not_found
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
class ActiveStorage::Blobs::RedirectControllerWithOpenRedirectTest < ActionDispatch::IntegrationTest
|
||||||
|
if SERVICE_CONFIGURATIONS[:s3]
|
||||||
|
test "showing existing blob stored in s3" do
|
||||||
|
with_raise_on_open_redirects(:s3) do
|
||||||
|
blob = create_file_blob filename: "racecar.jpg", service_name: :s3
|
||||||
|
|
||||||
|
get rails_storage_redirect_url(blob)
|
||||||
|
assert_redirected_to(/racecar\.jpg/)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
if SERVICE_CONFIGURATIONS[:azure]
|
||||||
|
test "showing existing blob stored in azure" do
|
||||||
|
with_raise_on_open_redirects(:azure) do
|
||||||
|
blob = create_file_blob filename: "racecar.jpg", service_name: :azure
|
||||||
|
|
||||||
|
get rails_storage_redirect_url(blob)
|
||||||
|
assert_redirected_to(/racecar\.jpg/)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
if SERVICE_CONFIGURATIONS[:gcs]
|
||||||
|
test "showing existing blob stored in gcs" do
|
||||||
|
with_raise_on_open_redirects(:gcs) do
|
||||||
|
blob = create_file_blob filename: "racecar.jpg", service_name: :gcs
|
||||||
|
|
||||||
|
get rails_storage_redirect_url(blob)
|
||||||
|
assert_redirected_to(/racecar\.jpg/)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
|
@ -132,3 +132,50 @@ class ActiveStorage::Representations::RedirectControllerWithPreviewsWithStrictLo
|
||||||
assert_equal 100, image.height
|
assert_equal 100, image.height
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
class ActiveStorage::Representations::RedirectControllerWithOpenRedirectTest < ActionDispatch::IntegrationTest
|
||||||
|
if SERVICE_CONFIGURATIONS[:s3]
|
||||||
|
test "showing existing variant stored in s3" do
|
||||||
|
with_raise_on_open_redirects(:s3) do
|
||||||
|
blob = create_file_blob filename: "racecar.jpg", service_name: :s3
|
||||||
|
|
||||||
|
get rails_blob_representation_url(
|
||||||
|
filename: blob.filename,
|
||||||
|
signed_blob_id: blob.signed_id,
|
||||||
|
variation_key: ActiveStorage::Variation.encode(resize_to_limit: [100, 100]))
|
||||||
|
|
||||||
|
assert_redirected_to(/racecar\.jpg/)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
if SERVICE_CONFIGURATIONS[:azure]
|
||||||
|
test "showing existing variant stored in azure" do
|
||||||
|
with_raise_on_open_redirects(:azure) do
|
||||||
|
blob = create_file_blob filename: "racecar.jpg", service_name: :azure
|
||||||
|
|
||||||
|
get rails_blob_representation_url(
|
||||||
|
filename: blob.filename,
|
||||||
|
signed_blob_id: blob.signed_id,
|
||||||
|
variation_key: ActiveStorage::Variation.encode(resize_to_limit: [100, 100]))
|
||||||
|
|
||||||
|
assert_redirected_to(/racecar\.jpg/)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
if SERVICE_CONFIGURATIONS[:gcs]
|
||||||
|
test "showing existing variant stored in gcs" do
|
||||||
|
with_raise_on_open_redirects(:gcs) do
|
||||||
|
blob = create_file_blob filename: "racecar.jpg", service_name: :gcs
|
||||||
|
|
||||||
|
get rails_blob_representation_url(
|
||||||
|
filename: blob.filename,
|
||||||
|
signed_blob_id: blob.signed_id,
|
||||||
|
variation_key: ActiveStorage::Variation.encode(resize_to_limit: [100, 100]))
|
||||||
|
|
||||||
|
assert_redirected_to(/racecar\.jpg/)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
|
@ -139,6 +139,18 @@ class ActiveSupport::TestCase
|
||||||
yield
|
yield
|
||||||
ActiveStorage.track_variants = variant_tracking_was
|
ActiveStorage.track_variants = variant_tracking_was
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def with_raise_on_open_redirects(service)
|
||||||
|
old_raise_on_open_redirects = ActionController::Base.raise_on_open_redirects
|
||||||
|
old_service = ActiveStorage::Blob.service
|
||||||
|
|
||||||
|
ActionController::Base.raise_on_open_redirects = true
|
||||||
|
ActiveStorage::Blob.service = ActiveStorage::Service.configure(service, SERVICE_CONFIGURATIONS)
|
||||||
|
yield
|
||||||
|
ensure
|
||||||
|
ActionController::Base.raise_on_open_redirects = old_raise_on_open_redirects
|
||||||
|
ActiveStorage::Blob.service = old_service
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
require "global_id"
|
require "global_id"
|
||||||
|
|
Loading…
Reference in a new issue