Merge remote-tracking branch 'origin/2pcjn0j-files-format-vulnerability' into dev

2025-02-18 12:54:27 +01:00 · 2022-08-01 18:18:06 +02:00 · 2022-08-01 18:18:06 +02:00 · 68dc18a68d
commit 68dc18a68d
parent 549a719413 9bc2d4f96c
15 changed files with 44 additions and 25 deletions
--- a/app/models/user_avatar.rb
+++ b/app/models/user_avatar.rb
@ -3,5 +3,5 @@
 # UserAvatar is the profile picture for an User
 class UserAvatar < Asset
  include ImageValidatorConcern
-  mount_uploader :attachment, ProfilImageUploader
+  mount_uploader :attachment, UserAvatarUploader
 end
--- a/app/uploaders/concerns/content_type_validation_from_file_content.rb
+++ b/app/uploaders/concerns/content_type_validation_from_file_content.rb
@ -0,0 +1,26 @@
+module ContentTypeValidationFromFileContent
+  extend ActiveSupport::Concern
+
+  # overrides carrierwave methods to do a REAL mime type check based on content and not based on extension
+
+  included do
+    private
+      def check_content_type_whitelist!(new_file)
+        content_type = Marcel::MimeType.for Pathname.new(new_file.file)
+
+        if content_type_whitelist && content_type && !whitelisted_content_type?(content_type)
+          raise CarrierWave::IntegrityError,
+                I18n.translate(:'errors.messages.content_type_whitelist_error',
+                              content_type: content_type,
+                              allowed_types: Array(content_type_whitelist).join(', '))
+        end
+      end
+
+      def whitelisted_content_type?(content_type)
+        Array(content_type_whitelist).any? do |item|
+          item = Regexp.quote(item) if item.class != Regexp
+          content_type =~ /#{item}/
+        end
+      end
+  end
+end
--- a/app/uploaders/custom_assets_uploader.rb
+++ b/app/uploaders/custom_assets_uploader.rb
@ -8,6 +8,7 @@ class CustomAssetsUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/event_file_uploader.rb
+++ b/app/uploaders/event_file_uploader.rb
@ -6,6 +6,7 @@ class EventFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/event_image_uploader.rb
+++ b/app/uploaders/event_image_uploader.rb
@ -7,6 +7,7 @@ class EventImageUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/machine_file_uploader.rb
+++ b/app/uploaders/machine_file_uploader.rb
@ -6,6 +6,7 @@ class MachineFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/machine_image_uploader.rb
+++ b/app/uploaders/machine_image_uploader.rb
@ -7,7 +7,8 @@ class MachineImageUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
-
+  include ContentTypeValidationFromFileContent
+ 
  # Choose what kind of storage to use for this uploader:
  storage :file
  after :remove, :delete_empty_dirs
--- a/app/uploaders/plan_file_uploader.rb
+++ b/app/uploaders/plan_file_uploader.rb
@ -6,6 +6,7 @@ class PlanFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/project_cao_uploader.rb
+++ b/app/uploaders/project_cao_uploader.rb
@ -4,6 +4,7 @@
 # This file defines the parameters for these uploads
 class ProjectCaoUploader < CarrierWave::Uploader::Base
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
@ -29,24 +30,4 @@ class ProjectCaoUploader < CarrierWave::Uploader::Base
  def content_type_whitelist
    Setting.get('allowed_cad_mime_types').split(' ')
  end
-
-  private
-
-  def check_content_type_whitelist!(new_file)
-    content_type = Marcel::MimeType.for Pathname.new(new_file.file)
-
-    if content_type_whitelist && content_type && !whitelisted_content_type?(content_type)
-      raise CarrierWave::IntegrityError,
-            I18n.translate(:'errors.messages.content_type_whitelist_error',
-                           content_type: content_type,
-                           allowed_types: Array(content_type_whitelist).join(', '))
-    end
-  end
-
-  def whitelisted_content_type?(content_type)
-    Array(content_type_whitelist).any? do |item|
-      item = Regexp.quote(item) if item.class != Regexp
-      content_type =~ /#{item}/
-    end
-  end
 end
--- a/app/uploaders/project_image_uploader.rb
+++ b/app/uploaders/project_image_uploader.rb
@ -5,6 +5,7 @@
 class ProjectImageUploader < CarrierWave::Uploader::Base
  include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/proof_of_identity_file_uploader.rb
+++ b/app/uploaders/proof_of_identity_file_uploader.rb
@ -8,6 +8,7 @@ class ProofOfIdentityFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/space_file_uploader.rb
+++ b/app/uploaders/space_file_uploader.rb
@ -6,6 +6,7 @@ class SpaceFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/space_image_uploader.rb
+++ b/app/uploaders/space_image_uploader.rb
@ -7,7 +7,8 @@ class SpaceImageUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
-
+  include ContentTypeValidationFromFileContent
+ 
  # Choose what kind of storage to use for this uploader:
  storage :file
  after :remove, :delete_empty_dirs
--- a/app/uploaders/training_image_uploader.rb
+++ b/app/uploaders/training_image_uploader.rb
@ -7,6 +7,7 @@ class TrainingImageUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent

  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/profil_image_uploader.rb
+++ b/app/uploaders/profil_image_uploader.rb
@ -2,11 +2,12 @@

 # CarrierWave uploader for user's avatar.
 # This file defines the parameters for these uploads.
-class ProfilImageUploader < CarrierWave::Uploader::Base
+class UserAvatarUploader < CarrierWave::Uploader::Base
  # Include RMagick or MiniMagick support:
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
+  include ContentTypeValidationFromFileContent 

  # Choose what kind of storage to use for this uploader:
  storage :file
@ -59,7 +60,7 @@ class ProfilImageUploader < CarrierWave::Uploader::Base
  end

  def content_type_whitelist
-    [%r{image/}]
+    %w[image/jpeg image/gif image/png]
  end

  # Override the filename of the uploaded files: