2018-10-06 19:10:08 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2015-10-12 17:47:32 -04:00
|
|
|
require "tempfile"
|
2018-04-03 12:47:33 -04:00
|
|
|
require "tmpdir"
|
2015-10-12 17:47:32 -04:00
|
|
|
require "fileutils"
|
|
|
|
|
|
|
|
class UploadedFile
|
2018-04-03 12:47:33 -04:00
|
|
|
InvalidPathError = Class.new(StandardError)
|
2019-10-18 07:11:44 -04:00
|
|
|
UnknownSizeError = Class.new(StandardError)
|
2018-04-03 12:47:33 -04:00
|
|
|
|
2015-10-12 17:47:32 -04:00
|
|
|
# The filename, *not* including the path, of the "uploaded" file
|
|
|
|
attr_reader :original_filename
|
|
|
|
|
|
|
|
# The tempfile
|
|
|
|
attr_reader :tempfile
|
|
|
|
|
|
|
|
# The content type of the "uploaded" file
|
|
|
|
attr_accessor :content_type
|
|
|
|
|
2018-04-03 12:47:33 -04:00
|
|
|
attr_reader :remote_id
|
|
|
|
attr_reader :sha256
|
2019-10-18 07:11:44 -04:00
|
|
|
attr_reader :size
|
|
|
|
|
|
|
|
def initialize(path, filename: nil, content_type: "application/octet-stream", sha256: nil, remote_id: nil, size: nil)
|
|
|
|
if path.present?
|
|
|
|
raise InvalidPathError, "#{path} file does not exist" unless ::File.exist?(path)
|
|
|
|
|
|
|
|
@tempfile = File.new(path, 'rb')
|
|
|
|
@size = @tempfile.size
|
|
|
|
else
|
|
|
|
begin
|
|
|
|
@size = Integer(size)
|
|
|
|
rescue ArgumentError, TypeError
|
|
|
|
raise UnknownSizeError, 'Unable to determine file size'
|
|
|
|
end
|
|
|
|
end
|
2015-10-12 17:47:32 -04:00
|
|
|
|
|
|
|
@content_type = content_type
|
2019-10-18 07:11:44 -04:00
|
|
|
@original_filename = sanitize_filename(filename || path || '')
|
2018-04-03 12:47:33 -04:00
|
|
|
@content_type = content_type
|
|
|
|
@sha256 = sha256
|
|
|
|
@remote_id = remote_id
|
2015-10-12 17:47:32 -04:00
|
|
|
end
|
|
|
|
|
2020-09-29 14:09:52 -04:00
|
|
|
# TODO this function is meant to replace .from_params when the feature flag
|
|
|
|
# upload_middleware_jwt_params_handler is removed
|
|
|
|
# See https://gitlab.com/gitlab-org/gitlab/-/issues/233895#roll-out-steps
|
2020-09-18 08:09:50 -04:00
|
|
|
def self.from_params_without_field(params, upload_paths)
|
|
|
|
path = params['path']
|
|
|
|
remote_id = params['remote_id']
|
|
|
|
return if path.blank? && remote_id.blank?
|
|
|
|
|
|
|
|
# don't use file_path if remote_id is set
|
|
|
|
if remote_id.present?
|
|
|
|
file_path = nil
|
|
|
|
elsif path.present?
|
|
|
|
file_path = File.realpath(path)
|
|
|
|
|
|
|
|
unless self.allowed_path?(file_path, Array(upload_paths).compact)
|
|
|
|
raise InvalidPathError, "insecure path used '#{file_path}'"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
UploadedFile.new(
|
|
|
|
file_path,
|
|
|
|
filename: params['name'],
|
|
|
|
content_type: params['type'] || 'application/octet-stream',
|
|
|
|
sha256: params['sha256'],
|
|
|
|
remote_id: remote_id,
|
|
|
|
size: params['size']
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2020-09-29 14:09:52 -04:00
|
|
|
# Deprecated. Don't use it.
|
|
|
|
# .from_params_without_field will replace this one
|
|
|
|
# See .from_params_without_field and
|
|
|
|
# https://gitlab.com/gitlab-org/gitlab/-/issues/233895#roll-out-steps
|
2020-04-30 17:09:47 -04:00
|
|
|
def self.from_params(params, field, upload_paths, path_override = nil)
|
|
|
|
path = path_override || params["#{field}.path"]
|
2019-10-18 07:11:44 -04:00
|
|
|
remote_id = params["#{field}.remote_id"]
|
|
|
|
return if path.blank? && remote_id.blank?
|
|
|
|
|
2020-04-30 17:09:47 -04:00
|
|
|
if remote_id.present? # don't use file_path if remote_id is set
|
|
|
|
file_path = nil
|
|
|
|
elsif path.present?
|
2019-10-18 07:11:44 -04:00
|
|
|
file_path = File.realpath(path)
|
|
|
|
|
2020-09-03 17:08:18 -04:00
|
|
|
unless self.allowed_path?(file_path, Array(upload_paths).compact)
|
2019-10-18 07:11:44 -04:00
|
|
|
raise InvalidPathError, "insecure path used '#{file_path}'"
|
|
|
|
end
|
2018-04-03 12:47:33 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
UploadedFile.new(file_path,
|
|
|
|
filename: params["#{field}.name"],
|
|
|
|
content_type: params["#{field}.type"] || 'application/octet-stream',
|
|
|
|
sha256: params["#{field}.sha256"],
|
2019-10-18 07:11:44 -04:00
|
|
|
remote_id: remote_id,
|
|
|
|
size: params["#{field}.size"])
|
2018-04-03 12:47:33 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def self.allowed_path?(file_path, paths)
|
|
|
|
paths.any? do |path|
|
|
|
|
File.exist?(path) && file_path.start_with?(File.realpath(path))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-07-18 10:21:32 -04:00
|
|
|
# copy-pasted from CarrierWave::SanitizedFile
|
|
|
|
def sanitize_filename(name)
|
|
|
|
name = name.tr("\\", "/") # work-around for IE
|
|
|
|
name = ::File.basename(name)
|
|
|
|
name = name.gsub(CarrierWave::SanitizedFile.sanitize_regexp, "_")
|
|
|
|
name = "_#{name}" if name =~ /\A\.+\z/
|
|
|
|
name = "unnamed" if name.empty?
|
|
|
|
name.mb_chars.to_s
|
|
|
|
end
|
|
|
|
|
2015-10-12 17:47:32 -04:00
|
|
|
def path
|
2019-10-18 07:11:44 -04:00
|
|
|
@tempfile&.path
|
|
|
|
end
|
|
|
|
|
|
|
|
def close
|
|
|
|
@tempfile&.close
|
2015-10-12 17:47:32 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
alias_method :local_path, :path
|
|
|
|
|
|
|
|
def method_missing(method_name, *args, &block) #:nodoc:
|
2017-08-10 12:39:26 -04:00
|
|
|
@tempfile.__send__(method_name, *args, &block) # rubocop:disable GitlabSecurity/PublicSend
|
2015-10-12 17:47:32 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def respond_to?(method_name, include_private = false) #:nodoc:
|
|
|
|
@tempfile.respond_to?(method_name, include_private) || super
|
|
|
|
end
|
|
|
|
end
|